C1PH3R Posted December 17, 2017

Link to GitHub: https://github.com/CIPH3R0/bashbunny-payloads
Link to pull request: https://github.com/hak5/bashbunny-payloads/pull/301

What the payload does:

Starts up multiple programs:
- BPG (BrowserPasswordGrabber): Grabs passwords from web browsers: Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera.
- BHG (BrowserHistoryGrabber): Grabs history from web browsers: Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera.
- InfoGrabber: Gathers a lot of information about the computer and places it in a text file in loot/info/.
- Reverse-Shell: Copies the file servicehost.txt to the startup directory (shell:startup) and executes it.

Let me know what you think/what you would like to see improved!

C1PH3R
"Don't look at the branch of the problem, look at the root (C1PH3R)"
JediMasterX Posted January 13, 2018

Thanks...

JMX
C1PH3R (Author) Posted January 13, 2018

14 hours ago, JediMasterX said:
Thanks... JMX

No problem :)
C1PH3R (Author) Posted January 18, 2018

Version 2 is now out, with better customizability and commenting. Now you can easily customize delays, capture the target's IP, choose whether or not to save and execute a reverse shell, etc.
Rinilyn Posted January 25, 2018

Scary payload. Nice work!! Latest Kaspersky Internet Security detects nothing!
PoSHMagiC0de Posted January 27, 2018

Your payload might get dinged by Hak5 for the password grabber exe. They do not like binaries in their repo. You may have to take it out and add a reference to where people can download it if they wish to. I notice there is a history.exe too.

Yeah... lots of keyboard stuff. You can condense this so that the HID is used once and all the scripts just run in sequence (or in parallel if you want to get fancy with jobs).

Also, you will want to do a Windows 10 check for the antivirus killer. The command is not available in Windows 7. I do not know about Windows 8 or 8.1.
C1PH3R (Author) Posted January 29, 2018

On 1/27/2018 at 1:18 AM, PoSHMagiC0de said:
Your payload might get dinged by Hak5 for the password grabber exe. They do not like binaries in their repo. You may have to take it out and add a reference to where people can download it if they wish to. I notice there is a history.exe too. Yeah... lots of keyboard stuff. You can condense this so that the HID is used once and all the scripts just run in sequence (or in parallel if you want to get fancy with jobs). Also, you will want to do a Windows 10 check for the antivirus killer. The command is not available in Windows 7. I do not know about Windows 8 or 8.1.

I will maybe take out the .exe's because I have had problems with .exe's on the forums before, so I will probably do that. The AV killer works in Windows 8.0 or above. The payload only takes 50 seconds, so I don't think condensing is needed right now, but I will maybe take a look at it later.
PoSHMagiC0de Posted January 29, 2018

Ohhh, those exes are from NirSoft. They have GUIs. That is why you have those Ctrl+A and Ctrl+S things in there. I was trying to figure that out by just looking. Looked at the NirSoft site and saw what they were. Thought they were CLI. Yeah, tougher with those. You might still be able to pull it off in script by tapping into the natives to launch the app, select its window handle as active and send keystroke commands from script to do the copying. Seen what those apps do.

You may be able to pull off the same (though with more scripts involved) with this combination of scripts from the Empire project.

https://github.com/EmpireProject/Empire/tree/master/data/module_source/collection

From here there is:
- Get-BrowserData.ps1 - for history and bookmarks from all browsers.
- Get-ChromeDump.ps1 - for Chrome creds.
- Get-FoxDump.ps1 - for Firefox creds.

https://github.com/EmpireProject/Empire/tree/master/data/module_source/credentials

From here there is:
- Get-VaultCredential.ps1 - for IE creds, since they would be stored in the Credential Vault for Windows.
Am3ience Posted February 21, 2018

Does this work for Linux as well? Or only Windows?
C1PH3R (Author) Posted February 21, 2018

14 hours ago, Am3ience said:
Does this work for Linux as well? Or only Windows?

I only tested it on Windows, and since it uses PowerShell and Win+R it is not going to work on Linux. However, I am maybe going to try something like this for Linux in the future.
C1PH3R (Author) Posted February 21, 2018

On 1/29/2018 at 5:39 PM, PoSHMagiC0de said:
Ohhh, those exes are from NirSoft. They have GUIs. That is why you have those Ctrl+A and Ctrl+S things in there. I was trying to figure that out by just looking. Looked at the NirSoft site and saw what they were. Thought they were CLI. Yeah, tougher with those. You might still be able to pull it off in script by tapping into the natives to launch the app, select its window handle as active and send keystroke commands from script to do the copying. Seen what those apps do. You may be able to pull off the same (though with more scripts involved) with this combination of scripts from the Empire project. https://github.com/EmpireProject/Empire/tree/master/data/module_source/collection From here there is: Get-BrowserData.ps1 - for history and bookmarks from all browsers. Get-ChromeDump.ps1 - for Chrome creds. Get-FoxDump.ps1 - for Firefox creds. https://github.com/EmpireProject/Empire/tree/master/data/module_source/credentials From here there is: Get-VaultCredential.ps1 - for IE creds, since they would be stored in the Credential Vault for Windows.

I will take a look into that in the future, but since it is working now and I am working on some other stuff, it won't be my first priority. Thanks for the link though! Could be very helpful in the future.