Added payload to analyse users' .lnk files (#228)

* Add files via upload

* Add files via upload
pull/232/head
Murty007 2017-07-09 22:27:22 +01:00 committed by Sebastian Kinne
parent fd0a0d0f6f
commit 0f83db10f5
9 changed files with 318 additions and 0 deletions

View File

@ -0,0 +1,12 @@
LED R B 100
ATTACKMODE HID STORAGE
DUCKY_LANG gb
LED B
RUN WIN powershell -executionpolicy Bypass ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')"
LED G FAST
#Green means good to go
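Review bot: `LED G FAST` on the last line fires as soon as `RUN WIN` has typed the PowerShell command into the Run dialog, not when run.ps1 has finished, so the green "Attack Finished" state in the README can show while the script is still walking the profile and writing the CSV to the loot folder; add a delay or another completion check before switching the LED. DUCKY_LANG is also hard-coded to gb, which should be called out in the README because the injected keystrokes will mistype on other keyboard layouts and the `RUN WIN` line will then not run at all.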

View File

@ -0,0 +1,37 @@
Author : Paul Murton
Notes :
My background is in Computer Forensics and Incident Response.
I am new to Powershell, so it's likely that the script is inefficient,
but it does work.
A (naive) user may attempt to hide image(picture) files by simply
renaming them to appear to be other filetypes (i.e. Word documents etc).
This payload uses a powershell script to walk the userprofile to look
for image files that have been hidden in this manner.
It ignores files with image extensions, and checks the file headers
for known image file headers.
The output is put into a CSV file in the folder \loot\image-files
The script can be easily modified to search for other filetypes (maybe
mpg movie files etc)
It should be noted that payload is NOT forensically sound, and if
"proper" forensic tools are available, they should be used.
Tested on ver 1.3
## STATUS
| LED | Status |
| ---------------- | ------------------------------------- |
| Purple (blinking)| Attack in progress |
| Green (blinking) | Attack Finished |
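Review bot: The output path is wrong: the README says the CSV goes to `\loot\image-files`, but run.ps1 creates and writes to `\loot\Hidden-Image-Files\` with a timestamped file name, so this line should be corrected to match the script. It would also help the reader to list the formats the header check covers (jpg, bmp, gif, tif, png) and to state that the TIFF check only matches little-endian files, since the README currently implies a general image search.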

View File

@ -0,0 +1,80 @@
#Get the path and file name that you are using for output
# find connected bashbunny drive:
$VolumeName = "bashbunny"
$computerSystem = Get-CimInstance CIM_ComputerSystem
$backupDrive = $null
get-wmiobject win32_logicaldisk | % {
if ($_.VolumeName -eq $VolumeName) {
$backupDrive = $_.DeviceID
}
}
#See if a loot folder exist in usb. If not create one
$TARGETDIR = $backupDrive + "\loot"
if(!(Test-Path -Path $TARGETDIR )){
New-Item -ItemType directory -Path $TARGETDIR
}
#See if a info folder exist in loot folder. If not create one
$TARGETDIR = $backupDrive + "\loot\Hidden-Image-Files"
if(!(Test-Path -Path $TARGETDIR )){
New-Item -ItemType directory -Path $TARGETDIR
}
#Create a path that will be used to make the file
$datetime = get-date -f yyyy-MM-dd_HH-mm
$backupPath = $backupDrive + "\loot\Hidden-Image-Files\"
#Create output from info script
$TARGETDIR = $MyInvocation.MyCommand.Path
$TARGETDIR = $TARGETDIR -replace ".......$"
cd $TARGETDIR
$jpgheader = "255 216 255"
$bmpheader = "66 77"
$gifheader = "71 73 70"
$tifheader = "73 73 42"
$pngheader = "137 80 78 71 13 10 26 10"
$knownimageextensions = ("jpg", "jpeg", "bmp", "gif", "tif", "tiff", "png")
#walk the files in the user profile
$files = Get-ChildItem $env:USERPROFILE -Recurse -ErrorAction silentlycontinue | select-object -Expand Fullname
foreach ($file in $files)
{
#get extension without . (dot)
$extension = [System.IO.Path]::GetExtension($file).Replace(".", "")
$extension = $extension.ToLower()
#Ignore known image extension
if (!$knownimageextensions.contains($extension) -and (Get-Item $file).length -gt 0.1kb) {
#reset $fileheader
$fileheader = "False"
#Grab header
$2bytes = [string](Get-Content $file -Encoding Byte -ReadCount 1 -TotalCount 2 -EA ignore)
$3bytes = [string](Get-Content $file -Encoding Byte -ReadCount 1 -TotalCount 3 -EA ignore)
$8bytes = [string](Get-Content $file -Encoding Byte -ReadCount 1 -TotalCount 8 -EA ignore)
If ($8bytes -eq $pngheader) {$fileheader = "png"}
Elseif ($3bytes -eq $jpgheader) {$fileheader = "jpg"}
Elseif ($3bytes -eq $gifheader) {$fileheader = "gif"}
Elseif ($3bytes -eq $tifheader) {$fileheader = "tif"}
Elseif ($2bytes -eq $bmpheader) {$fileheader = "bmp"}
if ($fileheader -ne "False") {
[PSCustomObject]@{
File = $file
Header = $fileheader
} | Export-Csv $backupPath\$datetime.csv -notype -Append
}
}
}
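Review bot: There is no check that the BashBunny volume was actually found: if `$backupDrive` is still `$null` after the WMI loop, `$TARGETDIR` becomes `\loot` and the script creates the folders and writes the CSV on the host's current drive instead of the device, leaving the results on the machine being examined. Add a guard such as `if (-not $backupDrive) { exit }` after the loop. Smaller points: `$computerSystem` is assigned but never used; `-replace ".......$"` only works while the script is named exactly run.ps1, and `Split-Path -Parent $MyInvocation.MyCommand.Path` is the robust form (the `cd $TARGETDIR` is not needed either, since every output path is absolute); each candidate file is read three times where reading 8 bytes once and comparing prefixes would do; the TIFF signature only matches little-endian `II*` files (big-endian TIFFs begin 77 77 0 42), and a two-byte `BM` match will flag any file that starts with those two letters, so the CSV should be expected to contain some false positives; and `-Encoding Byte` on Get-Content exists only in Windows PowerShell 5.1 and earlier, so the header reads silently return nothing on PowerShell 6+ where the parameter is `-AsByteStream`.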

View File

@ -0,0 +1,12 @@
LED R B 100
ATTACKMODE HID STORAGE
DUCKY_LANG gb
LED B
RUN WIN powershell -executionpolicy Bypass ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')"
LED G FAST
#Green means good to go
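Review bot: This payload.txt is byte-for-byte the same as the earlier one, so the same timing issue applies: `LED G FAST` lights immediately after `RUN WIN` has typed the command, not after run.ps1 completes. If both payload directories are meant to share the launcher, keeping one copy and documenting the LED behaviour once would avoid the two drifting apart.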

View File

@ -0,0 +1,31 @@
Author : Paul Murton
Notes :
My background is in Computer Forensics and incident response.
I am new to Powershell, so it's likely that the script is inefficient,
but it does work.
In an incident where a user is suspected of exfiltrating data to a USB
storage device, CD/DVD etc, its possible that the user may subsequently
open an exfiltrated file on the media. In this scenario, a local lnk
file will be created, providing evidence of the files existance.
This payload uses a powershell script to search the user profle for lnk
files where the target is on a drive other than the C: Drive.
The output is put into a CSV file in the folder \loot\link-files
Tested on ver 1.3
## STATUS
| LED | Status |
| ---------------- | ------------------------------------- |
| Purple (blinking)| Attack in progress |
| Green (blinking) | Attack Finished |
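Review bot: The README states the script searches for lnk files "where the target is on a drive other than the C: Drive", but run.ps1 records every .lnk under the profile and never filters on `$target`; either add the drive comparison to the script (for example, skip targets whose root matches `$env:SystemDrive`) or reword this line so the README describes what is actually produced. Spelling: "profle", "existance", and "its possible" (it's).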

View File

@ -0,0 +1,53 @@
#Remove run history
powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
#Get the path and file name that you are using for output
# find connected bashbunny drive:
$VolumeName = "bashbunny"
$computerSystem = Get-CimInstance CIM_ComputerSystem
$backupDrive = $null
get-wmiobject win32_logicaldisk | % {
if ($_.VolumeName -eq $VolumeName) {
$backupDrive = $_.DeviceID
}
}
#See if a loot folder exist in usb. If not create one
$TARGETDIR = $backupDrive + "\loot"
if(!(Test-Path -Path $TARGETDIR )){
New-Item -ItemType directory -Path $TARGETDIR
}
#See if a info folder exist in loot folder. If not create one
$TARGETDIR = $backupDrive + "\loot\Link-Files"
if(!(Test-Path -Path $TARGETDIR )){
New-Item -ItemType directory -Path $TARGETDIR
}
#Create a path that will be used to make the file
$datetime = get-date -f yyyy-MM-dd_HH-mm
$backupPath = $backupDrive + "\loot\Link-Files\"
#Create output from info script
$TARGETDIR = $MyInvocation.MyCommand.Path
$TARGETDIR = $TARGETDIR -replace ".......$"
cd $TARGETDIR
$files = Get-ChildItem $env:USERPROFILE -Recurse -Filter *.lnk | select-object -Expand Fullname
foreach ($file in $files)
{
$sh = New-Object -ComObject WScript.Shell
$target = $sh.CreateShortcut($file).TargetPath
$created = (Get-ItemProperty $file).CreationTime
$written = (Get-ItemProperty $file).LastWriteTime
[PSCustomObject]@{
Linkfile = $file
Target = $target
File_Created = $created
Last_Written = $written
} | Export-Csv $backupPath\link_files.csv -notype -Append
}
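Review bot: `Get-ChildItem $env:USERPROFILE -Recurse -Filter *.lnk` is run without `-Force`, so hidden directories are skipped, and the user's AppData folder is hidden; the Recent folder under `AppData\Roaming\Microsoft\Windows`, which is where Windows creates the .lnk files this payload exists to collect, will therefore not be searched at all. Add `-Force` (and `-ErrorAction SilentlyContinue`, as the image script does, so one unreadable folder does not spray errors). Further points: the first line removes the user's RunMRU values through a second `powershell` process, which can be called as a plain cmdlet, and more importantly it erases the Run-dialog history on a machine the README says is under incident investigation, so the README should state that this artefact is destroyed; `New-Object -ComObject WScript.Shell` is created once per shortcut and can move above the loop; `$datetime` is computed but unused because the output is the fixed `link_files.csv`, so repeated runs append to one file; and, as in the other script, there is no check that `$backupDrive` was found before anything is written.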

View File

@ -0,0 +1,12 @@
LED R B 100
ATTACKMODE HID STORAGE
DUCKY_LANG gb
LED B
RUN WIN powershell -executionpolicy Bypass ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')"
LED G FAST
#Green means good to go
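Review bot: Third identical copy of payload.txt in this PR; beyond the duplication, the same `LED G FAST` caveat applies, since it lights when the command has been typed rather than when run.ps1 has finished.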

View File

@ -0,0 +1,28 @@
Based on a payload written by Simen Kjeserud
Tested on firmware 1.3
Searches the user profile for .lnk files and reports on the file name,
Target file, Date Created, Date Last Written. Results are provided in
a CSV file.
Output = \loot\Link-Files\link_files.csv
Background
In an incident where it is suspected that a user has exfiltrated
data to a USB drive, the target element of any .lnk files may show
files on external media (i.e. not the C: drive.).
Note - using this payload is NOT forensically sound!
## STATUS
| LED | Status |
| ---------------- | ------------------------------------- |
| Purple (blinking)| Attack in progress |
| Green (blinking) | Attack Finished |
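Review bot: "Date Created, Date Last Written" should say that these are the timestamps of the .lnk file itself (the script reads CreationTime and LastWriteTime of the shortcut, not of the target), since for the stated use case it is when the shortcut appeared and was last updated that matters. This README also describes the same link-files payload as the earlier one but with different wording and a different credit line ("Based on a payload written by Simen Kjeserud"); settle on one README so the two do not drift.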

View File

@ -0,0 +1,53 @@
#Remove run history
powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
#Get the path and file name that you are using for output
# find connected bashbunny drive:
$VolumeName = "bashbunny"
$computerSystem = Get-CimInstance CIM_ComputerSystem
$backupDrive = $null
get-wmiobject win32_logicaldisk | % {
if ($_.VolumeName -eq $VolumeName) {
$backupDrive = $_.DeviceID
}
}
#See if a loot folder exist in usb. If not create one
$TARGETDIR = $backupDrive + "\loot"
if(!(Test-Path -Path $TARGETDIR )){
New-Item -ItemType directory -Path $TARGETDIR
}
#See if a info folder exist in loot folder. If not create one
$TARGETDIR = $backupDrive + "\loot\Link-Files"
if(!(Test-Path -Path $TARGETDIR )){
New-Item -ItemType directory -Path $TARGETDIR
}
#Create a path that will be used to make the file
$datetime = get-date -f yyyy-MM-dd_HH-mm
$backupPath = $backupDrive + "\loot\Link-Files\"
#Create output from info script
$TARGETDIR = $MyInvocation.MyCommand.Path
$TARGETDIR = $TARGETDIR -replace ".......$"
cd $TARGETDIR
$files = Get-ChildItem $env:USERPROFILE -Recurse -Filter *.lnk | select-object -Expand Fullname
foreach ($file in $files)
{
$sh = New-Object -ComObject WScript.Shell
$target = $sh.CreateShortcut($file).TargetPath
$created = (Get-ItemProperty $file).CreationTime
$written = (Get-ItemProperty $file).LastWriteTime
[PSCustomObject]@{
Linkfile = $file
Target = $target
File_Created = $created
Last_Written = $written
} | Export-Csv $backupPath\link_files.csv -notype -Append
}
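Review bot: This run.ps1 is identical to the earlier link-files script, so the PR adds the same code under two payload directories; the `-Force` omission on `Get-ChildItem` (the hidden AppData folder, and the Recent folder beneath it, will not be searched), the unconditional RunMRU wipe on an examined machine, and the missing `$backupDrive` check all apply here as well. Keeping a single copy avoids fixing the same bugs twice.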