Home - addenial/smugglebus GitHub Wiki

SmuggleBus is a USB and netboot/PXE bootable tool, built on a barebones Linux, designed to aid penetration testers and red teamers performing physical social engineering exercises.

Upon obtaining physical access to the target organization's premises, the SmuggleBus can be used to aid in collecting local credentials and implanting backdoors. This is accomplished by taking advantage of unencrypted system hard drives.

A typical attack flow consists of the following:

- The pentester obtains physical access and identifies a desktop system not in use (unattended, in a conference room, or a kiosk).
- The pentester shuts down the target system and boots into the SmuggleBus.
- In seconds, SmuggleBus will then:
  - Find and mount the unencrypted system hard drive.
  - Copy the local hives (SAM, SYSTEM, SECURITY, SOFTWARE) onto the SmuggleBus.
    - Optionally uses a combination of symmetric and asymmetric cryptography to encrypt the files prior to writing them to flash-drive storage.
  - Implant a payload (Meterpreter, Empire, or Cobalt Strike), configured to run as SYSTEM.
  - Safely shut down and return to the standard Windows OS boot.
- Upon boot, the system executes the payload. Any uploaded or modified files get cleaned up.
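The flow above depends on one precondition: the system volume is not encrypted, so anything booted from removable media can read it offline. The following PowerShell audit is an added defender-side check and is not part of the SmuggleBus project; it reports, per volume, the BitLocker state and key protectors using the built-in `Get-BitLockerVolume` cmdlet, and flags volumes that would be readable offline. The function name `Get-OfflineDiskExposure` and the `OfflineExposed` field are this example's own names, not anything from the project.

```powershell
# Added defender-side check, not part of the SmuggleBus project.
# Reports whether each BitLocker-capable volume is fully encrypted with
# protection turned on, and which key protectors are present, so a fleet
# can be audited for the "unencrypted system drive" condition above.
# Requires the BitLocker PowerShell module (Windows 8 / Server 2012 and
# later) and an elevated prompt.
function Get-OfflineDiskExposure {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # Key protector types, e.g. Tpm, TpmPin, RecoveryPassword
        $protectors = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','

        # A volume is readable offline unless it is both fully encrypted
        # and currently protected (a suspended or decrypting volume counts
        # as exposed).
        $exposed = ($vol.ProtectionStatus -ne 'On') -or
                   ($vol.VolumeStatus -ne 'FullyEncrypted')

        [PSCustomObject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            EncryptionMethod = $vol.EncryptionMethod
            KeyProtectors    = $protectors
            OfflineExposed   = $exposed   # hypothetical field name for this audit
        }
    }
}

Get-OfflineDiskExposure | Format-Table -AutoSize
```

Any row where `OfflineExposed` is `True` for the OS volume is a machine in exactly the state the attack flow relies on; the usual remediation is full-volume BitLocker with a TPM-based protector, plus a firmware password and boot order that prevents unattended removable-media boot.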

## Operating System

The SmuggleBus is built on Tiny Core Linux OS (http://distro.ibiblio.org/tinycorelinux), with only the essential packages loaded in.

When imaged, the following will reside in the SmuggleBus home folder under /home/tc/:

| File | Description |
|---|---|
| startup.sh | Executed on boot. Launches the smugglebus.py script and restarts the system upon completion. |
| smugglebus3.py | Latest version (Python 3). |
| smugglebus-legacy.py | Python 2.7 code that identifies and mounts the Windows OS partition, exports the hashes, and sets up the backdoor. (Based on HashGrab v2.0 by s3my0n, under the GNU General Public License.) |
| public_key.pem | Legacy version: public key used to encrypt the exported hives prior to writing to flash memory. Optional; encryption is applied only if the file exists. |
| payload | Placeholder location for the backdoor implant files (spoolsv.exe and start.exe). |
| .profile | Used to launch startup.sh once TinyCore is fully loaded. |