MrSnowMonster, posted May 22, 2017

https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/recon/InfoGrabber

It has been a while since my script was updated, so if anyone wants to help make it more effective or faster it would be much appreciated :D
Dave-ee Jones, posted May 23, 2017

My Slydoor payload also has a similar .ps1 script; however, it does most of what you have there in far fewer lines. If I took away all the commenting, echos etc. it would be about 7 lines of grabbing info and writing it to the Bunny. It uses the Get-WmiObject method in PowerShell. You can grab computer system data, disk drives and logical disk drives from it. E.g.

    Get-WmiObject -Class Win32_ComputerSystem | Out-File $BunnyLootFolder -Encoding ASCII
    Get-WmiObject -Class Win32_DiskDrive | Out-File $BunnyLootFolder -Append -Encoding ASCII
    Get-WmiObject -Class Win32_LogicalDisk | Out-File $BunnyLootFolder -Append -Encoding ASCII
PoSHMagiC0de, posted May 23, 2017

10 hours ago, MrSnowMonster said: (quoting the opening post)

Applauds.... That is some sexy PowerShell. I have very little to offer but have some.

If you want to make sure your script works in all versions of PowerShell (like version 2), avoid CIM classes. I like them too in PowerShell 4 and 5, but 2 doesn't know them. Sticking to WMI will avoid this.

On line 9 in your run.ps1 file you can get some performance, if there are a lot of disks, by using a query. The more you do on the left of the pipe, the more WMI filters and the less PowerShell has to filter after the pipe. WMI filters faster and will return less. Example replacing line 9 and appending onward:

    $wmiQuery = "Select DeviceID from Win32_LogicalDisk Where VolumeName = '$($VolumeName)'"
    $BackupDrive = (Get-WmiObject -Query $wmiQuery).DeviceID

On line 33 of the same file, if you are trying to get the parent path, there is a command for that:

    $TARGETDIR = Split-Path $TARGETDIR -Parent

In the info.ps1 file I just see refactoring needing to be done. You are hitting the same WMI classes too many times. That can slow you down. I see NetworkAdapterConfiguration about 3-4 times in there. Just pull it all into a variable and then sort out all the parts you need from that variable, i.e. do a full pull of NetworkAdapterConfiguration with no pipe filters. In the next lines, filter that one variable that holds all the adapters for their parts, and when done throw it away. Same goes for PhysicalMemory.

That is what I can see from a glance.
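The two performance points in the reply above (filter on the WMI side with a WQL query, and pull a class once and slice it in memory instead of re-querying) in one runnable script. This is an added example written for this thread, not code from the InfoGrabber payload or from the poster; the function names, the `$VolumeName` parameter and the placeholder paths in the usage comments are assumptions. It sticks to `Get-WmiObject` rather than the CIM cmdlets, so it also follows the PowerShell 2 advice; the one thing added beyond the post is escaping a single quote in the label so the WQL string literal cannot be broken by a volume name containing one.

```powershell
# Added example for the Hak5 thread above; not part of InfoGrabber.
# Uses Get-WmiObject throughout so it runs on PowerShell 2 and later.

function Get-DriveLetterByLabel {
    param([Parameter(Mandatory = $true)][string]$VolumeName)
    # Filter on the WMI side: WQL does the matching and PowerShell only
    # receives the rows that passed. A single quote in the label is doubled
    # so the WQL string literal stays well-formed (assumption: labels are
    # user-controlled data, so treat them as such).
    $safeName = $VolumeName -replace "'", "''"
    $wmiQuery = "Select DeviceID from Win32_LogicalDisk Where VolumeName = '$safeName'"
    (Get-WmiObject -Query $wmiQuery).DeviceID
}

function Get-AdapterSummary {
    # Query Win32_NetworkAdapterConfiguration exactly once, then derive every
    # field from the in-memory objects instead of hitting WMI per field.
    $adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration

    $summary = foreach ($a in ($adapters | Where-Object { $_.IPEnabled })) {
        # New-Object PSObject (not [PSCustomObject]) keeps this v2-compatible.
        New-Object PSObject -Property @{
            Description = $a.Description
            MACAddress  = $a.MACAddress
            IPAddress   = ($a.IPAddress -join ', ')
            Gateway     = ($a.DefaultIPGateway -join ', ')
            DHCPEnabled = $a.DHCPEnabled
        }
    }
    Remove-Variable adapters   # raw collection no longer needed
    $summary
}

function Get-MemorySummary {
    # Same pattern for Win32_PhysicalMemory: one query, several facts from it.
    $modules    = @(Get-WmiObject -Class Win32_PhysicalMemory)
    $totalBytes = ($modules | Measure-Object -Property Capacity -Sum).Sum
    New-Object PSObject -Property @{
        ModuleCount = $modules.Count
        TotalGB     = [math]::Round($totalBytes / 1GB, 2)
        SpeedsMHz   = (($modules | ForEach-Object { $_.Speed } | Sort-Object -Unique) -join ', ')
    }
}

# Usage (label and path are placeholders, not values from the thread):
# Get-DriveLetterByLabel -VolumeName 'MyVolume'
# Get-AdapterSummary | Format-Table -AutoSize
# Get-MemorySummary
# Split-Path 'C:\path\to\run.ps1' -Parent    # returns the script's folder
```

Measuring the difference is easy on a host with many disks or adapters: wrap `Get-AdapterSummary` in `Measure-Command` and compare it with a version that calls `Get-WmiObject -Class Win32_NetworkAdapterConfiguration` once per field. The WQL filter also matters for defenders reading endpoint telemetry: a single `-Query` shows up as one WMI call instead of a full class enumeration followed by client-side filtering.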
Dave-ee Jones, posted May 23, 2017

51 minutes ago, PoSHMagiC0de said: (quoting the reply above in full)

+1.
LowValueTarget, posted May 23, 2017

In your payload.txt, you can remove about 10 lines and replace them with one.

https://gist.github.com/hink/a8b57d16234042e5adc0182e5e1779c7

GET SWITCH_POSITION takes care of the logic of finding the switch position for you. It's a default extension.
MrSnowMonster (author), posted May 23, 2017

14 hours ago, PoSHMagiC0de said: (quoting the reply above in full)

Thank you for replying, will try to change it up a bit when my exams are over :P