
[PAYLOAD] USB PWNR


C1PH3R


Link to GitHub:

https://github.com/CIPH3R0/bashbunny-payloads

Link to pull request:

https://github.com/hak5/bashbunny-payloads/pull/301

What the payload does:

Starts up multiple programs:

- BPG (BrowserPasswordGrabber): grabs passwords from web browsers: Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera.
- BHG (BrowserHistoryGrabber): grabs history from web browsers: Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera.
- InfoGrabber: gathers a lot of information about the computer and places it in a text file in loot/info/.
- Reverse-Shell: copies the file servicehost.txt to the startup directory (shell:startup) and executes it.

Let me know what you think/what you would like to see improved!

 

C1PH3R

"Don't look at the branch of the problem, look at the root (C1PH3R)"
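A defender-side check to go with the description above: the payload persists by dropping servicehost.txt into shell:startup, so auditing the Startup folders for anything that is not an ordinary shortcut is a direct way to spot it. This is an added example, not code from the payload or from anyone in this thread; the 7-day "recent" threshold is an assumed value.

```powershell
# Added example, not code from the payload or the thread: audit the per-user
# and all-users Startup folders (what "shell:startup" and "shell:common startup"
# resolve to) for entries that are not ordinary shortcuts. The payload above
# drops servicehost.txt into shell:startup and runs it, so any non-.lnk file or
# freshly written item there deserves a look. $RecentDays is an assumed threshold.

function Get-StartupFolderFindings {
    param([int]$RecentDays = 7)

    $folders = @(
        [Environment]::GetFolderPath('Startup'),        # shell:startup
        [Environment]::GetFolderPath('CommonStartup')   # shell:common startup
    )
    $cutoff = (Get-Date).AddDays(-$RecentDays)

    foreach ($folder in $folders) {
        if ([string]::IsNullOrEmpty($folder) -or -not (Test-Path -LiteralPath $folder)) { continue }

        Get-ChildItem -LiteralPath $folder -File -Force | ForEach-Object {
            $reasons = @()

            # Legitimate Startup entries are almost always .lnk shortcuts.
            if ($_.Extension -ne '.lnk') { $reasons += "non-shortcut file ($($_.Extension))" }

            # Recently written items are the most likely to be new persistence.
            if ($_.LastWriteTime -gt $cutoff) { $reasons += "written $($_.LastWriteTime)" }

            # Authenticode status helps triage scripts and binaries; a .txt has none.
            $sig = 'n/a'
            if ($_.Extension -in '.exe', '.dll', '.ps1') {
                $sig = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                if ($sig -ne 'Valid') { $reasons += "signature $sig" }
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Path      = $_.FullName
                    SizeBytes = $_.Length
                    Signature = $sig
                    Reasons   = ($reasons -join '; ')
                }
            }
        }
    }
}

Get-StartupFolderFindings | Format-Table -AutoSize
```

Run it in a normal user session to cover shell:startup; the all-users folder is readable without elevation but is only a complete view when run as an administrator.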


Your payload might get dinged by Hak5 for the password grabber exe.  They do not like binaries in their repo.  May have to take it out and add a reference to where people can download it if they wish to.  Notice there is a history.exe too.  Yeah...

Lots of keyboard stuff.  You can condense this where the HID is used once and all the scripts just run in sequence (or parallel if you want to get fancy with jobs).


Also, you will want to do a Windows 10 check for the antivirus killer.  Command is not available in Windows 7.  Do not know about Windows 8, 8.1.


On 1/27/2018 at 1:18 AM, PoSHMagiC0de said: (quoted in full above)

I will maybe take out the .exe's because I have had problems with .exe's on the forums before, so I will probably do that. The AV killer works in Windows 8.0 or above. The payload only takes 50 seconds, so I don't think condensing is needed right now, but I will maybe take a look at it later.


Ohhh, those exes are from Nirsoft. They have GUIs. That is why you have those Ctrl+A and Ctrl+S keystrokes in there. I was trying to figure that out by just looking. Looked at the Nirsoft site and saw what they were. Thought they were CLI. Yeah, tougher with those. You might still be able to pull it off in script by tapping into the natives to launch the app, select its window handle as active and send keystroke commands from script to do the copying.

I've seen what those apps do. May be able to pull off the same (though more scripts involved) with this combination of scripts from the Empire project.

https://github.com/EmpireProject/Empire/tree/master/data/module_source/collection

From here there is:

Get-BrowserData.ps1 - For history and bookmarks from all browsers.

Get-ChromeDump.ps1 - for Chrome creds.

Get-FoxDump.ps1 - for Firefox creds.


https://github.com/EmpireProject/Empire/tree/master/data/module_source/credentials

From here there is:

Get-VaultCredential.ps1 - for IE creds since they would be stored in the Credential Vault for Windows.

14 hours ago, Am3ience said:

Does this work for Linux as well? Or only Windows?

I only tested it on Windows, and since it uses PowerShell and Win+R it is not going to work on Linux. However, I am maybe going to try something like this for Linux in the future.


On 1/29/2018 at 5:39 PM, PoSHMagiC0de said: (quoted in full above)

I will take a look into that in the future, but since it is working now and I am working on some other stuff it won't be my first priority. Thanks for the link though! It could be very helpful in the future.
