packetsquirrel-payloads/payloads/recon/nmapdump/payload.sh

277 lines
6.5 KiB
Bash
Raw Normal View History

2017-11-21 00:12:12 +00:00
#!/bin/bash
#
# This payload is for the original Packet Squirrel. It may not work on
# the Packet Squirrel Mark II
#
2017-11-21 00:12:12 +00:00
# Title: NMap Dump
# Description: Dumps NMap scan data to USB storage.
# Author: infoskirmish.com
# Version: 2.0
2017-11-21 00:12:12 +00:00
# Category: sniffing
# Target: Any
# Net Mode: TRANSPARENT
# Updated to the Packet Squirrel Mark II by Hak5
2017-11-21 00:12:12 +00:00
# LEDs
# SUCCESS: Scan complete
# FAIL: No USB storage found
# SCANNING: Rapid White
#### Constants ####
# If you know which interface will allow outbound traffic you can specify it here
# leaving it blank will enable the payload trying to attempt to figure out which
# interface to use.
defaultInterface="lo"
# Number of decoy IPs to spawn
rndDecoyNumber=5
# Spoof the MAC of this device type
spoofDevType="Cisco"
# Seconds to sleep while loading NAT
netSleep=10
# Squirrel NETMODE TRANSPARENT | BRDIGE | NAT | NONE
# BRIDGE mode will preserve the Squirrel IP
mode="BRIDGE"
# When done what should we do? reboot | halt | nothing | poweroff
onEnd="halt"
2017-11-21 00:12:12 +00:00
# Path to store results
lootPath="/usb/loot/nmapdump"
2017-11-21 00:12:12 +00:00
# File name scheme
lootFileNameScheme="nmapdump_$(date +%Y-%m-%d-%H%M)"
2017-11-21 00:12:12 +00:00
# Clear the log every run?
clearLogs=true
2017-11-21 00:12:12 +00:00
#### Payload Code ####
function finish() {
# Sync filesystem
sync
# Indicate successful shutdown
LED B SUCCESS
sleep 1
# Halt the system
LED OFF
case "$onEnd" in
"poweroff") poweroff ;;
"reboot") reboot ;;
"halt") halt ;;
"nothing") echo "see ya!" >> $lootPath/log.txt ;;
*) reboot;;
esac
}
function run() {
# Create loot directory
mkdir -p $lootPath &> /dev/null
# Clear the logs
if [ "${clearLogs}x" == "truex" ]; then
echo > ${lootPath}/log.txt
fi
2017-11-21 00:12:12 +00:00
# Set networking mode to user preferance and sleep to allow time to sync up.
# If set to NONE this will not be set and thus not kick you out of your SSH session.
if [ "$mode" != "NONE" ]; then
NETMODE $mode
sleep $netSleep
fi
# Log ifconfig data; helpful for troubleshooting
ifconfig >> $lootPath/log.txt
# Starting scanning LED (rapid white blink)
LED W VERYFAST
# Run nmap scan with options
# Now lets figure out which interface to use.
iface=$(ip -o link show | awk '{print $2}')
# Set ipv6 default to null
ipv6=""
# Now lets look at the ip addresses assigned to the various interfaces.
while IFS= read -r line; do
# Standardize interface name
line="${line//:}"
# We can skip lo
if [ "$line" != "lo" ]; then
# Get IP Address for Interface.
ifip=$(ifconfig $line 2>/dev/null|awk '/inet addr:/ {print $2}'|sed 's/addr://')
# Make sure result is not null.
if [ "$ifip" ]; then
# Store for later use the ip addresses associted with interface.
# We don't want an empty 1st line.
if [ "$ipaddresses" ]; then
ipaddresses+=$'\n'$ifip
else
ipaddresses=$ifip
fi
# If user has specified a default interface than we can disregard.
if [ ! "$defaultInterface" ]; then
# Store the interface for later use.
# We don't want an empty 1st line.
if [ "$interfaces" ]; then
interfaces+=$'\n'$line
else
interfaces=$line
fi
fi
# convert ip to subnet
newSubNet=`echo $ifip | cut -d"." -f1-3`
newSubNet=$newSubNet".1/24"
# Add subnet to list
# We don't want a leading empty character.
if [ "$newSubNet" ]; then
targets+=" $newSubNet"
else
targets=$newSubNet
fi
fi
fi # end our test for lo
done <<< "$iface" # loop to gather IP addresses
# Clean up subnets to remove accidental double spaces.
echo "$targets" | awk '$1=$1' &> /dev/null
# if targets is empty we have no subnets. Let's check if we can find IPv6
if [ ! "$targets" ]; then
# Collect all uniqu IPv6 address that we can ping.
ipv6=$(ping -6 ff02::1 -w 10 2>/dev/null | awk '/from/ {print $4}' | cut -d":" -f1-6 | sort | uniq | tr "\r\n" " ")
if [ ! "$ipv6" ]; then
# We could not find any ipv4 address and ipv6 returned nothing.
echo "Could not accquire any IP addresses to scan." >> $lootPath/log.txt
sync
LED OFF
exit 1
fi
fi
# Add lo as some setups the loopback maybe the interface to send out traffic
# If user supplies default interface tie in their selection and disregard the
# auto locate data.
if [ ! "$defaultInterface" ]; then
interfaces+=$'\nlo'
else
interfaces=$defaultInterface
fi
# log subnets and ip addresses we found
echo "Subnets to scan $targets" >> $lootPath/log.txt
echo "IPs to scan $ipaddresses" >> $lootPath/log.txt
# Document the fact we will be scanning ipv6
if [ "$ipv6" ]; then
echo "We will be scanning ipv6 addresses" >> $lootPath/log.txt
fi
# Now lets find the interface that will allow outbound traffic on the LAN.
while IFS= read -r interface; do
# We will use the ip addresses we found to see if this interface can ping it.
while IFS= read -r ip; do
# If we can send ping packets then the interface is likley able to work with nmap
# Determin if we should ping in ipv4 or ipv6
if [ ! "$ipv6" ]; then
if [[ ! $(ping -I $interface $ip -w 3 | grep '0 packets received') ]]; then
# Make sure wee don't end up with a blank first line.
if [ "$goodInterface" ]; then
goodInterfaces+=$'\n'$interface
else
goodInterfaces=$interface
fi
fi
else
if [[ ! $(ping -6 ff02::1 -w 3 | grep '0 packets received') ]]; then
# Make sure wee don't end up with a blank first line.
if [ "$goodInterface" ]; then
goodInterfaces+=$'\n'$interface
else
goodInterfaces=$interface
fi
fi
fi
done <<< "$ipaddresses" # end loop to find interfaces we can use
done <<< "$interfaces" # end loop to scan interfaces
# Log interfaces we can use
echo "Interfaces allowing outbound traffic: $goodInterfaces" >> $lootPath/log.txt
# Make sure we have interfaces that will allow outbound traffic.
if [ "$goodInterfaces" ]; then
while IFS= read -r goodInterface; do
# Finally! Lets run NMap!
# Use ipv4
if [ ! "$ipv6" ]; then
nmap -Pn -e $goodInterface -sS -F -sV -oA $lootPath/$lootFileNameScheme -D RND:$rndDecoyNumber --randomize-hosts --spoof-mac $spoofDevType $targets >> $lootPath/log.txt
else
# Use ipv6
nmap -Pn -e $goodInterface -sT -F -R -oA $lootPath/$lootFileNameScheme --randomize-hosts --spoof-mac $spoofDevType -6 $ipv6 >> $lootPath/log.txt
fi
done <<< "$goodInterfaces"
else
echo "Could not find any interfaces that will allow outbound traffic." >> $lootPath/log.txt
exit 1
fi
# Done scanning; clean up.
finish
} # end run() function
USB_WAIT
2017-11-21 00:12:12 +00:00
# Show attack LED
LED ATTACK
2017-11-21 00:12:12 +00:00
# ATTACK!!!!
run
2017-11-21 00:12:12 +00:00