277 lines
6.5 KiB
Bash
277 lines
6.5 KiB
Bash
|
#!/bin/bash
|
||
|
#
|
||
|
# This payload is for the original Packet Squirrel. It may not work on
|
||
|
# the Packet Squirrel Mark II
|
||
|
#
|
||
|
# Title: NMap Dump
|
||
|
# Description: Dumps NMap scan data to USB storage.
|
||
|
# Author: infoskirmish.com
|
||
|
# Version: 2.0
|
||
|
# Category: sniffing
|
||
|
# Target: Any
|
||
|
# Net Mode: TRANSPARENT
|
||
|
|
||
|
# Updated to the Packet Squirrel Mark II by Hak5
|
||
|
|
||
|
# LEDs
|
||
|
# SUCCESS: Scan complete
|
||
|
# FAIL: No USB storage found
|
||
|
# SCANNING: Rapid White
|
||
|
|
||
|
#### Constants ####
|
||
|
|
||
|
# If you know which interface will allow outbound traffic you can specify it here
|
||
|
# leaving it blank will enable the payload trying to attempt to figure out which
|
||
|
# interface to use.
|
||
|
defaultInterface="lo"
|
||
|
|
||
|
|
||
|
# Number of decoy IPs to spawn
|
||
|
rndDecoyNumber=5
|
||
|
|
||
|
# Spoof the MAC of this device type
|
||
|
spoofDevType="Cisco"
|
||
|
|
||
|
# Seconds to sleep while loading NAT
|
||
|
netSleep=10
|
||
|
|
||
|
# Squirrel NETMODE TRANSPARENT | BRDIGE | NAT | NONE
|
||
|
# BRIDGE mode will preserve the Squirrel IP
|
||
|
mode="BRIDGE"
|
||
|
|
||
|
# When done what should we do? reboot | halt | nothing | poweroff
|
||
|
onEnd="halt"
|
||
|
|
||
|
# Path to store results
|
||
|
lootPath="/usb/loot/nmapdump"
|
||
|
|
||
|
# File name scheme
|
||
|
lootFileNameScheme="nmapdump_$(date +%Y-%m-%d-%H%M)"
|
||
|
|
||
|
# Clear the log every run?
|
||
|
clearLogs=true
|
||
|
|
||
|
#### Payload Code ####
|
||
|
|
||
|
function finish() {
|
||
|
|
||
|
# Sync filesystem
|
||
|
sync
|
||
|
|
||
|
# Indicate successful shutdown
|
||
|
LED B SUCCESS
|
||
|
sleep 1
|
||
|
|
||
|
# Halt the system
|
||
|
LED OFF
|
||
|
|
||
|
case "$onEnd" in
|
||
|
"poweroff") poweroff ;;
|
||
|
"reboot") reboot ;;
|
||
|
"halt") halt ;;
|
||
|
"nothing") echo "see ya!" >> $lootPath/log.txt ;;
|
||
|
*) reboot;;
|
||
|
esac
|
||
|
|
||
|
}
|
||
|
|
||
|
function run() {
|
||
|
|
||
|
# Create loot directory
|
||
|
mkdir -p $lootPath &> /dev/null
|
||
|
|
||
|
# Clear the logs
|
||
|
if [ "${clearLogs}x" == "truex" ]; then
|
||
|
echo > ${lootPath}/log.txt
|
||
|
fi
|
||
|
|
||
|
# Set networking mode to user preferance and sleep to allow time to sync up.
|
||
|
# If set to NONE this will not be set and thus not kick you out of your SSH session.
|
||
|
if [ "$mode" != "NONE" ]; then
|
||
|
|
||
|
NETMODE $mode
|
||
|
sleep $netSleep
|
||
|
|
||
|
fi
|
||
|
|
||
|
# Log ifconfig data; helpful for troubleshooting
|
||
|
ifconfig >> $lootPath/log.txt
|
||
|
|
||
|
# Starting scanning LED (rapid white blink)
|
||
|
LED W VERYFAST
|
||
|
|
||
|
# Run nmap scan with options
|
||
|
|
||
|
# Now lets figure out which interface to use.
|
||
|
iface=$(ip -o link show | awk '{print $2}')
|
||
|
|
||
|
# Set ipv6 default to null
|
||
|
ipv6=""
|
||
|
|
||
|
# Now lets look at the ip addresses assigned to the various interfaces.
|
||
|
while IFS= read -r line; do
|
||
|
|
||
|
# Standardize interface name
|
||
|
line="${line//:}"
|
||
|
|
||
|
# We can skip lo
|
||
|
if [ "$line" != "lo" ]; then
|
||
|
|
||
|
# Get IP Address for Interface.
|
||
|
ifip=$(ifconfig $line 2>/dev/null|awk '/inet addr:/ {print $2}'|sed 's/addr://')
|
||
|
|
||
|
# Make sure result is not null.
|
||
|
if [ "$ifip" ]; then
|
||
|
|
||
|
# Store for later use the ip addresses associted with interface.
|
||
|
# We don't want an empty 1st line.
|
||
|
if [ "$ipaddresses" ]; then
|
||
|
ipaddresses+=$'\n'$ifip
|
||
|
else
|
||
|
ipaddresses=$ifip
|
||
|
fi
|
||
|
|
||
|
# If user has specified a default interface than we can disregard.
|
||
|
if [ ! "$defaultInterface" ]; then
|
||
|
|
||
|
# Store the interface for later use.
|
||
|
# We don't want an empty 1st line.
|
||
|
if [ "$interfaces" ]; then
|
||
|
interfaces+=$'\n'$line
|
||
|
else
|
||
|
interfaces=$line
|
||
|
fi
|
||
|
fi
|
||
|
|
||
|
# convert ip to subnet
|
||
|
newSubNet=`echo $ifip | cut -d"." -f1-3`
|
||
|
newSubNet=$newSubNet".1/24"
|
||
|
|
||
|
# Add subnet to list
|
||
|
# We don't want a leading empty character.
|
||
|
if [ "$newSubNet" ]; then
|
||
|
targets+=" $newSubNet"
|
||
|
else
|
||
|
targets=$newSubNet
|
||
|
fi
|
||
|
|
||
|
fi
|
||
|
|
||
|
fi # end our test for lo
|
||
|
|
||
|
done <<< "$iface" # loop to gather IP addresses
|
||
|
|
||
|
# Clean up subnets to remove accidental double spaces.
|
||
|
echo "$targets" | awk '$1=$1' &> /dev/null
|
||
|
|
||
|
# if targets is empty we have no subnets. Let's check if we can find IPv6
|
||
|
if [ ! "$targets" ]; then
|
||
|
|
||
|
# Collect all uniqu IPv6 address that we can ping.
|
||
|
ipv6=$(ping -6 ff02::1 -w 10 2>/dev/null | awk '/from/ {print $4}' | cut -d":" -f1-6 | sort | uniq | tr "\r\n" " ")
|
||
|
if [ ! "$ipv6" ]; then
|
||
|
|
||
|
# We could not find any ipv4 address and ipv6 returned nothing.
|
||
|
echo "Could not accquire any IP addresses to scan." >> $lootPath/log.txt
|
||
|
sync
|
||
|
LED OFF
|
||
|
exit 1
|
||
|
fi
|
||
|
fi
|
||
|
|
||
|
# Add lo as some setups the loopback maybe the interface to send out traffic
|
||
|
# If user supplies default interface tie in their selection and disregard the
|
||
|
# auto locate data.
|
||
|
if [ ! "$defaultInterface" ]; then
|
||
|
interfaces+=$'\nlo'
|
||
|
else
|
||
|
interfaces=$defaultInterface
|
||
|
fi
|
||
|
|
||
|
# log subnets and ip addresses we found
|
||
|
echo "Subnets to scan $targets" >> $lootPath/log.txt
|
||
|
echo "IPs to scan $ipaddresses" >> $lootPath/log.txt
|
||
|
|
||
|
# Document the fact we will be scanning ipv6
|
||
|
if [ "$ipv6" ]; then
|
||
|
echo "We will be scanning ipv6 addresses" >> $lootPath/log.txt
|
||
|
fi
|
||
|
|
||
|
# Now lets find the interface that will allow outbound traffic on the LAN.
|
||
|
while IFS= read -r interface; do
|
||
|
|
||
|
# We will use the ip addresses we found to see if this interface can ping it.
|
||
|
while IFS= read -r ip; do
|
||
|
|
||
|
# If we can send ping packets then the interface is likley able to work with nmap
|
||
|
# Determin if we should ping in ipv4 or ipv6
|
||
|
if [ ! "$ipv6" ]; then
|
||
|
|
||
|
if [[ ! $(ping -I $interface $ip -w 3 | grep '0 packets received') ]]; then
|
||
|
|
||
|
# Make sure wee don't end up with a blank first line.
|
||
|
if [ "$goodInterface" ]; then
|
||
|
|
||
|
goodInterfaces+=$'\n'$interface
|
||
|
else
|
||
|
goodInterfaces=$interface
|
||
|
fi
|
||
|
fi
|
||
|
|
||
|
else
|
||
|
|
||
|
if [[ ! $(ping -6 ff02::1 -w 3 | grep '0 packets received') ]]; then
|
||
|
|
||
|
# Make sure wee don't end up with a blank first line.
|
||
|
if [ "$goodInterface" ]; then
|
||
|
|
||
|
goodInterfaces+=$'\n'$interface
|
||
|
else
|
||
|
goodInterfaces=$interface
|
||
|
fi
|
||
|
fi
|
||
|
|
||
|
fi
|
||
|
|
||
|
done <<< "$ipaddresses" # end loop to find interfaces we can use
|
||
|
|
||
|
done <<< "$interfaces" # end loop to scan interfaces
|
||
|
|
||
|
# Log interfaces we can use
|
||
|
echo "Interfaces allowing outbound traffic: $goodInterfaces" >> $lootPath/log.txt
|
||
|
|
||
|
# Make sure we have interfaces that will allow outbound traffic.
|
||
|
if [ "$goodInterfaces" ]; then
|
||
|
while IFS= read -r goodInterface; do
|
||
|
|
||
|
# Finally! Lets run NMap!
|
||
|
# Use ipv4
|
||
|
if [ ! "$ipv6" ]; then
|
||
|
nmap -Pn -e $goodInterface -sS -F -sV -oA $lootPath/$lootFileNameScheme -D RND:$rndDecoyNumber --randomize-hosts --spoof-mac $spoofDevType $targets >> $lootPath/log.txt
|
||
|
else
|
||
|
# Use ipv6
|
||
|
nmap -Pn -e $goodInterface -sT -F -R -oA $lootPath/$lootFileNameScheme --randomize-hosts --spoof-mac $spoofDevType -6 $ipv6 >> $lootPath/log.txt
|
||
|
fi
|
||
|
|
||
|
done <<< "$goodInterfaces"
|
||
|
|
||
|
else
|
||
|
echo "Could not find any interfaces that will allow outbound traffic." >> $lootPath/log.txt
|
||
|
exit 1
|
||
|
fi
|
||
|
|
||
|
|
||
|
# Done scanning; clean up.
|
||
|
finish
|
||
|
|
||
|
} # end run() function
|
||
|
|
||
|
USB_WAIT
|
||
|
|
||
|
# Show attack LED
|
||
|
LED ATTACK
|
||
|
|
||
|
# ATTACK!!!!
|
||
|
run
|
||
|
|