[PAYLOAD] USB PWNR


Link to GitHub:

https://github.com/CIPH3R0/bashbunny-payloads

Link to pull request:

https://github.com/hak5/bashbunny-payloads/pull/301

What the payload does:

Starts up multiple programs:

- BPG (BrowserPasswordGrabber): grabs passwords from web browsers: Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera.
- BHG (BrowserHistoryGrabber): grabs history from web browsers: Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera.
- InfoGrabber: gathers a lot of information about the computer and places it in a text file in loot/info/.
- Reverse-Shell: copies the file servicehost.txt to the startup directory (shell:startup) and executes it.

Let me know what you think/what you would like to see improved!

C1PH3R

"Don't look at the branch of the problem, look at the root (C1PH3R)"

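A defender-side check for the persistence step listed above (a file copied into shell:startup and run at logon), added here as an example and not part of the payload or the Bash Bunny repository: it lists everything in the per-user and all-users Startup folders with creation time and Authenticode status, so a recently created, unsigned entry such as a dropped servicehost file stands out. The one-day window and the flag logic are my choices, not anything the payload defines.

```powershell
# Added example (not from the USB PWNR payload): audit Startup-folder persistence.
# Anything placed in a Startup folder runs at the next logon, so the folders are
# worth reviewing after an unexpected USB/HID event on a workstation.

# Resolve both Startup folders without relying on the shell:startup alias.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user:  shell:startup
    [Environment]::GetFolderPath('CommonStartup')   # all users: shell:common startup
)

# Extensions Explorer launches directly (or that a .lnk can point at).
$runnable = @('.exe', '.bat', '.cmd', '.ps1', '.vbs', '.js', '.hta', '.lnk', '.scr')

$findings = foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    # -Force includes hidden files; desktop.ini is expected here and will be old.
    foreach ($item in Get-ChildItem -LiteralPath $dir -File -Force) {
        $sig = Get-AuthenticodeSignature -LiteralPath $item.FullName
        [PSCustomObject]@{
            Path      = $item.FullName
            Created   = $item.CreationTime
            SizeBytes = $item.Length
            Signature = $sig.Status                  # Valid, NotSigned, HashMismatch, ...
            Runnable  = $runnable -contains $item.Extension.ToLower()
            # Triage pattern (assumed threshold): unsigned and created in the last day.
            # Extension is deliberately not required, since a dropper can stage a
            # .txt payload and launch it from a separate script.
            Flag      = ($sig.Status -ne 'Valid') -and
                        ($item.CreationTime -gt (Get-Date).AddDays(-1))
        }
    }
}

$findings |
    Sort-Object Created -Descending |
    Format-Table Path, Created, SizeBytes, Signature, Runnable, Flag -AutoSize
```

Run it from an elevated PowerShell to see the all-users folder; rows with Flag = True are the ones to inspect (hash the file, check what launches it, and review logon scripts) rather than delete outright.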

Version 2 is now out, with better customizability and commenting. Now you can easily customize delays, capture the target's IP, choose whether or not to save and execute a reverse shell, etc.


Your payload might get dinged by Hak5 for the password grabber exe.  They do not like binaries in their repo.  May have to take it out and add a reference to where people can download it if they wish to.  Notice there is a history.exe too.  Yeah...

Lots of keyboard stuff.  You can condense this where the HID is used once and all the scripts just run in sequence (or parallel if you want to get fancy with jobs).

Also, you will want to do a Windows 10 check for the antivirus killer.  Command is not available in Windows 7.  Do not know about Windows 8, 8.1.

In reply to PoSHMagiC0de's post of 1/27/2018 at 1:18 AM (quoted above):

I will maybe take out the .exe's because I have had problems with .exe's on the forums before, so I will probably do that. The AV killer works in Windows 8.0 or above. The payload only takes 50 seconds, so I don't think condensing is needed right now, but I will maybe take a look at it later.


Ohhh, those exes are from Nirsoft.  They have GUIs.  That is why you have those Ctrl+A and Ctrl+S keystrokes in there.  I was trying to figure that out by just looking.  Looked at the Nirsoft site and saw what they were.  Thought they were CLI.  Yeah, tougher with those.  You might still be able to pull it off in script by tapping into the natives to launch the app, select its window handle as active and send keystroke commands from script to do the copying.

I've seen what those apps do.  May be able to pull off the same (though more scripts involved) with this combination of scripts from the Empire project.

https://github.com/EmpireProject/Empire/tree/master/data/module_source/collection

From here there is:

Get-BrowserData.ps1 - For history and bookmarks from all browsers.

Get-ChromeDump.ps1 - for Chrome creds.

Get-FoxDump.ps1 - for Firefox creds.

https://github.com/EmpireProject/Empire/tree/master/data/module_source/credentials

From here there is:

Get-VaultCredential.ps1 - for IE creds since they would be stored in the Credential Vault for Windows.

14 hours ago, Am3ience said:

does this work for linux as well? Or only Windows?

I only tested it on Windows, and since it uses PowerShell and WIN+R it is not going to work on Linux. However, I am maybe going to try something like this for Linux in the future.

In reply to PoSHMagiC0de's post of 1/29/2018 at 5:39 PM (quoted above):

I will take a look into that in the future, but since it is working now and I am working on some other stuff it won't be my first priority. Thanks for the link though! Could be very helpful in the future.
