Jump to content

[PAYLOAD] USB_Exfiltrator

Darren Kitchen

By Darren Kitchen
in Payloads

Recommended Posts

Seczilla Newbie

Seczilla

Posted
Posted
5 minutes ago, peterkozmd said:

Can there be a version that snags also images, address books,emails, bookmarks, passwords,etc.  an AIO (all-in one) that takes anything remotely interesting =)

You can adapt it really easy. 

xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.pdf %dst% >>nul

Just change the *.pdf in line 22 of the e.cmd file to whatever you want.

Link to comment
Share on other sites
Rainman_34 Newbie

Rainman_34

Posted
Posted

Though as @Seczilla said the payload can be modified the bash bunny only has 8GB of storage and an all in one of those might possibly become full VERY quickly.  I think it would be more practical to do like with the Rubber Ducky where it extracts to a separate USB with a specific file name.

Link to comment
Share on other sites
Doctare Newbie

Doctare

Posted
Posted

I must be doing something wrong.  I get the flashing white " Dependencies not met. Responder not installed in /pentest "  

I tried loading the tools and think I did it right.  Also the Bunny does not show up as a WiFi device when I run that script.

 

Link to comment
Share on other sites
Tylor B. Newbie

Tylor B.

Posted
Posted

I have not received my bunny yet (march 10th batch) but had an idea for this, because of the limited space on the bunny 8 GB SSD would it be possible to reroute the loot file directory onto another usb drive then 

 cd /media/usr_name/drive_name/loot

then store files on the other larger/faster driver? would have to have a variable for the usr_name then once found use that to cd onto the other drive I will try to develop farther once I receive mine but anybody got any ideas for this?

Link to comment
Share on other sites
gmonk Newbie

gmonk

Posted
Posted

Something I noticed and perhaps done by design.  After running this payload on a windows 10 system:

  • the 'loot' is captured as expected however the files 'd.cmd e.cmd and i.vbs are now located on the root of the BashBunny in arming mode.
  • in the 'switch2' the install.sh is appended -INSTALLED

Does anyone else observe this on theirs and is that done by design?

Link to comment
Share on other sites
rastating Newbie

rastating

Posted
Posted
10 hours ago, gmonk said:

Something I noticed and perhaps done by design.  After running this payload on a windows 10 system:

  • the 'loot' is captured as expected however the files 'd.cmd e.cmd and i.vbs are now located on the root of the BashBunny in arming mode.
  • in the 'switch2' the install.sh is appended -INSTALLED

Does anyone else observe this on theirs and is that done by design?

Yup, that's by design. I believe the logic being that the Powershell command needs to know the path that it is executing the cmd file from, so it finds the drive letter of the storage with the name "BashBunny", and then appends d.cmd to it (I think it was d.cmd anyway... it's whichever one kick starts it all).

If it didn't copy the files into the root, then it may make it more difficult to know where the files are, due to it being potentially in two different locations (i.e. switch1 or switch2). I might see if it's possible to run it all within a switch folder instead of moving them, but I suspect it might not be doable!

The appending of "INSTALLED" is to prevent the install.sh file being executed a second time for subsequent payload executions, as all the files are in the place they need to be.

Link to comment
Share on other sites
TTommy Newbie

TTommy

Posted
Posted

I have this attack working on my rubber ducky but for some reason I am not cracking the code on how you got this to work on the bash bunny.

What were the steps you followed to get this payload to work because I am not understanding what needs to go where?

1. Move switch to ARM

2. Navigate to Switch# folder

3. Drop d.cmd, e.cmd, i.vbs, payload.txt into folder

4. Eject the device

5. Move switch to Switch#

6. Insert device

7. Profit

I modified the payload so I could see what it is hanging up on and it is not getting the switch value from bunny_helpers.sh:

powershell .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads$SWITCH_POSITION\d.cmd')
. : The term 'D:\payloads$SWITCH_POSITION\d.cmd' is not recognized as the name of a cmdlet, function, script file, or
operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
again.
At line:1 char:2
+ .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads$SWITCH_ ...
+  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (D:\payloads$SWITCH_POSITION\d.cmd:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

 

Does bunny_helpers.sh need to be somewhere special?

Link to comment
Share on other sites
rastating Newbie

rastating

Posted
Posted
12 minutes ago, TTommy said:

I have this attack working on my rubber ducky but for some reason I am not cracking the code on how you got this to work on the bash bunny.

What were the steps you followed to get this payload to work because I am not understanding what needs to go where?

1. Move switch to ARM

2. Navigate to Switch# folder

3. Drop d.cmd, e.cmd, i.vbs, payload.txt into folder

4. Eject the device

5. Move switch to Switch#

6. Insert device

7. Profit

I modified the payload so I could see what it is hanging up on and it is not getting the switch value from bunny_helpers.sh:

powershell .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads$SWITCH_POSITION\d.cmd')
. : The term 'D:\payloads$SWITCH_POSITION\d.cmd' is not recognized as the name of a cmdlet, function, script file, or
operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
again.
At line:1 char:2
+ .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads$SWITCH_ ...
+  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (D:\payloads$SWITCH_POSITION\d.cmd:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

 

Does bunny_helpers.sh need to be somewhere special?

I tested using the previous version of the payload, that installs the cmd files and vbs file into the root. It looks like you're using the latest version which is supposed to keep everything inside the switch* folder.

If you want to use the previous version, you can grab the files from commit dcace71 on GitHub / this link: https://github.com/hak5/bashbunny-payloads/tree/dcace71e99bfb9e69cd02c30b4bb6db60f93d9d4/payloads/library/usb_exfiltrator

I'll give the new version a test too, and see if I can replicate the problem / try to fix it :)

 

Link to comment
Share on other sites
gmonk Newbie

gmonk

Posted
Posted
11 hours ago, rastating said:

Yup, that's by design. I believe the logic being that the Powershell command needs to know the path that it is executing the cmd file from, so it finds the drive letter of the storage with the name "BashBunny", and then appends d.cmd to it (I think it was d.cmd anyway... it's whichever one kick starts it all).

If it didn't copy the files into the root, then it may make it more difficult to know where the files are, due to it being potentially in two different locations (i.e. switch1 or switch2). I might see if it's possible to run it all within a switch folder instead of moving them, but I suspect it might not be doable!

The appending of "INSTALLED" is to prevent the install.sh file being executed a second time for subsequent payload executions, as all the files are in the place they need to be.

Def good to know, thanks for explaining!

Link to comment
Share on other sites
kpeezy Newbie

kpeezy

Posted
Posted

Hey guys quick question,

May be a noob question but I'm trying to get this payload to work. Where do i put d.cmd, e.cmd, and i.vbs files? do they go in the switch1 folder along with the payload or do they go in the library folder?

Thank you,
kpeezy

Link to comment
Share on other sites
Black_chameleon Newbie

Black_chameleon

Posted
Posted
1 hour ago, kpeezy said:

Hey guys quick question,

May be a noob question but I'm trying to get this payload to work. Where do i put d.cmd, e.cmd, and i.vbs files? do they go in the switch1 folder along with the payload or do they go in the library folder?

Thank you,
kpeezy

Yes!  Copy the contents of the folder over to the switch folder.  They call each other, and each one assumes the next one is in the same location.  Good luck!

Link to comment
Share on other sites
kpeezy Newbie

kpeezy

Posted
Posted
3 hours ago, Black_chameleon said:

Yes!  Copy the contents of the folder over to the switch folder.  They call each other, and each one assumes the next one is in the same location.  Good luck!

Thanks alot! Just got er workin! BADASS! :ph34r:

Link to comment
Share on other sites
trumoo Newbie

trumoo

Posted
Posted

I altered this script to copy a folder from appdata. It copied OK and worked fine, light turned green, safely removed, etc. Problem now is when I go to delete the folder, nothing happens in Windows explorer. The stuff in question is the Chrome folder from %appdata% - I can delete individual files within subdirectories on my Bash Bunny, but when I try to delete or access certain folders in my loot, I get no activity or a message saying

Location is not available - The file or directory is corrupted and unreadable.

What gives? What can I run via cmd line to delete these ghost folders now?

PS: Every time my script finishes, I hear a Ghostbuster saying "light is green; trap is clean"

Link to comment
Share on other sites
nutt318 Newbie

nutt318

Posted
Posted

Is there a log file or anything to see results on what occurred? Just tested this payload and while it created the folder of my machine it never copied any documents into that folder. Yes, there are .pdf files in the documents folder. Just trying to figure out why nothing copied over the the loot directory when the folder got created with my machines hostname.

Thanks!

Link to comment
Share on other sites
zerocooler Newbie

zerocooler

Posted
Posted
On 3/15/2017 at 0:01 PM, nutt318 said:

Is there a log file or anything to see results on what occurred? Just tested this payload and while it created the folder of my machine it never copied any documents into that folder. Yes, there are .pdf files in the documents folder. Just trying to figure out why nothing copied over the the loot directory when the folder got created with my machines hostname.

Thanks!

I have yet to see any log file. Though, I suppose you could have it write one along-side what it's doing.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...