Hook repositories
Tomasz Klim edited this page Mar 19, 2022 · 6 revisions
Each partition recognized by Drive Badger during an attack is passed, between `mount` and `rsync`, through a series of hooks. Hooks are functional plugins, cloned into the `/opt/drivebadger/hooks` directory, that process the given filesystem in a more intelligent way than just copying all data.
- `hook-fstab` - look for `/etc/fstab` files, extract all statically defined `smbfs`/`cifs` and `nfs` shares and exfiltrate them
- `hook-wcxftp` - look for Total Commander's `wcx_ftp.ini` files with saved FTP passwords, extract and decode passwords, and exfiltrate FTP accounts
- `hook-virtual` - look for VMware/Hyper-V virtual drive images and exfiltrate them recursively
You can implement your own hooks. Each hook repository must contain a `hook.sh` script, accepting 2 arguments:

- source path (where the partition is mounted)
- target root directory (where the exfiltrated data should be written)
© Copyright 2020-2022 by Tomasz Klim Payload.pl