
[PAYLOAD] GIve-Me-My-iP (GIMMP)


InfoSecREDD

GIve-Me-My-iP (GIMMP)

This payload is used to force the SharkJack onto static LANs. Main scenario: DHCP is disabled or not present on the LAN, and there are only static IP devices. The payload uses arp-scan to scan an array of subnets to determine if ANY devices are on those subnets. If so, it connects to the last known network with devices and sets the IP of the SharkJack to that subnet with the last digits you assign in the payload.

Enjoy.

NOTE: This payload requires the router/LAN to have ARP scanning enabled. Some routers/LANs do not have this feature enabled.

The Code:


#!/bin/bash
#
# Title:        GIve-Me-My-iP! (GIMMP)
# Author:       REDD of Private-Locker
# Version:      1.0
#
# Description:  This payload will determine if DHCP is enabled
# on the LAN. If not, it will scan a list of common network
# subnets for any static IP devices using arp-scan. Once a valid
# IP is found, it will set the SharkJack to the subnet of the last
# detected network in the log file, with the ending IP digits below.
#
# LED SETUP (Magenta)     - Setting up variables and environment
# LED Yellow thru Magenta - Waiting to be plugged in
# LED Cyan thru Magenta   - Scanning subnets for static IP devices
# LED Green Blinking      - DHCP found
# LED Green SOLID         - IP address found and set on the SharkJack
# LED Red SOLID           - Payload failed, no IP addresses detected
# LED FINISH (Green)      - Payload completed
#

# Ending IP digits (host octet) of the SharkJack.
SET_IP="250"

# Source IP that the ARP scan will come from (arp-scan --arpspa).
# A fixed, off-subnet sender address like this is an easy fingerprint
# for anyone watching ARP traffic on the segment.
FAKE_SRC="192.168.133.7"

# Outbound bandwidth for arp-scan, in bits per second (arp-scan -B).
BANDWIDTH="100000"

# Temp log file for output of the scan. Kept under /tmp so the path
# does not depend on the directory the payload is started from.
TMP_LOG="/tmp/gimmp.log"

# Verify regex: a dotted-quad IPv4 address.
VERIFY="^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$"

# Wait for eth0 to exist (SharkJack plugged in), then request a DHCP lease.
while ! ifconfig eth0 >/dev/null 2>&1; do LED M SOLID; sleep .8; LED Y SOLID; sleep .2; done
NETMODE DHCP_CLIENT
LED M SOLID
sleep 5

# Default gateway handed out by DHCP. Empty if no lease was obtained.
IP="$(ip route list dev eth0 | awk '/^default/ {print $3}')"

function cleanup() {
    rm -f "$TMP_LOG"
}

function scan_networks() {
    # /24s to try, in order. ARP only reaches hosts on the same Layer 2
    # segment, so devices behind a router or on another VLAN never answer,
    # whatever their address.
    NETWORKS=( '192.168.0.0/24'
               '192.168.1.0/24'
               '192.168.2.0/24'
               '192.168.10.0/24'
               '192.168.100.0/24'
               '172.16.0.0/24'
               '172.16.1.0/24'
               '172.16.2.0/24'
               '172.16.10.0/24'
               '172.16.24.0/24'
               '10.0.0.0/24'
               '10.0.1.0/24'
               '10.0.2.0/24'
               '10.0.10.0/24'
               '10.10.0.0/24'
               '10.10.1.0/24'
               '10.10.2.0/24'
               '10.10.10.0/24'
               '10.100.0.0/24'
               '10.100.1.0/24'
               '10.100.2.0/24'
               '10.100.10.0/24'
             )
    for i in "${NETWORKS[@]}"; do
        LED M SOLID
        arp-scan --arpspa "$FAKE_SRC" -g -B "$BANDWIDTH" -I eth0 "$i" >> "$TMP_LOG"
        LED Y SOLID; sleep .2
    done
    LED M FAST
    # Only lines of the form "IP<tab>MAC<tab>Vendor" are responses. Anchoring
    # at line start and requiring whitespace after the address skips arp-scan's
    # own banner lines, which can also contain an address. Since subnets are
    # scanned in order, the last match is in the last network that answered.
    LAST_IP=$(grep -E -o '^([0-9]{1,3}\.){3}[0-9]{1,3}[[:space:]]' "$TMP_LOG" | tail -1 | cut -d"." -f1-3)
    if [ -n "$LAST_IP" ]; then
        # The original referenced ${LASTIP} (unset) here, which yielded ".250".
        SHARKJACK_IP="${LAST_IP}.${SET_IP}"
        # The netmask form works with both BusyBox and net-tools ifconfig;
        # the "addr/24" form is not accepted everywhere.
        ifconfig eth0 "$SHARKJACK_IP" netmask 255.255.255.0 up
        CURRENT_SUBNET="$LAST_IP"
        # A static address adds no default route, so this is normally empty
        # unless a later payload adds one; kept for scripts sourced below.
        CURRENT_GW=$(ip route list dev eth0 | awk '/^default/ {print $3}')
        LED G SOLID
    else
        # No LAN detected, exit.
        LED R SOLID
        exit 1
    fi
}

# Start with a fresh log file.
rm -f "$TMP_LOG"
touch "$TMP_LOG"

# If a gateway was learned via DHCP, continue. If not, let's scan some networks!
# The arming-mode check has to come before the generic dotted-quad check:
# 172.16.24.1 also matches $VERIFY and would otherwise be taken for a lease.
if [ "$IP" == "172.16.24.1" ]; then
    # SharkJack is still on the arming-mode address; no real lease.
    NETMODE TRANSPARENT
    scan_networks
elif [[ "$IP" =~ $VERIFY ]]; then
    # Gateway found. Continuing script.
    LED G FAST; sleep 1
elif [ -z "$IP" ]; then
    # No gateway found (blank gateway variable).
    NETMODE TRANSPARENT
    scan_networks
else
    # Unexpected value; exiting with exit code 1.
    LED R SOLID
    exit 1
fi

# Final cleanup.
cleanup

# Run your scans here, or, if you have the Internet Tester payload backed up
# in SharkLib, source it.
LED FINISH
SHARKLIB="/root/payload/sharklib"
# The original wrapped the directory in single quotes inside a double-quoted
# string, which made the quotes part of the path; the space needs no quoting here.
PAYLOAD="${SHARKLIB}/Internet Tester/payload.sh"
if [ -f "$PAYLOAD" ]; then
    source "$PAYLOAD"
fi


Changelog:

  • 1.1 - Initial Release
Edited by REDD
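The subnet-picking step the post describes (scan a list of /24s, take the network that answered, assign a fixed host octet on it), as an added example that is not part of the GIMMP payload. It adds two checks the payload lacks: it keeps only real arp-scan response lines and picks the /24 with the most responders rather than the last address in the log, and it refuses a host octet that some device already answers from, which would otherwise put the SharkJack into an IP conflict. The function names are mine and the arp-scan output is constructed.

```shell
#!/bin/bash
# Added example, not part of the GIMMP payload: pick a static address from
# arp-scan output. Function names are mine; the arp-scan output below is
# constructed (two scanned /24s, only the second had responders).

SAMPLE_LOG='Interface: eth0, type: EN10MB, MAC: 00:13:37:00:00:01, IPv4: 192.168.133.7
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
Ending arp-scan 1.9.7: 256 hosts scanned in 2.1 seconds (121.90 hosts/sec). 0 responded
Interface: eth0, type: EN10MB, MAC: 00:13:37:00:00:01, IPv4: 192.168.133.7
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
10.0.10.1  00:0c:29:aa:bb:cc  VMware, Inc.
10.0.10.250  00:0c:29:dd:ee:ff  VMware, Inc.
10.0.10.17  b8:27:eb:11:22:33  Raspberry Pi Foundation
Ending arp-scan 1.9.7: 256 hosts scanned in 2.0 seconds (128.00 hosts/sec). 3 responded'

# host_lines LOG: print only response lines ("IP  MAC  Vendor"). The
# "Interface: ... IPv4: 192.168.133.7" banner also holds a dotted quad, so a
# bare address grep like GIMMP's can return the scanner's own spoofed source
# address when the last subnet scanned had no responders.
host_lines() {
    printf '%s\n' "$1" |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}[[:space:]]+([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}'
}

# busiest_subnet LOG: print the /24 prefix (first three octets) with the most
# responders; ties go to the lexically smaller prefix. Prints nothing when no
# host answered on any subnet.
busiest_subnet() {
    host_lines "$1" |
        awk '{ split($1, o, "."); n[o[1] "." o[2] "." o[3]]++ }
             END { for (p in n) print n[p], p }' |
        sort -k1,1nr -k2,2 | head -n 1 | cut -d' ' -f2
}

# free_host_octet LOG PREFIX WANTED: print WANTED if no responder holds
# PREFIX.WANTED; otherwise the highest octet from 254 down that nobody
# answered from. Returns 1 and prints nothing if every octet is taken.
free_host_octet() {
    used=$(host_lines "$1" | awk -v p="$2." 'index($1, p) == 1 { split($1, o, "."); print o[4] }')
    if ! printf '%s\n' "$used" | grep -qx "$3"; then
        echo "$3"
        return 0
    fi
    for octet in $(seq 254 -1 1); do
        if ! printf '%s\n' "$used" | grep -qx "$octet"; then
            echo "$octet"
            return 0
        fi
    done
    return 1
}

# pick_static_address LOG WANTED: the address to assign to eth0, or return 1
# when no subnet produced a responder (GIMMP's red-LED case).
pick_static_address() {
    prefix=$(busiest_subnet "$1")
    [ -n "$prefix" ] || return 1
    octet=$(free_host_octet "$1" "$prefix" "$2") || return 1
    echo "$prefix.$octet"
}

pick_static_address "$SAMPLE_LOG" 250   # 10.0.10.254: .250 is already taken by a VM
```

In the payload this would replace the `grep | tail -1 | cut` line and the `ifconfig` call: feed it `$TMP_LOG` and `$SET_IP`, and treat an empty result as the same failure as no responders. Note that an unanswered ARP probe proves nothing about a silent host, so the octet check lowers the odds of a conflict rather than removing them.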

6 hours ago, SKiZZ said:

Does this require the script Internet Access Tester be called Internet Tester? I named mine IAT.

Yeah, you can change it to whatever you feel like. This was more of a proof of concept to use ARP to find the correct subnet.
