JAL21 Posted August 12, 2020
Ok, so I'm new to this, but if I want to combine a couple of the payloads that are available on the Hak5 GitHub, can I for example make one payload that has the WiFi Connect payload and the Open AP Nmap payload? My thought was to copy the payloads into a single payload and make each individual payload a function! Any tips or tricks would be nice! My goal is that if it connects to a specific network when it boots up, it will dump the loot to C2, but if it doesn't connect, it will automatically start the Open AP Nmap scan. This is what I have so far:
----------------------------------------------------------------
#!/bin/bash
# This is a test to see if my network is in range, it will connect home and export the loot to C2
# if my network is out of range or can't connect to it, it will do the Open AP Attack!

# Title: Simple WiFi Connection Example
# Author: Hak5Darren
# Version: 1.0
function Home() {
    # WiFi Client Setup
    WIFI_SSID="SSID"
    WIFI_PASS="Password"
    LED SETUP
    WIFI_CONNECT
    # optionally start SSH server
    # /etc/init.d/sshd start
    LED ATTACK
    # Exit status of this line is what Home() returns to the caller below
    C2CONNECT && C2EXFIL
}

function OpenAP() {
    # Title: Open AP Nmap Scanner
    # Author: Hak5Darren
    # Version: 1.0
    #
    # Description: Scans for open access points, then connects to each and runs an Nmap scan saving logs to the loot folder
    #
    # LED SETUP: Scanning
    # LED ATTACK: Connected, running nmap scan
    #
    # See nmap --help for options. Default "-sP" ping scans the address space for fast host discovery.
    NMAP_OPTIONS="-sP"
    LOOT_DIR=/root/loot/open_ap_nmap_scan
    MAX_CIDR=20
    DEBUG=1

    function scan_wifi() {
        [[ $DEBUG == 1 ]] && echo Scanning for open access points | tee -a /tmp/payload.log
        iwlist wlan0 scan > /tmp/wifi_scan
        # One open ESSID per line in /tmp/open (the cut/sed strip the ESSID:" prefix and closing quote)
        cat /tmp/wifi_scan | grep "Encryption key:off" -A1 | grep ESSID | sort | uniq | cut -c 28- | sed "s/.$//g" > /tmp/open
        total_aps=$(cat /tmp/open | wc -l)
        [[ $DEBUG == 1 ]] && echo Found "$total_aps" open access points | tee -a /tmp/payload.log
    }

    function check_ap() {
        # $on is the 1-based index of the AP being processed (set in run/setup)
        current_ap=$(sed -n "$on"p /tmp/open)
        [[ $DEBUG == 1 ]] && echo "-------------------------------" | tee -a /tmp/payload.log
        current_ap_mac=$(cat /tmp/wifi_scan | grep "$current_ap" -B5 | grep Address | awk '{print $5}' | head -1)
        [[ $DEBUG == 1 ]] && echo Selected AP MAC: "$current_ap_mac" | tee -a /tmp/payload.log
        if grep -i -q "$current_ap_mac" /tmp/nmap_scanned; then
            [[ $DEBUG == 1 ]] && echo Skipping - Already scanned AP: "$current_ap" with MAC: "$current_ap_mac" | tee -a /tmp/payload.log
        else
            connect_wifi
            scan_network
        fi
    }

    function connect_wifi() {
        LED STAGE1
        [[ $DEBUG == 1 ]] && echo Connecting to Open WiFi AP: "$current_ap" | tee -a /tmp/payload.log
        ifconfig wlan0 down
        iwconfig wlan0 mode Managed essid "$current_ap"
        ifconfig wlan0 up
        # Block until the interface reports an association (no timeout in the original payload)
        while (iwconfig wlan0 | grep Not-Associated); do sleep 1; done
        [[ $DEBUG == 1 ]] && echo "Connected to AP number $on with SSID $current_ap" | tee -a /tmp/payload.log
        udhcpc -i wlan0
        # SUBNET is a global, so this only waits on the first AP of each run
        while [ -z "$SUBNET" ]; do sleep 1 && find_subnet; done
        APMAC=$(iw wlan0 link | grep Connected | awk '{print $3}')
        [[ $DEBUG == 1 ]] && echo "AP MAC Address/BSSID: $APMAC" | tee -a /tmp/payload.log
        [[ $DEBUG == 1 ]] && iwconfig wlan0 | grep ESSID | tee -a /tmp/payload.log
        [[ $DEBUG == 1 ]] && ifconfig wlan0 | grep inet | tee -a /tmp/payload.log
    }

    function scan_network() {
        LED STAGE2
        find_subnet
        [[ $DEBUG == 1 ]] && echo "Found Subnet: $SUBNET" | tee -a /tmp/payload.log
        CIDR=$(echo $SUBNET | cut -d '/' -f 2)
        [[ $DEBUG == 1 ]] && echo "CIDR: $CIDR" | tee -a /tmp/payload.log
        # Only scan networks with a prefix of at least /MAX_CIDR (i.e. at most 2^(32-MAX_CIDR) addresses)
        if [ "$CIDR" -ge "$MAX_CIDR" ]; then
            [[ $DEBUG == 1 ]] && echo "Starting network scan" | tee -a /tmp/payload.log
            nmap $NMAP_OPTIONS $SUBNET -oN "$LOOT_DIR/$current_ap-$APMAC.txt" &>/dev/null
        else
            [[ $DEBUG == 1 ]] && echo "Network too large - skipping scan" | tee -a /tmp/payload.log
        fi
        echo $APMAC >> /tmp/nmap_scanned
    }

    function find_subnet() {
        # Turn the interface's a.b.c.d/nn address into the a.b.c.0/nn network
        SUBNET=$(ip addr | grep -i wlan0 | grep -i inet | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}[\/]{1}[0-9]{1,2}" | sed 's/\.[0-9]*\//\.0\//')
        [[ $DEBUG == 1 ]] && echo "Found subnet for network $current_ap as $SUBNET" | tee -a /tmp/payload.log
    }

    function run() {
        while true; do
            setup
            scan_wifi
            while [ "$on" -le "$total_aps" ]; do
                if [ "$on" -ge 1 ]; then check_ap; fi
                let on=on+1
            done
            sleep 5
            [[ $DEBUG == 1 ]] && echo Completed recon. Restarting... | tee -a /tmp/payload.log
        done
    }

    function setup() {
        LED SETUP
        mkdir -p $LOOT_DIR
        touch /tmp/nmap_scanned
        on=0
        killall wpa_supplicant
    }

    # Run payload
    run
}

# Try the home network first; power off after a successful exfil, otherwise fall back to the scan
Home && poweroff || OpenAP
chrizree Posted August 13, 2020
Is it supposed to be a continuous execution of the script or is it a "fire up/execute/shutdown" approach to it? I.e. should the script run when starting up the device and then exit and shut down the device, or keep on running for longer periods of time? When implementing scripts/functionality from different sources, I most often use the methodology of keeping them separate at first to make sure it all works as intended and then merge it all into one set of code (if needed). In this case (without having put any time into analyzing the functionality in depth), I would create an "umbrella script" that controls the two Hak5 scripts individually. In that way it's easier to identify problems and control the execution. It's of course possible to do in one file, but it sometimes is difficult to get a good overview of the code and trap bugs. So, I would keep the two Hak5 scripts pretty much "untouched" and then create the "umbrella script" that is initiated at boot using /etc/rc.local and/or using a cron job if in need of executing the script over a longer period of time when the device is up and running. As I'm writing this though, I realize that the device in focus is the Signal Owl and not the Pineapple as I thought when reading it all at first. So, anyway, since I have no owl in my zoo, I can't be specific about the execution using /etc/rc.local or cron, but since the more advanced Hak5 devices I own have these capabilities, I assume that it's possible even for the Signal Owl. Anyway, I would start by splitting the scripts apart and creating a new "umbrella script" file that controls the execution of the separate Hak5 scripts based on the conditions at hand when the device boots. When everything is working as intended, I would think of merging the scripts into one (if needed at all).
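One way to build the umbrella script described above, as an added example that is not from this thread or from Hak5's own payloads: it calls the Owl's WIFI_CONNECT helper, waits a bounded time for association with the home SSID instead of blocking forever, and then dispatches to one of the two unchanged Hak5 scripts. The two script paths and the SSID/password are assumed placeholders, and the ESSID parsing follows iwconfig's usual `ESSID:"name"` output.

```shell
#!/bin/bash
# Umbrella payload for the Signal Owl: pick which of two untouched Hak5 scripts to run at boot.
# Example code, not a Hak5 payload; paths and credentials below are constructed placeholders.
WIFI_SSID="HomeNet"                           # constructed sample value
WIFI_PASS="ChangeMe"                          # constructed sample value
export WIFI_SSID WIFI_PASS                    # visible to WIFI_CONNECT whether sourced or a child process
HOME_PAYLOAD=/root/payloads/home_exfil.sh     # assumed path: the C2CONNECT && C2EXFIL script
SCAN_PAYLOAD=/root/payloads/open_ap_nmap.sh   # assumed path: the Open AP Nmap Scanner script
LOG=/tmp/umbrella.log
ASSOC_TIMEOUT=30                              # seconds to wait for the home network

log() { echo "$(date '+%Y-%m-%d %H:%M:%S') $*" | tee -a "$LOG"; }

# Print the associated ESSID from iwconfig-style text on stdin; prints nothing when unassociated
# (iwconfig then shows ESSID:off/any, which has no quotes and so never matches).
current_essid() { sed -n 's/.*ESSID:"\([^"]*\)".*/\1/p' | head -n 1; }

# Decide the payload: "home" only when associated with exactly the home SSID, else "scan".
pick_payload() {  # $1 = associated ESSID (may be empty), $2 = home SSID
    if [ -n "$1" ] && [ "$1" = "$2" ]; then echo home; else echo scan; fi
}

# Poll $2 (a command printing iwconfig-style output) for up to $1 seconds.
# Returns 0 once the home SSID is associated, 1 on timeout.
wait_for_home() {
    local timeout=$1 probe=$2 waited=0 essid
    while [ "$waited" -lt "$timeout" ]; do
        essid=$($probe 2>/dev/null | current_essid)
        [ "$(pick_payload "$essid" "$WIFI_SSID")" = home ] && return 0
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

main() {
    LED SETUP
    WIFI_CONNECT                              # Owl helper from the original payload
    if wait_for_home "$ASSOC_TIMEOUT" "iwconfig wlan0"; then
        log "Associated with $WIFI_SSID: running exfil payload"
        LED ATTACK
        bash "$HOME_PAYLOAD" && poweroff
    else
        log "Home network not reachable within ${ASSOC_TIMEOUT}s: running open AP scan"
        bash "$SCAN_PAYLOAD"
    fi
}

# Only run the device logic where the Owl helpers exist, so the functions can be tested elsewhere.
command -v WIFI_CONNECT >/dev/null 2>&1 && main
```

Launching this from /etc/rc.local (or as the Owl's payload) gives the boot-time behaviour asked for, and the timeout means a missing home network can no longer hang the device before the fallback script starts.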
JAL21 Posted August 13, 2020 (Author)
Thank you for responding. The original idea was that when, for example, I got home, I would turn on my owl and have it automatically exfil my loot to C2; if I was elsewhere, it would start the attack. However, I'm having issues trying to automatically exfil the files. I like the umbrella idea, but I don't know how to do that. The Signal Owl is a payload-based item, whereas the Pineapple for example has the ability to have a GUI and have several attacks/recons available for you, but the owl's primary goal is to do exactly what the payload says, no more, no less (like the Shark Jack, I think). That's why I attempted to have each payload as a function, and a simple script like "if you don't connect to home, attack", but I'm still learning.
home || test
chrizree Posted August 13, 2020
OK, I see. Although I'm not currently in possession of either the Signal Owl or the Shark Jack at the moment (I'm squeezing out the last bit of "summer" of 2020 before heading into the basement for fall/winter and more serious projects), I'm sure that both the Signal Owl and the Shark Jack aren't limited to payload scripting only. Like the WiFi Pineapple, LAN Turtle and Packet Squirrel, both the Signal Owl and the Shark Jack are "full" Linux boxes with shell access, so there are really more possibilities than the built-in Hak5 payload system. I'm running totally payload-less (in Hak5 terms) solutions on the three device types I mentioned using plain old bash and other common Linux features, since the OpenWRT implementation allows a lot of what you can expect from an ordinary Linux system. It's in fact quite powerful in terms of its implementation and totally possible to combine with Cloud C2 features without using true Hak5 payloads, since C2CONNECT, C2EXFIL, etc. are plain binaries that can be used in any bash script, not just Hak5 payload scripts (although there of course are true benefits of using the Hak5 payload concept).
chrizree Posted September 10, 2020
I've made a payload script that should more or less accomplish the scenario described in this forum thread. The code isn't all that pretty and can be tidied up for sure. A lot of LED blinking that isn't really necessary and variables that can be reused in a more appropriate way. However... the payload should work. It at least does for me. It's available on my GitHub. https://github.com/chrizree/Hak5-SignalOwl-Loot-or-Scan