sharkjack-payloads/payloads/library/recon/Network-Recon-framework-pay...
rcoemans 0e190ca030
Network Recon framework payload with logging notification and exfiltration
Swiss knife network reconnaissance payload with options for SSH server, Cloud C2 exfiltration and led blinking for IP address, payload is based on various sample payloads from HAK5, MonsieurMarc, Topknot and others. This payload script has been organized in a way it is easy to be extended with additional recon (attack) functions.

The script has been created in a modular fashion which allows easy extending the script with new functions (e.g. recon, notification or exfiltration functions). The script furthermore incorporates logic to determine already existing loot folders and create a new (unique) loot folder every time the script is executed.
2020-08-20 21:30:12 +02:00
..
payload.sh Network Recon framework payload with logging notification and exfiltration 2020-08-20 21:30:12 +02:00
readme.md Network Recon framework payload with logging notification and exfiltration 2020-08-20 21:30:12 +02:00

readme.md

Network reconnaissance payload for Shark Jack


Author: Robert Coemans Version: 1.0

Description


Swiss knife network reconnaissance payload with options for SSH server, Cloud C2 exfiltration and led blinking for IP address, payload is based on various sample payloads from HAK5, MonsieurMarc, Topknot and others. This payload script has been organized in a way it is easy to be extended with additional recon (attack) functions.

The script has been created in a modular fashion which allows easy extending the script with new functions (e.g. recon, notification or exfiltration functions). The script furthermore incorporates logic to determine already existing loot folders and create a new (unique) loot folder every time the script is executed.

payload.sh


Use

  1. Copy to /root/payload folder with the name payload.sh: /root/payload/payload.sh

Toggles

Toggle Description Values
CHANGE_HOSTNAME Use an alternative hostname by using the variable HOSTNAME true/false
CHANGE_MAC_ADDRESS Use an alternative mac address by using the variable MAC_ADDRESS true/false
LOOKUP_SUBNET Lookup the subnet true/false
COPY_BACK_DHCP_RETRIEVED_DNS_SERVERS Copy back the automatically detected DHCP information e.g. DNS servers and domain true/false
USE_CUSTOM_DNS_SERVER Use a manually specified DNS server true/false
START_SSH_SERVER Start the Secure SHell server (not needed in case Cloud C2 is being used) true/false
CHECK_DEFAULT_GATEWAY Lookup and test the default gateway true/false
CHECK_INTERNET_ACCESS Test Internet connectivity true/false
GET_EXTERNAL_IP_ADDRESS Get the external (public) IP address by using the service specified in the variable PUBLIC_IP_URL true/false
NOTIFY_HOMEY Send start/stop notifications to Homey true/false
NOTIFY_PUSHOVER Send start/stop notifications to Pushover true/false
NOTIFY_SLACK Send start/stop notifications to Slack true/false
START_CLOUD_C2_CLIENT Have script start Cloud C2 client in case Cloud C2 client is not yet started true/false
GRAB_IFCONFIG_LOOT Grab loot around the ETH0 interface true/false
GRAB_TRACEROUTE_LOOT Grab traceroute loot by using the host given in the variable TRACEROUTE_HOST true/false
GRAB_DNS_INFORMATION_LOOT Grab Domain Name System information stored on the Shark Jack (see: RESOLV.CONF variables) true/false
GRAB_PUBLIC_IP_WHOIS_LOOT Grab public WHOIS loot for the external (public) IP address true/false
GRAB_LLDP_LOOT Grab loot around interfaces and neighbours using the Link Layer Discovery Protocol true/false
GRAP_ARP_SCAN_LOOT Grab ARP (Address Resolution Protocol) loot including looking up of MAC addresses true/false
GRAB_NMAP_LOOT Grab NMAP (Network Mapper) loot true/false
GRAB_NMAP_INTERESTING_HOSTS_LOOT Grab NMAP (Network Mapper) loot for interesting files (more extensive NMAP lookup can be enforced) true/false
GRAB_DIG_LOOT Grab DNS loot using DIG true/false
TRY_TO_GET_INTERNAL_DOMAINS Try to get the internal domains automatically (lookup /tmp/resolv.conf.auto) true/false
EXFIL_TO_CLOUD_C2 Exfiltrate loot files and log file to Cloud C2 true/false
EXFIL_TO_PASTEBIN Exfiltrate loot files and log file to Pastebin true/false
EXFIL_TO_SLACK Exfiltrate loot files and log file to Slack true/false
BLINK_INTERNAL_IP_ADDRESS Blink the whole or part of the internal (private) IP address after the loot is in true/false
HALT_SYSTEM_WHEN_DONE Halt the system in order to preserve resources and battery true/false

Variables

Variable Description Values
LOOT_DIR_ROOT Folder on Shark Jack to store loot files and log files {folder e.g. /root/loot/network-recon}
HOSTNAME Custom hostname for the Shark Jack {e.g. shark}
MAC_ADDRESS Custom MAC address for the Shark Jack {e.g. 4a:3f:6d:db:ba:d8}
CUSTOM_NAME_SERVER Custom name server to be used by the Shark Jack {e.g. 192.168.10.1}
RESOLV_CONF_FILE Path to resolv.conf file {e.g. /etc/resolv.conf}
RESOLV_CONF_AUTO_FILE Path to resolv.conf.auto file {e.g. /tmp/resolv.conf.auto}
RESOLV_CONF_TMP_FILE Path to resolv.conf temporary file {e.g. /tmp/resolv.conf}
INTERNET_TEST_HOST Host to be used to test Internet access {e.g. http://www.google.com}
PUBLIC_IP_URL Host to be used to get the external (private) IP address {e.g. http://icanhazip.com}
TRACEROUTE_HOST Host to execute the traceroute against {e.g. 8.8.8.8}
INTERNAL_DOMAINS Manually set (internal) domain {e.g. mydomain.local}
BANDWIDTH_FOR_ARP_SCAN Max. bandwith used by arp-scan {e.g. 100000]
NMAP_OPTIONS_ACTIVE_HOSTS NMAP options to be used for active hosts (NMAP quick scan) {e.g. --top-ports 20}
INTERESTING_HOSTS_PATTERN String of interesting hosts to filter on {e.g. `Synology
NMAP_OPTIONS_INTERESTING_HOSTS NMAP options to be used for interesting hosts (NMAP elaborated scan) {e.g. -v -sS -A -T4}
HOMEY_WEBHOOK_URL WEbhook url for Homey {e.g. https://{your-homey-id}.connect.athom.com/api/manager/logic/webhook/{your-endpoint}
PUSHOVER_API_POST_URL Pushover post API url https://api.pushover.net/1/messages.json
PUSHOVER_APPLICATION_TOKEN Pushover application token {your-application-token}
PUSHOVER_USER_TOKEN Pushover user token {your-user-token}
PUSHOVER_PRIORITY Pushover priority -2 no notification/alert, -1 send as a quiet notification, 1 high-priority and bypass the user's quiet hours
PUSHOVER_DEVICE Pushover device, multiple devices may be separated by a comma {your-device}
PASTEBIN_API_LOGIN_URL Pastebin login API url {e.g. https://pastebin.com/api/api_login.php}
PASTEBIN_API_POST_URL Pastebin post API url {e.g. https://pastebin.com/api/api_post.php}
PASTEBIN_API_USER Pastebin username {e.g. {username}}
PASTEBIN_API_PASSWORD Pastebin password {e.g. {password}}
PASTEBIN_API_KEY Pastebin API key {e.g. {your-api-key}}
PASTEBIN_EXPIRE_DATE Pastebin 'pastes' expiration date N = Never, 10M = 10 Minutes, 1H = 1 Hour, 1D = 1 Day, 1W = 1 Week, 2W = 2 Weeks, 1M = 1 Month, 6M = 6 Months, 1Y = 1 Year
SLACK_API_POST_URL Slack post API url {e.g. https://slack.com/api/chat.postMessage}
SLACK_API_UPLOAD_URL Slack upload API url {e.g. https://slack.com/api/files.upload}
SLACK_OAUTH_TOKEN Slack OAuth token {e.g. {your-oauth-token}}
SLACK_CHANNEL_ID Slack channel identifier {e.g. {your-channel-id}}, use Slack web app to capture channel ID (last bit of URL)
SLACK_USER Slack username which will publish the message {e.g. {your-slack-user}}

Dependencies

This script depends on the following packages:

  • curl
  • lldpd
  • bind-dig
  • bind-host
  • libustream-openssl

Not depended on but good to have:

  • nano

Good to know

  • For setting up Slack (exfiltration and notification) check this tutorial!
  • ARP-SCAN is using files: /usr/share/arp-scan/ieee-iab.txt, /usr/share/arp-scan/ieee-oui.txt and /usr/share/arp-scan/mac-vendor.txt to retrieve vendors based on discovered MAC addresses!
  • Uncomment sections in function BLINK_INTERNAL_IP_ADDRESS in case you want to blink other octets as well!
  • Please note the Pastebin API limitations: guests can create up to 10 new pastes per 24 hours, IP's that make too many requests will be blocked!

NMAP examples

See nmap --help for options.

Parameters Meaning
-sP --host-timeout 30s --max-retries 3 Ping scans the network, listening to hosts that respond tp ping for fast host discovery, a given timeout of 30 seconds and a maximum retries of 3
-p 1-65535 -sV -sS -T4 Full TCP port scan using with service version detection
-v -sS -A -T4 Prints verbose output, runs stealth syn scan, T4 timing, OS and version detection + traceroute and scripts against target services
--top-ports 20 Scan 20 most common ports
-Pn No ping
-O Enable OS detection
-A Enable OS detection, version detection, script scanning and traceroute

Status LED's

Color/Pattern Meaning
Booting up Green blinking
Setting up Magenta solid [LED SETUP]
Failures Red slow blinking [LED FAIL]
Getting loot Yellow single blink [LED ATTACK]
Exfiltrating loot Yellow double blink [LED STAGE2]
Blink IP ADDRESS White blinking (fast blinking = value count, if one of the octets is zero this will be represented as solid for 1 second, long blink = next digit)
Finished Green very fast blinking followed by solid [LED FINISH]

Discussion


Hak5 Forum Thread to be added