rdub Posted October 29, 2019
Not sure if this is the right place to discuss, but I was able to get the shark to pull LLDP info from the device it is connected to and had it email me the results. It is taking about 64 seconds to go from plugging in to reading the email with the info I need to be able to find the switch a wall port is connected to. I am, however, bad at formatting the data; any tips or materials to help with formatting the data would be handy.
I had to install a few packages first, mailsend and lldpd. Anyone know of more lightweight ways to do this? I am all ears... After those were installed I set up a payload to wait until it got an IP to run the commands for LLDP and email it to me. This includes the IP the shark pulled from DHCP, and LLDP info like the switch port ID, switch management IP, switch model and version.

Topknot Posted October 30, 2019
You and I have similar ideas. Here is how to do the email side. Interested to see what you come up with on the LLDP side.
https://forum.openwrt.org/t/openwrt-how-to-send-mail-with-attachment-with-mutt-and-msmtp-gmail/45844
I have followed this guide and email is working for me.

rdub Posted October 30, 2019 Author
Oh, I already have it all working! I installed lldpd with opkg. Then I run the command "lldpcli show neighbor detail" and output it to a txt file that gets sent along as the body of the email.

Topknot Posted October 31, 2019
That's excellent! I'm going to add that to the nmap script from MonsieurMarc that I modified (replaced pastebin exfiltration with email). Thanks for the info! I would be interested to see what your payload looks like if you are alright with sharing. 🙂

Darren Kitchen Posted October 31, 2019
Likewise... I'm also keen on writing some payload snippets or extensions to ease exfiltration via email & http posts for sites like pastebin similar to how easy it is to exfil to Cloud C2 with a command like:
    C2EXFIL STRING $log_file Payload-Name

rdub Posted November 4, 2019 Author
Here are the snippets from my payload for this task. This all assumes that you have installed LLDPD and MAILSEND already. I used the SSH server payload to get the shark online and installed them that way.

    LED SETUP
    NETMODE DHCP
    # Enable SSH server
    /etc/init.d/sshd start
    sleep 10
    # Wait for an IP address and add this IP info to the loot file - stolen from other script by darren.
    while ! ifconfig eth0 | grep "inet addr" >> /root/loot/info.txt; do sleep 1; done
    LED ATTACK
    sleep 2
    # Assign LLDPD to eth0 - found without this it would fail
    lldpd -I eth0
    sleep 2
    # Restart the LLDPD service - found it would fail without this
    /etc/init.d/lldpd restart
    sleep 2
    # Copy LLDP info to loot file - this is where I could use help formatting the data.
    # Append (>>) so the IP line written above is kept, as in the email body below.
    lldpcli show neighbor detail >> /root/loot/info.txt
    sleep 2
    # Send email with the info from the loot file to the EMAILADD
    mailsend -to toADDRESS -from fromADDRESS -starttls -port 587 -auth \
        -smtp SMTPADDRESS -sub "SUBJECT LINE GOES HERE" -mime-type text/plain \
        -msg-body /root/loot/info.txt -v -user fromADDRESSUSER -pass "fromADDRESSPASSWORD"
    sleep 1
    LED FINISH

In the end I get an email with this in the body. It needs some work to clean it up with only the data that is useful.

    inet addr:10.8.29.169 Bcast:10.8.31.255 Mask:255.255.252.0
    -------------------------------------------------------------------------------
    LLDP neighbors:
    -------------------------------------------------------------------------------
    Interface:    eth0, via: LLDP, RID: 1, Time: 0 day, 00:00:01
      Chassis:
        ChassisID:    mac 50:65:f3:9a:3e:a0
        SysName:      017-156-12506
        SysDescr:     HP J9774A 2530-8G-PoEP Switch, revision YA.15.12.0015, ROM YA.15.12 (/ws/swbuildm/YA_rel_knoxville_qaoff/code/build/lakes(swbuildm_YA_rel_knoxville_qaoff_rel_knoxville))
        MgmtIP:       10.8.0.45
        Capability:   Bridge, on
      Port:
        PortID:       local 6
        PortDescr:    6
        TTL:          120
        PMD autoneg:  supported: yes, enabled: yes
          Adv:          10Base-T, HD: yes, FD: yes
          Adv:          100Base-TX, HD: yes, FD: yes
          Adv:          1000Base-T, HD: no, FD: yes
          MAU oper type: 100BaseTXFD - 2 pair category 5 UTP, full duplex mode
        MDI Power:    supported: yes, enabled: yes, pair control: no
          Device type:  PSE
          Power pairs:  signal
          Class:        class 0
      VLAN:         17, pvid: yes
      LLDP-MED:
        Device Type:  Network Connectivity Device
        Capability:   Capabilities, yes
        Capability:   Policy, yes
        Capability:   Location, yes
        Capability:   MDI/PSE, yes
    -------------------------------------------------------------------------------

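Added example, not part of the original thread or any poster's payload: one way to trim the email body above down to the fields needed to trace a wall port, using a POSIX shell function around awk. The names lldp_summary and sample_loot and the output labels are assumptions made for this illustration, and the sample input is constructed (abridged) from the output shown in the post above.

```shell
#!/bin/sh
# Added example: condense "lldpcli show neighbor detail" plain output
# (plus the ifconfig "inet addr" line the payload logs) to the useful fields.

lldp_summary() {
    awk '
    {
        line = $0
        sub(/^[ \t]+/, "", line)          # drop indentation
        i = index(line, ":")              # key is everything before the first colon
        if (i == 0) next                  # separator lines have no colon
        key = substr(line, 1, i - 1)
        val = substr(line, i + 1)
        sub(/^[ \t]+/, "", val)
    }
    key == "inet addr" { sub(/ .*/, "", val);      print "Local IP: " val }
    key == "SysName"   {                           print "Switch:   " val }
    key == "SysDescr"  { sub(/ *\(.*/, "", val);   print "Model:    " val }  # drop build path
    key == "MgmtIP"    {                           print "Mgmt IP:  " val }
    key == "PortID"    { sub(/^[a-z]+ /, "", val); print "Port:     " val }  # drop subtype
    key == "VLAN"      { pvid = (val ~ /pvid: yes/) ? " (pvid)" : ""
                         sub(/,.*/, "", val);      print "VLAN:     " val pvid }
    '
}

# Constructed sample, abridged from the email body shown in the thread.
sample_loot() {
    cat <<'EOF'
inet addr:10.8.29.169  Bcast:10.8.31.255  Mask:255.255.252.0
-------------------------------------------------------------------------------
LLDP neighbors:
-------------------------------------------------------------------------------
Interface:    eth0, via: LLDP, RID: 1, Time: 0 day, 00:00:01
  Chassis:
    ChassisID:    mac 50:65:f3:9a:3e:a0
    SysName:      017-156-12506
    SysDescr:     HP J9774A 2530-8G-PoEP Switch, revision YA.15.12.0015, ROM YA.15.12 (/ws/swbuildm/YA_rel_knoxville_qaoff/code/build/lakes(swbuildm_YA_rel_knoxville_qaoff_rel_knoxville))
    MgmtIP:       10.8.0.45
    Capability:   Bridge, on
  Port:
    PortID:       local 6
    PortDescr:    6
    TTL:          120
  VLAN:         17, pvid: yes
EOF
}

sample_loot | lldp_summary
```

In the payload this would sit between the lldpcli step and mailsend, with /root/loot/info.txt piped through lldp_summary into the file used as the message body. lldpcli also accepts `-f keyvalue`, which prints one key=value pair per line and is simpler to filter than the plain layout.
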
Jason_Meredith Posted November 19, 2019
This is exactly what I'm looking for! We have been looking for a way to check ports around the school to see what VLANs are assigned easily. Does anyone have a git for this yet? The C2 option also looks like it could work! A BLE connection to a dashboard app that could be displayed on your mobile device would be supa cool 🙂

Flatlinebb Posted November 20, 2019
@Jason_Meredith Like this?
https://github.com/hak5/sharkjack-payloads/tree/master/payloads/library/recon/Network-Recon-With-Email-Exfil

ktdt00 Posted April 11, 2022
This works really well for me after setting the interface and restarting the service per above BUT I usually have to wait 25-30 seconds after the restart before "show neighbors" will return anything. Has anyone else seen this? Thanks!

This topic is now archived and is closed to further replies.