Jump to content

Payload Advice Needed


Recommended Posts

ok, so I'm new to this, but if I want to combine a couple of the payloads that's available at hak5 GitHub, can I for example make one payload that has wifi connect payload and the open ap Nmap 

my thought was to copy the payloads into a single payload and make the individual payload a function! Any tips or tricks would be nice! 

My goal is that if it connects to a specific network when it boots up, it will dump the loot to C2, but if it doesn't connect, it will automatically start the Open AP Nmap Scan

this is what I have so far:



# This is a test to see if my network is in range, it will connect home and export the loot to C2 
# if my network is out of range or can't connect to it, it will do the Open AP Attack!

# Title: Simple WiFi Connection Example

# Author: Hak5Darren
# Version: 1.0

function Home() {
# WiFi Client Setup

# optionally start SSH server
# /etc/init.d/sshd start

function OpenAP() {
# Title: Open AP Nmap Scanner
# Author: Hak5Darren
# Version: 1.0
# Description: Scans for open access points, then connects to each and runs an Nmap scan saving logs to the loot folder
# LED SETUP: Scanning
# LED ATTACK: Connected, running nmap scan
# See nmap --help for options. Default "-sP" ping scans the address space for fast host discovery.


function scan_wifi() {
    [[ $DEBUG == 1 ]] && echo Scanning for open access points | tee -a /tmp/payload.log
    iwlist wlan0 scan > /tmp/wifi_scan
    cat /tmp/wifi_scan | grep "Encryption key:off" -A1 | grep ESSID | sort | uniq | cut -c 28- | sed "s/.$//g" > /tmp/open
    total_aps=$(cat /tmp/open | wc -l)
    [[ $DEBUG == 1 ]] && echo Found "$total_aps" open access points | tee -a /tmp/payload.log

function check_ap() {
    current_ap=$(sed -n "$on"p /tmp/open)
    [[ $DEBUG == 1 ]] && echo "-------------------------------" | tee -a /tmp/payload.log
    current_ap_mac=$(cat /tmp/wifi_scan | grep "$current_ap" -B5 | grep Address | awk {'print $5'} | head -1)
    [[ $DEBUG == 1 ]] && echo Selected AP MAC: "$current_ap_mac" | tee -a /tmp/payload.log
    if grep -i -q "$current_ap_mac" /tmp/nmap_scanned; then
        [[ $DEBUG == 1 ]] && echo Skipping - Already scanned AP: "$current_ap" with MAC: "$current_ap_mac" | tee -a /tmp/payload.log

function connect_wifi() {
    [[ $DEBUG == 1 ]] && echo Connecting to Open WiFi AP: "$current_ap" | tee -a /tmp/payload.log
    ifconfig wlan0 down
    iwconfig wlan0 mode Managed essid "$current_ap"
    ifconfig wlan0 up
    while(iwconfig wlan0 | grep Not-Associated); do sleep 1; done
    [[ $DEBUG == 1 ]] && echo "Connected to AP number $on with SSID $current_ap" | tee -a /tmp/payload.log
    udhcpc -i wlan0
    while [ -z "$SUBNET" ]; do
        sleep 1 && find_subnet
    APMAC=$(iw wlan0 link | grep Connected | awk {print'$3'})
    [[ $DEBUG == 1 ]] && echo "AP MAC Address/BSSID: $APMAC" | tee -a /tmp/payload.log
    [[ $DEBUG == 1 ]] && iwconfig wlan0 | grep ESSID | tee -a /tmp/payload.log
    [[ $DEBUG == 1 ]] && ifconfig wlan0 | grep inet | tee -a /tmp/payload.log

function scan_network() {
    [[ $DEBUG == 1 ]] && echo "Found Subnet: $SUBNET" | tee -a /tmp/payload.log
    CIDR=$(echo $SUBNET | cut -d '/' -f 2)
    [[ $DEBUG == 1 ]] && echo "CIDR: $CIDR" | tee -a /tmp/payload.log
    if [ "$CIDR" -ge "$MAX_CIDR" ]
        [[ $DEBUG == 1 ]] && echo "Starting network scan" | tee -a /tmp/payload.log
        nmap $NMAP_OPTIONS $SUBNET -oN "$LOOT_DIR/$current_ap-$APMAC.txt" &>/dev/null 
        [[ $DEBUG == 1 ]] && echo "Network too large - skipping scan" | tee -a /tmp/payload.log
    echo $APMAC >> /tmp/nmap_scanned

function find_subnet() {
    SUBNET=$(ip addr | grep -i wlan0 | grep -i inet | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}[\/]{1}[0-9]{1,2}" | sed 's/\.[0-9]*\//\.0\//')
    [[ $DEBUG == 1 ]] && echo "Found subet for network $current_ap as $SUBNET" | tee -a /tmp/payload.log

function run() {
    while true; do
        while [ "$on" -le "$total_aps" ]
            if [ "$on" -ge 1 ]; then check_ap; fi
            let on=on+1
        sleep 5
        [[ $DEBUG == 1 ]] && echo Completed recon. Restarting... | tee -a /tmp/payload.log

function setup() {
    mkdir -p $LOOT_DIR
    touch /tmp/nmap_scanned
    killall wpa_supplicant

# Run payload


Home && poweroff || OpenAP

Link to comment
Share on other sites

Is it supposed to be a continuous execution of the script or is it a "fire up/execute/shutdown" approach to it? I.e. should the script run when starting up the device and then exit and shutdown the device or keep on running for longer periods of time? When implementing scripts/functionality from different sources, I most often use the methodology of keeping them separate at first to make sure it all works as intended and then merge it all into one set of code (if needed). In this case (without having put any time analyzing the functionality in depth), I would create an "umbrella script" that controls the two Hak5 scripts individually. In that way it's easier to identify problems and control the execution. It's of course possible to do in one file but it sometimes is difficult to get a good overview of the code and trap bugs. So, I would keep the two Hak5 scripts pretty much "untouched" and then create the "umbrella script" that is initiated at boot using /etc/rc.local and/or using a cron job if in need of executing the script over a longer period time when the device is up and running. As I'm writing this though, I realize that the device in focus is the Signal Owl and not the Pineapple as I thought when reading it all at first. So, anyway, since I have no owl in my zoo, I can't be specific about the execution using /etc/rc.local or cron, but since the more advanced Hak5 devices I own have these capabilities, I assume that it's possible even for the Signal Owl. In any way, I would start by splitting the scripts apart and create a new "umbrella script" file that controls the execution of the separate Hak5 scripts based on the conditions at hand when the device boots. When everything is working as intended, I would think of merging the scripts into one (if needed at all).

Link to comment
Share on other sites

Thank you for responding, the original idea was when for example when I got home, I would turn on my owl and have it automatically exfil my loot to c2, if I was elsewhere, it would start the attack. However I’m having issues trying to automatically exfil the files. 

I like the umbrella idea, but I don’t know how to do that, the signal owl is a payload based item, where the pineapple for example has the ability to have a GUI and have several attacks/recons available for you, but the owl’s primary goal is to do exactly what the payload says, no more, no less. (Like the shark jack, I think)


that’s why I attempted to have each payload as a function, and a simple script like if you don’t connect to home, attack, but I’m still learning.

home || test 

Link to comment
Share on other sites

OK, I see. Although, even if I'm not currently in possession of either the Signal Owl or the Shark Jack at the moment (I'm squeezing out the last bit of "summer" of 2020 before heading into the basement for fall/winter and more serious projects), I'm sure that both the Signal Owl and the Shark Jack aren't limited to payload scripting only. Like the WiFi Pineapple, LAN Turtle and Packet Squirrel both the Signal Owl and the Shark Jack is "full" Linux boxes with shell access so there are really more possibilities other than the built in Hak5 payload system. I'm running totally payload-less (in Hak5 terms) solutions on the three device types I mentioned using plain old bash and other common Linux features since the OpenWRT implementation allows a lot of what you can expect from an ordinary Linux system. It's in fact quite powerful in aspect of its implementation and totally possible to combine with Cloud C2 features without using true Hak5 payloads since C2CONNECT, C2EXFIL, etc. are plain binaries that can be used in any bash script, not just Hak5 payload scripts (although there of course are true benefits of using the Hak5 payload concept).

Link to comment
Share on other sites

  • 4 weeks later...

I've made a payload script that should more or less accomplish the scenario describe in this forum thread. The code isn't all that pretty and can be tidied up for sure. A lot of LED blinking that isn't really necessary and variables that can be reused in a more appropriate way. However... the payload should work. It at least does for me. It's available on my GitHub.


Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...