hak5/bashbunny-payloads
1
0
Fork 0
mirror of https://github.com/hak5/bashbunny-payloads.git synced 2025-10-29 16:58:25 +00:00
Code Issues Packages Projects Releases Wiki Activity
bashbunny-payloads/payloads/library/poc/WIN_PoSH_MorseCode
History
cribb-it 6375315a33
Update PoSH_Morsecode, Add Windows 10 Login Screen (#430) 
* Add files via upload

* Update readme.md

* Update payload.txt

* Update readme.md

* Update readme.md

* Update readme.md

* Update readme.md

* Update readme.md

* Add files via upload

* Update readme.md

* Update readme.md

* Add Payload WIN_PoSH_HKU_RegBackUp

* Update readme.md

* Update payload.txt

* Change for admin shell

* Update readme.md

* Update payload.txt

* Update payload.txt

* Update readme.md

* Added payload WIN_PoSH_SaveSecurityHive

Added new payload to exfiltration that saves the HKLM security hive to the bunny

* Morse Code File Exfiltration

A bit pointless with limitation of morse code but I thought it was fun to create.

* Update readme.md

* Update for non-alphanumeric

* Update for timing

* Update readme.md

* Update readme.md

* Update readme.md

* Update readme.md

* Update payload.txt

* New payload - Fake Login

Shows a fake version of the windows 10 login screen

* Update readme.md

* Changes to Fake Login Payload

* Changes to Fake Login
2021-04-22 16:44:33 +01:00
..
b.txt
Morse Code File Exfiltration (#429)
2021-04-04 09:33:48 -07:00
MorseCodeFileExfiltration.ps1
Morse Code File Exfiltration (#429)
2021-04-04 09:33:48 -07:00
payload.txt
Update PoSH_Morsecode, Add Windows 10 Login Screen (#430)
2021-04-22 16:44:33 +01:00
readme.md
Update PoSH_Morsecode, Add Windows 10 Login Screen (#430)
2021-04-22 16:44:33 +01:00

readme.md

Morse Code File Exfiltration

  • Author: Cribbit
  • Version: 1.2
  • Target: Windows (Powershell 5.1+)
  • Category: PoC
  • Attackmode: HID & Storage

Change Log

Version Changes
1.0 Initial release
1.1 Update for non-alphanumeric
1.2 Update for space timing

Description

Reads all txt files in "my documents" and Flashes the Scrolllock on and off to represent Morse code of the engish alphanumeric characters (0..9 A..Z)

Update

For characters out side the Morse code 0..9 A..Z it now flash one long pulse then the chars ordinal value ie (@ = 64 = -.... ....-)

Note

This is not a very useful payload with limitation of morse code but I thought it was fun to create.

The payload uses a base64 encode version of the payload (b.txt) to get round the Script Execution Policy. There is a non-base64 version in the file (MorseCodeFileExfiltration.ps1) so you can see what it is doing.

Please check the encoded payload before execution, to make sure it has not been replaced with something more malicious.

If you do not want to use the base64 version you could change the payload to: RUN WIN "powerShell -Noni -NoP -W h -EP Bypass .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\MorseCodeFileExfiltration.ps1')"

Colors

Status Color Description
SETUP Magenta solid Setting attack mode
ATTACK Yellow single blink Injecting Powershell script
FINISH Green blink followed by SOLID Script is finished