bg-wa Posted March 10, 2017

[Payload] Ghost Cleanup
https://github.com/bg-wa/bashbunny-payloads/tree/develop/payloads/library/ghost_cleanup

The goal of this payload is to provide a universal (Win/Mac/Lin) HID script to clean up your tracks after an attack. The idea is to have this as a switch 2 payload to easily execute after an attack.

Currently, I have code to:
- Select OS (defaults to Linux, but can be switched manually or with attack 1, by writing an appropriately named file to the BB loot folder)
- Ducky script from E2124 to open cmd/terminal
- Clear input history
- [mac/linux] Clear all bash history (or optionally set how many lines to remove from the end of ~/.bash_history)
- [Win] Use regedit to remove run commands
- [Win] Remove extra Ethernet adapters created by BB (*WIP, looking at different methods)
- Comments providing guidance on where to insert your custom cleanup code for each platform

Please feel free to fork and contribute!

** This script is a Work in Progress, as I'm still waiting on my BashBunny to arrive.
sWeed Posted March 21, 2017

Quick and Dirty Solution for Windows

Clean_Win_Reg.cmd

    @echo off
    setlocal enableextensions enabledelayedexpansion

    REM Nr of lines deleting from Registry
    set len=3
    set /a len_pos=%len%-1

    REM Get the MRUList from Registry and save it to %mru%
    for /f "tokens=2*" %%a in ('reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /v MRUList') do set "mru=%%b"

    REM Count chars
    for /f %%c in ('cmd /u /v /q /c"(echo(!mru!)" ^| find /v "" ^| findstr /r /c:"[a-z]" ^| find /c /v ""') do set "str_len=%%c"

    REM Get the last Nr of defined lines from MRUList
    set list=!mru:~0,%len%!

    REM Set the new MRUList
    set original_list=!mru:~%len%,%str_len%!

    REM Delete old MRUList
    reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /v MRUList /f

    REM Add new MRUList
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /v MRUList /t REG_SZ /d %original_list%

    REM Delete the last Nr of lines from Registry
    for /l %%d in (0,1,%len_pos%) do (reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /v !list:~%%d,1! /f)

PS: You have to put the REG DELETE path in double quotes:

    QUACK STRING reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /va /f
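A defender's counterpart to the RunMRU cleanup above, added here as an example and not code from this thread or from the payload repository: it scans Sysmon-style registry events and flags RunMRU values that were deleted or rewritten by anything other than explorer.exe, the process that normally maintains that key when a user runs something from the Run dialog. The sample records are constructed; the field names (EventID, EventType, Image, TargetObject, Details) follow Sysmon's RegistryEvent schema, while the SID, paths and values are made up.

```python
"""Flag registry events that look like a RunMRU history wipe.

Constructed example: records shaped like Sysmon registry events
(Event ID 12 = key/value create or delete, Event ID 13 = value set).
"""
import re

# Matches the per-user RunMRU key and anything directly under it.
RUNMRU_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU(\\|$)",
    re.IGNORECASE,
)

# Constructed sample hive path (the SID is invented, not real telemetry).
_USER_HIVE = r"HKU\S-1-5-21-1111-2222-3333-1001"
_RUNMRU = _USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Constructed sample events. The first three mimic a reg.exe-driven cleanup
# (MRUList deleted, MRUList rewritten shorter, one entry deleted); the fourth
# is Explorer's normal write after a Run-dialog command; the fifth is unrelated.
SAMPLE_EVENTS = [
    {"EventID": 12, "EventType": "DeleteValue",
     "Image": r"C:\Windows\System32\reg.exe", "TargetObject": _RUNMRU + r"\MRUList"},
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Windows\System32\reg.exe", "TargetObject": _RUNMRU + r"\MRUList",
     "Details": "de"},
    {"EventID": 12, "EventType": "DeleteValue",
     "Image": r"C:\Windows\System32\reg.exe", "TargetObject": _RUNMRU + r"\a"},
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Windows\explorer.exe", "TargetObject": _RUNMRU + r"\MRUList",
     "Details": "eabcd"},
    {"EventID": 12, "EventType": "DeleteValue",
     "Image": r"C:\Windows\System32\reg.exe", "TargetObject": r"HKLM\SOFTWARE\Example\Setting"},
]


def runmru_findings(events, allowed_images=(r"\explorer.exe",)):
    """Return (EventID, process, value name, reason) for suspicious RunMRU writes.

    Any process outside `allowed_images` that deletes a RunMRU value, or rewrites
    MRUList, is reported. Explorer itself is allowed because it owns the key.
    """
    findings = []
    for ev in events:
        target = ev.get("TargetObject", "")
        if not RUNMRU_RE.search(target):
            continue  # not the RunMRU key at all
        image = ev.get("Image", "").lower()
        if any(image.endswith(a.lower()) for a in allowed_images):
            continue  # the shell maintaining its own MRU is expected
        value_name = target.rsplit("\\", 1)[-1]
        kind = ev.get("EventType")
        if kind == "DeleteValue":
            reason = "RunMRU value deleted by non-shell process"
        elif kind == "SetValue" and value_name.lower() == "mrulist":
            reason = "RunMRU MRUList rewritten by non-shell process"
        else:
            reason = "RunMRU modified by non-shell process"
        findings.append((ev["EventID"], image.rsplit("\\", 1)[-1], value_name, reason))
    return findings


if __name__ == "__main__":
    for f in runmru_findings(SAMPLE_EVENTS):
        print("EventID %d  %s  %s  %s" % f)
```

On a real host the same check maps onto Sysmon Event IDs 12 and 13 filtered to the RunMRU key path; the `/va` form quoted above shows up as a burst of DeleteValue events from reg.exe against that key, which is what the function reports.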
bg-wa (Author) Posted March 21, 2017

Thanks @sWeed, I'll roll that into the script this evening.
bg-wa (Author) Posted March 23, 2017

This payload has been bumped to a working 1.0 release!!
https://github.com/bg-wa/bashbunny-payloads

As described, it removes input history from Windows, Mac and Linux.
bg-wa (Author) Posted March 24, 2017

I think I'm going to fork this into a new helper so this logic can be called from any script instead of having to dedicate a switch to it...
bg-wa (Author) Posted March 24, 2017 (edited)

** BUNNY DEBUG HELPER **

I've extracted my debug code to a simple helper with an OFF switch. I'll eventually do a separate PR for this, but if anyone needs a simple debug helper it currently lives on my `develop` branch.
https://github.com/bg-wa/bashbunny-payloads/blob/develop/payloads/library/bunny_debug_helpers.sh

Edited March 24, 2017 by bg-wa